RSK4801 B0 LS05 004 Mo PDF
4.1 PURPOSE
Review operational risk appetite – the amount and type of risk an organisation is willing to accept in pursuit of its strategic
objectives.
Control appetite is the amount an organisation is willing to spend in time, money and/or resources to reduce a risk to an
acceptable residual level (i.e. retained remaining risk). Risk appetite is the level of risk that an organisation is willing to accept
or retain while pursuing its objectives. The lower the risk appetite, the more controls are required, which implies a higher
cost. It is therefore important to maintain a balance between the risk appetite and the cost to control the risk – that is, the
control appetite.
The generic definition of risk appetite applies to all types of risk, including operational risk. However, operational risk appetite
requires several additional sub-definitions to accommodate individual loss categories and to recognise the relevance of
thresholds and targets as opposed to hard limits. Operational risk appetite will include elements that are unquantifiable and
some elements for which an organisation has zero appetite.
Risk appetite: Amount and type of risk an organisation is willing to accept.
Risk capacity: Amount and type of risk an organisation is able to sustain.
Risk tolerance: Maximum amount of each type of risk an organisation is willing to accept.
Risk target: Optimal level of risk that an organisation wants to take.
Risk limit: Threshold to monitor and ensure that the actual risk exposure does not deviate too much from the risk target and stays within an organisation’s risk tolerance. Exceeding a risk limit triggers an action.
Natural tensions between the board, senior management and shareholders result in different levels of risk appetite for an
organisation:
Senior management – short(er) term with high(er) appetite focused on business opportunities.
The different levels in an organisation have fundamentally different approaches to operational risk appetite:
Board
Senior management
Business units
risk and control assessments, key risk indicators and event data
A risk appetite statement articulates the aggregate level and types of risk that an organisation will either accept or avoid to
achieve its objectives. This document includes qualitative statements as well as quantitative measures expressed relative to
earnings, capital, risk, liquidity and other relevant measures. It should also address reputational risk, which is difficult to
measure and quantify. Therefore, a risk appetite statement should:
- establish the amount of risk the organisation is prepared to accept in pursuit of its objectives, accounting for the interests of its customers or clients and its fiduciary duty to shareholders as well as any regulatory requirements
- determine the maximum level of risk that the organisation is willing to operate within, based on its overall risk appetite, risk capacity and risk profile
- include quantitative measures that translate into risk limits to enable measurement of the risk profile against risk appetite and risk capacity
- include qualitative statements on the reasons for taking on or avoiding certain types of risk and establish non-qualitative measures (e.g. limits or indicators) to enable monitoring of these risks
- be forward looking and subject to scenario and stress testing to determine what events might push the organisation outside its risk appetite or risk capacity
A risk appetite is not the result of a risk assessment but a limit to which the assessment is compared, to determine if the level
of risk is within the appetite for risk. Accepting risk above the risk appetite is not possible without concurrently increasing the
appetite. Instead, an organisation must mitigate, transfer or hedge the risk to lower its residual likelihood and impact.
The expected operational risk appetite reflects the amount of loss an organisation provides for, assuming that its risk controls
are effective and functioning. An unexpected loss is the amount of loss to which an organisation is exposed when controls
fail, and is more difficult to identify and quantify, being of a lower frequency and indeterminate severity.
Various components of the operational risk management process are utilised to express and set an operational risk appetite:
absolute figures
risk assessment scores
key risk indicator (KRI) thresholds
numbers of losses
regulatory capital modelling
Operational risk controls are processes, policies, practices or tools used to manage risk and restrict the maximum level of risk
to an organisation’s risk appetite level. A low risk appetite equates to many or more restrictive controls and vice versa. An
organisation needs to balance its appetite for risk with its appetite for controls – large potential losses versus high costs.
Board: expenditure on controls
Senior management: reduction of risk or losses
Business units: KCIs or inherent-to-residual change
Business support functions: target control level
Internal audits focus on the effectiveness of controls and are useful in determining the actual control appetite of an
organisation. Lean and Six Sigma (process improvement methods) are likewise concerned with the effective and efficient
operation of controls. Both methods rely on control analysis and thus relate to control appetite.
Residual or net risk appetite is the level of risk accepted with effective and functioning risk controls in place (the amount willing to risk with controls). Inherent or gross risk appetite is the level of risk an organisation is exposed to when risk controls fail or when there are no functioning controls (the amount willing to risk without controls).
The following table shows a breakdown of control appetite into its components:
Control appetite
Linked to the likelihood of risk occurring; focus of management’s risk appetite
Requires careful consideration due to under-rated and under-tested corrective controls
Control appetite consists of preventive and directive control appetites (causes) as well as corrective and detective control
appetites (effects).
4.5 SELF-REFLECTIVE ACTIVITY
After working through the lesson, you should be able to answer the following questions:
4.6 ACTIVITY
4.7 REFLECTION
Before you continue to the next lesson, reflect on the following personal questions:
a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 4 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?
4.8 CONCLUSION
The aim of this lesson was to discuss governance as part of the operational risk management framework.