ESTABLISHING BUSINESS RHYTHM

By: Thea Lorraine Tuico

Three Keys to Integration

Integrating risk management into your business processes works in three distinct dimensions:
It builds risk into the yearly management planning, budgeting, and monitoring cycle. Most
companies use this overarching cycle to some degree.
It drives risk into day-to-day processes—the business operations.
It enhances development of a monitoring and reporting framework.

Develop a Business Rhythm

Most companies run on some sort of annual cycle. This cycle defines the company’s business
rhythm. It may be finance-driven, beginning at the start of the financial year and moving into
development of strategic planning and budgeting.

Business rhythm is the cycle of activities that revolve around financial management and
monitoring. Usually the cycle is annual. It often starts with strategic planning and budgeting and
budget allocations, then progresses through the year with routine checks of the plan. It ends with
the production of yearly financial statements and the review of performance measures and
objectives.

Much of the company falls in line with plans, budgets, and reporting targets in some form or
another. The company should do the same with risk. Embed the consideration of risk in planning,
budgeting and reporting; they should integrate with the existing cycles. Even the smallest
companies operate on a cycle like this, although it may be a less formal process. If your business
includes any sort of shareholders, investors, or board members, then you utilize a business rhythm,
even if it’s lean. At the very least, you probably create plans, set a budget, and track it on some level.
That, too, is a business rhythm.

Including Risk in Your Business Plans

Good business rhythm starts with smart business plans. While a business plan discussion
may not seem relevant to risk management, it actually is vital to planning for risk.
Hopefully, you developed a business plan at some point and have refreshed it regularly—or
at least rethought its basics. Your business plan should be reviewed annually. At a minimum, it
should include the following elements:
Strategic direction of the company
Core initiatives to support those objectives
Initiatives to be met over the next year
 The company business plan also provides a basis for the financial plan by laying out the
following information:
Growth expectations
Cost expectations to support growth
Initiatives requiring investment
New markets and key new customers or suppliers that may require special financial
arrangements
Any requirements for new investment money
Any requirements for debt or bank loans

The business plan creates a broad, and hopefully specific, view of what the balance sheet and
P&L will look like at the end of the year. It also spells out financial activities that must occur to
support it.

Incorporating the Risk Appetite Statement

When integrating risk into your business plan, make sure to review your risk appetite. Your
risk appetite should be considered yearly.

BUDGETING RISK
By: Jecil Visitacion

The best organizations project the growth and mix of their businesses and then apply risk
measures. They do so in order to understand changes in expected loss and unexpected loss and how
diversification can affect the overall risks. These steps enable the company to estimate what sort of
reserves, buffers (capital), and other forms of mitigation will be required, all of which fall into the
budgeting process.

Ask yourself the following questions about your budget:

Have you developed an explicit budget for risk management?
Does it allow for continuous improvement?
Does it consider the changing profile of company risks and growth?
A quick tip: the core risk budget usually needs to increase if the company is growing.

Best Bets
When developing a budget, it is important to think about a few key things in order to adequately
include risk management. Consider the type of business you’ll be doing over the next year (your
mix of product sales) and how this might affect your risks. Next, forecast how much growth you will
experience in the next year, overall and in particular sectors. Factor in how much mitigation you
will require to manage the mix of risks and the growth of risk. Finally, determine which new
initiatives are required for risk management and how these might change your budgeted buffers
and reserves.

Once you have pinned down the basics, make sure your budget includes general enhancements to
the risk management process. It should contain necessary resources to address the growth and mix
expected for the coming year. These areas can include new improvements to measurements,
controls, and even personnel (education and hiring). Make sure your budget considers additional or
new mitigation or risk management approaches to support your plan.
With this information in hand, you will be able to finalize your company budget. Determine how
much you need for reserves, capital (equity), risk operations, and risk investments.

Definition
Capital allocation is the assignment of economic capital across core business operations, separate
businesses, or locations. It provides real capital to a department within a business to “hold” as a
buffer or to manage. This includes any buffers for risk. Companies can then attribute risk capital to
the aspects of the enterprise creating it.

Allocating Economic Capital

Determine how you want to split up capital within your company. This top-down process
starts with a measure of your total risk in terms of economic capital and expected loss. Evaluate
what that risk looks like for the company, then contemplate which segments need to be managed as
separate groups. Look for sensible splits that describe the way you run your business; manage
according to your risk-adjusted return. If you’re small, little or no major separation will be required.
If you operate in more than one location (separate franchised locations, production facilities, or
branches), manufacture more than one product, offer more than one service, or reach different
types of customers that you want to monitor separately, all of these scenarios create potential
opportunities to split the numbers in a meaningful way.

