
LESSON 4: OPERATIONAL RISK APPETITE


4.1 PURPOSE

Review operational risk appetite – the amount and type of risk an organisation is willing to accept in pursuit of its strategic
objectives.

4.2 KEY CONCEPTS


• Risk appetite
• Control appetite
• Reputational risk appetite
• Expected losses
• Unexpected losses
• Risk and control assessments
• Indicators
• Board of directors
• Roles and responsibilities
• Audit committee
• Economic capital
• Compliance function
• Glossary
• Timeline
• Numbers of losses

4.3 LEARNING OUTCOMES


On completion of this lesson, you should be able to

• define operational risk appetite
• differentiate between risk appetite and risk tolerance
• identify the different approaches to risk appetite at various levels
• distinguish between expected and unexpected losses
• describe the different ways of expressing operational risk appetite
• define and describe control appetite
• break down control appetite into its components

4.4 LEARNING MATERIAL

Chapter 4 of the prescribed book

4.4.1 Risk appetite and control appetite

Control appetite is the amount an organisation is willing to spend in time, money and/or resources to reduce a risk to an
acceptable residual level (i.e. retained remaining risk). Risk appetite is the level of risk that an organisation is willing to accept
or retain while pursuing its objectives. The lower the risk appetite, the more controls are required, which implies a higher
cost. It is therefore important to maintain a balance between the risk appetite and the cost to control the risk – that is, the
control appetite.

Study “RISK APPETITE AND CONTROL APPETITE” in chapter 4.

4.4.2 Risk appetite

The generic definition of risk appetite applies to all types of risk, including operational risk. However, operational risk appetite
requires several additional sub-definitions to accommodate individual loss categories and to recognise the relevance of
thresholds and targets as opposed to hard limits. Operational risk appetite will include elements that are unquantifiable and
some elements for which an organisation has zero appetite.

• Risk appetite: Amount and type of risk an organisation is willing to accept.
• Risk capacity: Amount and type of risk an organisation is able to sustain.
• Risk tolerance: Maximum amount of each type of risk an organisation is willing to accept.
• Risk target: Optimal level of risk that an organisation wants to take.
• Risk limit: Threshold to monitor and ensure that the actual risk exposure does not deviate too much from the
risk target and stays within an organisation’s risk tolerance. Exceeding a risk limit triggers an action.

Natural tensions between the board, senior management and shareholders result in different levels of risk appetite for an
organisation:

• Shareholders – low appetite focused on volatility of earnings.
• Board – longer term with moderate appetite stated in terms of a threshold.
• Senior management – short(er) term with high(er) appetite focused on business opportunities.

The different levels in an organisation have fundamentally different approaches to operational risk appetite:

• Board
   – capital and profit
• Senior management
   – risk and reaction (actions taken to manage and mitigate risk)
• Business units
   – risk and control assessments, key risk indicators and event data
• Business support functions
   – key risk indicators and event (or loss) data

A risk appetite statement articulates the aggregate level and types of risk that an organisation will either accept or avoid to
achieve its objectives. This document includes qualitative statements as well as quantitative measures expressed relative to
earnings, capital, risk, liquidity and other relevant measures. It should also address reputational risk, which is difficult to
measure and quantify. Therefore, a risk appetite statement should

• establish the amount of risk the organisation is prepared to accept in pursuit of its objectives, accounting for the
interests of its customers or clients and its fiduciary duty to shareholders as well as any regulatory requirements
• determine the maximum level of risk that the organisation is willing to operate within, based on its overall risk
appetite, risk capacity and risk profile
• include quantitative measures that translate into risk limits to enable measurement of the risk profile against risk
appetite and risk capacity
• include qualitative statements on the reasons for taking on or avoiding certain types of risk and establish
non-qualitative measures (e.g. limits or indicators) to enable monitoring of these risks
• be forward looking and subject to scenario and stress testing to determine what events might push the organisation
outside its risk appetite or risk capacity

A risk appetite is not the result of a risk assessment but a limit to which the assessment is compared, to determine if the level
of risk is within the appetite for risk. Accepting risk above the risk appetite is not possible without concurrently increasing the
appetite. Instead, an organisation must mitigate, transfer or hedge the risk to lower its residual likelihood and impact.

