Most companies run on some sort of annual cycle. This cycle defines the company’s business
rhythm. It may be finance-driven, beginning at the start of the financial year and moving into
development of strategic planning and budgeting.
Business rhythm is the cycle of activities that revolve around financial management and
monitoring. Usually the cycle is annual. It often starts with strategic planning and budgeting and
budget allocations, then progresses through the year with routine checks of the plan. It ends with
the production of yearly financial statements and the review of performance measures and
objectives.
Much of the company already falls in line with plans, budgets, and reporting targets in some form or
another. The company should do the same with risk: embed the consideration of risk in planning,
budgeting and reporting so that it rides on the existing cycles rather than running as a separate
exercise. Even the smallest companies operate on a cycle like this, although it may be a less formal
process. If your business has any shareholders, investors, or board members, then you already have
a business rhythm, even if it is lean. At the very least, you probably create plans, set a budget, and
track it on some level. That, too, is a business rhythm.
Good business rhythm starts with smart business plans. While a business plan discussion
may not seem relevant to risk management, it actually is vital to planning for risk.
Hopefully, you developed a business plan at some point and have refreshed it regularly—or
at least rethought its basics. Your business plan should be reviewed annually. At a minimum, it
should include the following elements:
Strategic direction of the company
Core initiatives to support those objectives
Initiatives to be met over the next year
The company business plan also provides a basis for the financial plan by laying out the
following information:
Growth expectations
Cost expectations to support growth
Initiatives requiring investment
New markets and key new customers or suppliers that may require special financial arrangements
Any requirements for new investment money
Any requirements for debt or bank loans
The business plan creates a broad, and hopefully specific, view of what the balance sheet and
P&L will look like at the end of the year. It also spells out financial activities that must occur to
support it.
When integrating risk into your business plan, make sure to review your risk appetite. Like the
plan itself, the risk appetite should be revisited yearly.
BUDGETING RISK
By: Jecil Visitacion
The best organizations project the growth and mix of their businesses and then apply risk
measures. They do so in order to understand changes in expected loss and unexpected loss and how
diversification can affect the overall risks. These steps enable the company to estimate what sort of
reserves, buffers (capital), and other forms of mitigation will be required, all of which fall into the
budgeting process.
Best Bets
When developing a budget, it is important to think about a few key things in order to adequately
include risk management. Consider the type of business you’ll be doing over the next year (your
mix of product sales) and how this might affect your risks. Next, forecast how much growth you will
experience in the next year, overall and in particular sectors. Factor in how much mitigation you
will require to manage the mix of risks and the growth of risk. Finally, determine which new
initiatives are required for risk management and how these might change your budgeted buffers
and reserves.
Once you have pinned down the basics, make sure your budget includes general enhancements to
the risk management process. It should contain necessary resources to address the growth and mix
expected for the coming year. These areas can include new improvements to measurements,
controls, and even personnel (education and hiring). Make sure your budget considers additional or
new mitigation or risk management approaches to support your plan.
With this information in hand, you will be able to finalize your company budget. Determine how
much you need for reserves, capital (equity), risk operations, and risk investments.
Definition
Capital allocation is the assignment of economic capital across core business operations, separate
businesses, or locations. It provides real capital to a department within a business to “hold” as a
buffer or to manage. This includes any buffers for risk. Companies can then attribute risk capital to
the aspects of the enterprise creating it.
Determine how you want to split up capital within your company. This top-down process
starts with a measure of your total risk in terms of economic capital and expected loss. Evaluate
what that risk looks like for the company, then contemplate which segments need to be managed as
separate groups. Look for sensible splits that describe the way you run your business; manage
according to your risk-adjusted return. If you’re small, little or no major separation will be required.
If you operate in more than one location (separate franchised locations, production facilities, or
branches), manufacture more than one product, offer more than one service, or reach different
types of customers that you want to monitor separately, all of these scenarios create potential
opportunities to split the numbers in a meaningful way.
Monitoring Exposures
Routinely monitor your risks. Try to understand how your risks change as you conduct
business and further evolve when you take on new clients, add a division, begin a new product line,
or acquire another company.
For each risk, ask yourself: "How often will this risk change?" Next, establish timelines and
methods for monitoring each risk. The method should name the controls and limits that serve as
checkpoints.
If you possess measures such as expected loss and unexpected loss for each exposure, you
can generally convert those figures into limits. Then you can rapidly check and compare exposures
against the total amount of risk-related loss that the company can survive. Often it is easiest to list
each exposure and check it against already established measures. Look for changes or trends in the
exposures. Are they growing? Why? Is the company approaching a limit?