Monitoring Exposures

Routinely monitor your risks. Try to understand how your risks change as you conduct
business and further evolve when you take on new clients, add a division, begin a new product line,
or acquire another company.
For each risk, ask yourself: “How often will these risks change?” Next, establish time-lines and
methods for monitoring each risk. In your method, include the control and limits to be used as
checkpoints.

If you possess measures such as expected loss and unexpected loss for each exposure, you
can generally convert those figures into limits. Then you can rapidly check and compare exposures
against the total amount of risk-related loss that the company can survive. Often it is easiest to list
each exposure and check it against already established measures. Look for changes or trends in the
exposures. Are they growing? Why? Is the company approaching a limit?

Monitoring Groups of Risk

Checking and monitoring groups of risk is similar to checking and monitoring individual
risks, except that the additional characteristics require additional checks. Consider how your risk
groups combine and how the correlations among risks will be addressed (if at all). Monitor by type
of risk, originating business line or department, or product or service type. Also consider who will
be responsible for this measuring and monitoring. This leads to a new concept: the hierarchy of
assurance.

A typical hierarchy of assurance takes a predictable shape when depicting organized risk
management. Business department employees take responsibility for monitoring individual risks
and small groups of risks in their respective businesses or departments.

The hierarchy of assurance describes responsibilities for monitoring risk relative to

seniority and location in the company, as well as the level of reporting that takes place relative to
that position. This is similar to the four lines of defense concept addressed earlier in the book.
In larger companies, they may be assisted by a risk officer. As groups of risk “roll up” within an
organization, line management and perhaps higher levels of management swing into action. They
take responsibility for monitoring across their spans of control (again, generally aided by risk
people). However, they are looking for broader conclusions about the movements of risks. They are
also more concerned about the
coverage and effectiveness of
controls. The funnel narrows
even further at the final review
point—the audit. This area of
focus will be fairly narrow and
generally wrapped around
compliance.

The hierarchy of
assurance shows how the
greatest level of responsibility
for monitoring risks and groups
of risks falls with the common
workforce.
REPORTING ON RISK
By: Kathleen Joy Santillan

The Key Elements of a Report

Most risk reports have the following four major components:
The key risks
Why they are critical
How they are changing over time
What you are doing to stop or mitigate them

Identify Your Audience

Consider your audience. If your organization contains more than one management tier,
think carefully about who needs to know specific types of information, and at what level. As a rule
of thumb, the higher you climb in an organization, the more important it is to limit the amount of
information you include. This becomes increasingly challenging, because more risks usually appear
as your reporting “rolls up” toward the top.

Risk Factors
Ever hear of the “rule of less than seven”? The human mind can remember fewer than seven items
simultaneously (which is why phone numbers were originally built on seven-digit number series!).
The mind also responds to items in odd-numbered clusters. When reporting risk processes, aim for
three or five key points. That way, recipients are more likely to retain, and hopefully act upon, the
key messages.
Always keep your focus on the top risks. Most likely, the CEO only cares about the top five for the
entire organization. It’s likely the maximum that the organization can handle at one time.
For multiple-site or multiple-department businesses, managers in different locations or
departments will require different information, which may need to be tailored to them. What does
the human resources department need to know? What does legal require? How is that different
from what the head of a business department needs?

Don’t generate too many reports; they take too much time and effort. But in certain cases where
groups or risks are large, multiple reports are often worthwhile.

Create an Impact

Now that you have generated the risk report, how do you disseminate it to others? This
requires more than simply submitting the document. Actually, you will be seeking a much more
dynamic platform—one that creates impact. After all, you’re reporting on risk processes, which
many high-powered businesses would rather ignore than implement. Thus, you need to deliver the
goods with as much impact as if you were pitching a business plan to investors or a proposal to
prospective clients.
 Create that impact by tightening up the material you have gathered. Make it very concise.
You have identified the company’s top risks; hopefully, you have also narrowed them down to the
top five or so for each audience. You know the trends and explanations behind them. Now, see if
you can condense that information into a report about two pages long! Or put it on an intranet with
a risk dashboard. Keep it very brief and to the point. By doing so, you will make an immediate
impact on your board members and senior management.