The expected operational risk appetite reflects the amount of loss an organisation provides for, assuming that its risk controls
are effective and functioning. An unexpected loss is the amount of loss to which an organisation is exposed when controls
fail; it is more difficult to identify and quantify, being of a lower frequency and indeterminate severity.

Various components of the operational risk management process are utilised to express and set an operational risk appetite:

• absolute figures
• risk assessment scores
• key risk indicator (KRI) thresholds
• numbers of losses
• regulatory capital modelling

Study “RISK APPETITE” in chapter 4.

4.4.3 Control appetite

Operational risk controls are processes, policies, practices or tools used to manage risk and restrict the maximum level of risk
to an organisation’s risk appetite level. A low risk appetite equates to many or more restrictive controls and vice versa. An
organisation needs to balance its appetite for risk with its appetite for controls – large potential losses versus high costs.

Control appetite can be expressed in terms of

• an acceptable level of control assessment
• a reduction in the risk level from inherent (without) to residual (with)
• targets and thresholds of key control indicators (KCIs)
• reductions in the number and/or value of events and losses
• the monetary benefit to lowering the risk profile
• the money spent on risk controls

Therefore, the interpretation of control appetite varies at different levels:

• Board
   – expenditure on controls
• Senior management
   – reduction of risk or losses
• Business units
   – KCIs or inherent-to-residual change
• Business support functions
   – target control level

Internal audits focus on the effectiveness of controls and are useful in determining the actual control appetite of an
organisation. Lean and Six Sigma (process improvement methods) are likewise concerned with the effective and efficient
operation of controls. Both methods rely on control analysis and thus relate to control appetite.

Residual or net risk appetite is the level of risk accepted with effective and functioning risk controls in place. Inherent or gross
risk appetite is the level of risk to which the organisation is exposed when risk controls fail or when there are no functioning controls.

| Residual risk appetite | Inherent risk appetite |
|---|---|
| Amount willing to risk with controls | Amount willing to risk without controls |
| Residual likelihood value | Inherent likelihood value |
| Residual impact value | Inherent impact value |
| Control appetite | Control appetite |

The following shows a breakdown of control appetite into its components:

Control appetite

Causes appetite
• Linked to the likelihood of risk occurring
• Focus of management’s risk appetite

   Preventive: Linked to willingness to implement controls
   • Automated controls
   • Significant costs
   • Primarily IT costs
   • Immediate
   • Obvious
   • Visible
   • Occupies significant amount of management thought and time

   Directive: Linked to willingness to implement governance
   • Policies
   • Procedures
   • Committees
   • Power of the board

Affects appetite
• Requires careful consideration due to under-rated and under-tested corrective controls

   Corrective: Linked to willingness to correct for the effects of the impact
   • Relatively cheap and unused until event occurs
   • Under-rated
   • Under-tested
   • Often too late to implement and test once required

   Detective: Linked to willingness to identify events once they have happened
   • Focus for action is on correction
   • Low level of appetite despite the obvious need to detect event before correcting for its effects

Study “CONTROL APPETITE” in chapter 4.

Control appetite consists of preventive and directive control appetites (causes) as well as corrective and detective control
appetites (effects).

4.5 SELF-REFLECTIVE ACTIVITY

After working through the lesson, you should be able to answer the following questions:

1. What is the difference between risk tolerance and risk appetite?
2. How does risk appetite vary with the stakeholder?
3. What are the types of operational risk appetite?
4. Discuss the different ways of expressing risk appetite.
5. Define control appetite and briefly discuss its components.

4.6 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 4.6.

4.7 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 4 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?

4.8 CONCLUSION

The aim of this lesson was to discuss governance as part of the operational risk management framework.

Study “Conclusion” in chapter 4.

References

Blunden, T & Thirlwell, J. 2014. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. Harlow: Pearson Education.

Young, J. 2014a. Operational risk management. 2nd ed. Pretoria: Van Schaik.

Young, J. 2014b. Practical guidelines to formulate an operational risk appetite statement for corporate organisations: a South
African perspective. Corporate Ownership & Control, 12(1):46-63.

http://hdl.handle.net/10500/20041
