A risk governance framework should put in place a structure of risk responsibility throughout the organisation. Good risk governance is not just about “ticking boxes”: many disasters have occurred at companies that had comprehensive risk management policies and procedures in place.
It should involve everybody within the firm, and it covers not only the agreement and implementation of policy and standards but also culture, attitudes and behaviours.
The operational risk policy should set overall risk objectives for the firm which will then cascade down to each level within the organisation right down to employee level. Incentives should be in place to ensure good risk management takes place and undue risks are not taken.
Luxon Risk Systems takes a pragmatic approach to this whilst acknowledging its fundamental importance to a company’s bottom line.
Key components of effective risk governance are:
Board and executive level representation. Risk management needs to take place at the highest level within an organisation because this is the only place where the firm can be viewed in its entirety. External auditors, regulators, shareholders, ratings agencies and other external stakeholders need to gain assurance that risk is at the heart of business decision making and all key risks are effectively mitigated.
Risk committees. Whatever the size, structure and complexity of a firm, risks need to be monitored and assessed formally. Separate committees may be established for different risk categories in larger firms, whereas small firms may simply want to include a risk management section in existing committees.
Operational risk policy. An operational risk policy should be agreed and signed off by the board and executive at regular intervals. It should contain the definition of operational risk as viewed by the firm, a statement of risk appetite describing the firm’s appetites and tolerances for each key activity, an overview of the risk management processes used in the firm, and clearly defined roles and responsibilities for the management of risk.
Risk appetite definition. This is essentially how much and what sort of risk an organisation is willing to take. Risks need to be considered in terms of both opportunities and threats and are not usually confined to purely financial impact - they will also affect the capability of the organisation, its performance and its reputation. The risk appetite will be used to raise standards, improve service quality, drive systems and process change and deliver more value for money.
Risk scenarios. The most significant risks should be subjected to risk scenarios to test the organisation’s capability. These should include the risks that are considered serious enough to threaten the survival of the firm. They are typically in structured workshop format involving relevant senior managers and technical specialists. The results should be published and reported to the executive and the board.
Loss reporting. All organisations suffer financial losses as the result of carrying out their business. These losses are often hard to identify, but can be significant. Many losses involve a large number of small amounts over a long period of time and are not visible using ‘common sense’. Loss data should be used to improve business processes and systems.
Structured risk control framework. Techniques such as Risk Control Self Assessment should be used to identify the key areas of exposure, implement controls for these risks and report on the effectiveness of these controls on a regular basis.
Key risk indicators. These are triggers placed in the business at key points where risk exposures are the greatest. These indicators show management when acceptable tolerances have been breached or are close to being breached. If designed well they are able to give management early warning of adverse events.
Thematic risk reviews. Areas of particular concern or focus for management should be subjected to formal structured risk reviews.