Definition
The risk dashboard is a reporting tool used by risk managers to see all information about risk in an
easy, accessible format. Often, it consists of a website in which the risk manager can drill down into
different layers of information. If your company has an intranet, then risk dashboards are perfect.

Be sure the report spotlights not only pure risks but also risks versus return. That way, you can gain
perspective over the entire view of the key risks’ relationship to your business. Don’t forget to build
in some good news as well, such as successfully implemented risk mitigation or an averted risk
event. Make sure that risk is viewed positively, particularly when you are working toward a change
in the company’s culture and attitude toward risk.

Set a Schedule

Determine a schedule for generating risk reports and follow that schedule consistently.
When determining the frequency with which you will issue reports, consider the following
questions:
How often can you realistically update information on risks?
How meaningful is the update? How often do the types of risks move or change?
What sort of reviews or reporting cycles would generate the need for a report?

Most companies prepare monthly or quarterly reports. If you carry more financial risks, then
your reporting frequency would increase, perhaps becoming monthly. (Some risks move even
faster, such as trading risks.) If you have more operational risks, then you might consider quarterly
or semiannual reports. Strategic risks may require only semiannual or annual summaries.
Keep in mind that every business contains notable differences in operations, strategy, finances, and
types of risk. Ultimately, the frequency of reporting will be determined by how often your risks
change—and how they shift the company’s overall landscape.

RISK APPETITE LEVEL: Determining of the Right Level

By: Jennifer Zabala

Successful risk management is directly tied to a company’s ability to gauge its risk appetite
and work within its parameters.
The risk appetite serves as both a benchmark and a reminder of the company’s overall willingness
to take risk. They articulate how much risk the company is willing to take, in what areas, and for
what sort of return.

The risk appetite is the key mechanism for setting the tone from the top. It embodies all of
the key directions that the organization requires at a high level and provides the key pieces of
information required to manage risk.

Inbroad conceptyour risk appetite encompasses the following broad concepts:

The overarching statement of risk appetite. As a company, how hungry are you for risk?
The risk appetite statement is both a physical document and a process. The main goal is to
write down your business’s disposition toward risk relative to return.
The risk appetite statement has three goals:
o To set the risk tolerance for the company (appetite and measures)
o To provide the basis for a risk limit structure consistent with this tolerance and
strategy
o To provide management guidance for annual business and the strategic planning
process
How much risk you expect to carry. What is the right amount of risk? Try to answer these
questions in quantitative, numerical terms.
Your risk versus return profile. What return will you seek for your risk? What mix of risk
and return will you see across your products and services?
Your threshold for risk. How will you control your threshold so you can manage within
the company’s set risk appetite?

What is the Right Amount of Risk?

Risk management experts have identified two ways in which companies can think about their risk
appetite quantitatively. These are best described using the following questions:

What is the maximum loss you could sustain and still survive?
The answer will certainly establish one clear boundary. It shouldn’t reflect a comfortable pull-
through, but a situation in which the company barely survives. If you need to hold additional
capital for investment or dividends, consider those in your final number. That will leave you with
an established maximum economic capital figure for your risks.

What is your own company’s default probability?

Instead of considering your customers’ likelihood of defaulting on their loans, think about your
own likelihood of default. In other words, if someone were to lend you money, how would they
perceive you? Could you pay them back? Or would you become the bad debtor we’ve been talking
about?
RETURN TARGETS
By: Aizel Thea Vito

Target Risk and Return

Part of the risk appetite must also consider the reward side. After all, you are in business to
make money for the products or services you provide. And your ability to make money depends on
how well the risk versus reward relationship runs in your company.

Start by considering how your return target aligns with your capital target. If you merely
align these targets, will you be satisfied? Some industries set benchmark returns that need to be
topped. Often investors expect some sort of return for their capital investment. How well do these
expectations line up with the risk-adjusted return (implied by the economic capital threshold
described in the previous section)?

Definition
A hurdle rate is the rate of return the company will try to meet or exceed. It is especially handy if
you have a company with multiple departments or sales people. It allows you to set a rate in line
with the risk-adjusted return implied by your risk appetite.
Use budget and forecasts to set up risk-return expectations. How much revenue do you expect to
achieve this year? This should be based on your forecasts. Will there be any reserves required?
Work this out to achieve a risk-adjusted return number. Next, divide by the economic capital
implied by these activities. At this time, set the hurdle rate for the company.

How Do I Take Control?

Once you have quantified key aspects of your risk appetite, take control. Begin to adjust
your company to meet your risk appetite. Set thresholds that can be monitored. Establish a target
view of economic capital (and possibly reserves, in line with risk appetite expectations) for the year.
Then, monitor the risks as they accumulate through the year. You can monitor qualitative
statements of risk as well, if you use that approach.

When establishing risk appetite, view the company as a whole. Determine your steps to
monitor individual departments or risk classes. These often set the starting point for additional risk
limits and controls you may enact for more specific aspects of your business. Companies can
monitor risk groups or departments at a high level through the reporting process to make sure that
the broad standards set up by the risk appetite are continually being met. You can even set up a
formalized limit structure on these high-level targets and build it into your regular reporting,
particularly at the board level.

If you take this path, be sure to set up a buffer or trigger point before the limit or target is
reached. This will give you time to react and respond to risks. This is important for most limits, but
especially true of anything that touches or involves the absolute company limit. If it nudges the
absolute limit, it might signal or precipitate a serious issue that could threaten the company’s
survival.

Target risk versus return.

Use the specific measures you just set to project the risk-adjusted return on economic
capital, RAROC, or economic profit implied by this plan. Test to ensure that it aligns with
expectations.

RISK BOUNDARIES
By: Emma Rey Sanchez

Risk- implies future uncertainty about deviation from expected earnings or expected outcome. Risk
measures the uncertainty that an investor is willing to take to realize a gain from an investment.

Boundaries- something that indicates or fixes a limit or extent.

Setting Boundaries

Your risk appetite statement will only serve the company effectively if you establish
realistic boundaries and thresholds. Without them, the statement becomes like a fenceless yard: the
shape seems obvious, but individual shoots or entire sections will overtake the boundary before
trouble is noticed.

Red Flags
When setting boundaries for your risk appetite statement, avoid the temptation to create precise
thresholds that can hamper daily operations. Instead, focus on the overarching thresholds into
which all risks should fit. Don’t scrutinize the level at which each customer is considered or the
controls set for the production line; doing so will make the exercise too complex and unrealistic.

It is vital for you to remember that these are high-level thresholds. They create the starting point
for other limits—hard and soft, quantitative and qualitative—to set in the future. They are not
intended to be day-to-day limits—at least not on most days.

Now for a few pointers. Once you’ve set the thresholds, monitor and manage them like any other
limit, but on a less frequent basis (normally, anyway). Make your boundaries actionable and able to
be checked. Include a trigger or buffer so you have time to react in case of a risk event or potential
disruption.

Finally, build the process to monitor and report on the status of thresholds while also addressing
any breaches of triggers that might occur.

Do You Know Your RMF Boundaries?

The first step in the six step risk management framework (RMF) process is categorizing
your system. The first step in categorizing your system is establishing the system boundary. The
boundaries of your system and how you categorize it will drive your risk management strategy.
Your risk management strategy in turn defines your ongoing risk posture assessment, continuous
monitoring program, and the critical elements of successful use of RMF. Choose your boundary
carefully.

Flexibility to Optimize Your Boundaries

Program managers, solutions architects, security engineers, risk management executives

and authorizing officials have a great deal of flexibility in defining what constitutes an information
system. This is an opportunity to optimize system boundaries to maximize the effectiveness of risk-
based cyber security. Selecting reasonable system boundaries avoids systems that are overly
complex and difficult to defend or having too many systems that require their own system security
plans, plans of action and milestones (POAMs), continuous monitoring plans, reporting and
dashboards, and risk assessments. Selecting system boundaries requires careful analysis of the
complexity of the physical system, the data it stores and moves around, the end-points that allow
humans and other systems to interact with it, and the people and organizations that use, maintain,
and protect it.

The process of establishing boundaries for information systems and the associated security
implications is an agency-level activity that should include discussion and careful negotiation
among all key participants—taking into account the mission/business requirements of the agency,
the technical considerations with respect to information security, and the programmatic costs to
the agency. Stakeholders need to agree and know the system boundaries at the beginning of the
RMF process so that everyone shares the same understanding of where a system begins and ends
and who is responsible for what.

The system boundary is the security perimeter of what you are protecting. The system
boundary defines what you will be present in your security plan, the controls you select and the
controls you inherit, the monitoring technology you acquire, the scope of what your independent
assessors will test and assess, and what you will be continuously monitoring to determine your risk
posture. The system boundary defines what you will be protecting from threats and emerging
vulnerabilities. Choose your boundary carefully.