Checking and monitoring groups of risk is similar to checking and monitoring individual
risks, except that the additional characteristics require additional checks. Consider how your risk
groups combine and how the correlations among risks will be addressed (if at all). Monitor by type
of risk, originating business line or department, or product or service type. Also consider who will
be responsible for this measuring and monitoring. This leads to a new concept: the hierarchy of
assurance.
A typical hierarchy of assurance takes a predictable shape when depicting organized risk
management. Business department employees take responsibility for monitoring individual risks
and small groups of risks in their respective businesses or departments.
[Figure: The hierarchy of assurance, showing that the greatest share of responsibility for monitoring risks and groups of risks rests with the general workforce.]
REPORTING ON RISK
By: Kathleen Joy Santillan
Consider your audience. If your organization contains more than one management tier,
think carefully about who needs to know specific types of information, and at what level. As a rule
of thumb, the higher you climb in an organization, the more important it is to limit the amount of
information you include. This becomes increasingly challenging, because more risks usually appear
as your reporting “rolls up” toward the top.
Risk Factors
Ever hear of the "rule of less than seven"? The human mind holds only about seven items in
working memory at once (this is often cited as the reason local phone numbers were built on
seven-digit series). Items are also said to be easier to retain in odd-numbered clusters. When
reporting on risk processes, aim for three or five key points. That way, recipients are more likely
to retain, and hopefully act upon, the key messages.
Always keep your focus on the top risks. Most likely, the CEO only cares about the top five for the
entire organization. It’s likely the maximum that the organization can handle at one time.
For multiple-site or multiple-department businesses, managers in different locations or
departments will require different information, which may need to be tailored to them. What does
the human resources department need to know? What does legal require? How is that different
from what the head of a business department needs?
Don't generate too many reports; they take too much time and effort. But where risk groups are
large, multiple reports are often worthwhile.
Create an Impact
Now that you have generated the risk report, how do you disseminate it to others? This
requires more than simply submitting the document. Actually, you will be seeking a much more
dynamic platform—one that creates impact. After all, you’re reporting on risk processes, which
many high-powered businesses would rather ignore than implement. Thus, you need to deliver the
goods with as much impact as if you were pitching a business plan to investors or a proposal to
prospective clients.
Create that impact by tightening up the material you have gathered. Make it very concise.
You have identified the company’s top risks; hopefully, you have also narrowed them down to the
top five or so for each audience. You know the trends and explanations behind them. Now, see if
you can condense that information into a report about two pages long! Or put it on an intranet with
a risk dashboard. Keep it very brief and to the point. By doing so, you will make an immediate
impact on your board members and senior management.
Definition
The risk dashboard is a reporting tool used by risk managers to see all information about risk in an
easy, accessible format. Often, it consists of a website in which the risk manager can drill down into
different layers of information. If your company has an intranet, then risk dashboards are perfect.
Be sure the report spotlights not only pure risks but also risks versus return. That way, you can gain
perspective over the entire view of the key risks’ relationship to your business. Don’t forget to build
in some good news as well, such as successfully implemented risk mitigation or an averted risk
event. Make sure that risk is viewed positively, particularly when you are working toward a change
in the company’s culture and attitude toward risk.
Set a Schedule
Determine a schedule for generating risk reports and follow that schedule consistently.
When determining the frequency with which you will issue reports, consider the following
questions:
How often can you realistically update information on risks?
How meaningful is the update? How often do the types of risks move or change?
What sort of reviews or reporting cycles would generate the need for a report?
Most companies prepare monthly or quarterly reports. The more financial risk you carry, the more
frequent the reporting should be, monthly at least (some risks, such as trading risks, move faster
still). If your risks are mostly operational, quarterly or semiannual reports may be enough.
Strategic risks may require only semiannual or annual summaries.
Keep in mind that every business contains notable differences in operations, strategy, finances, and
types of risk. Ultimately, the frequency of reporting will be determined by how often your risks
change—and how they shift the company’s overall landscape.
Successful risk management is directly tied to a company’s ability to gauge its risk appetite
and work within its parameters.
The risk appetite serves as both a benchmark and a reminder of the company's overall willingness
to take risk. It articulates how much risk the company is willing to take, in what areas, and for
what sort of return.
The risk appetite is the key mechanism for setting the tone from the top. It embodies all of
the key directions that the organization requires at a high level and provides the key pieces of
information required to manage risk.
What is the maximum loss you could sustain and still survive?
The answer will establish one clear boundary. It should not reflect a comfortable margin, but a
situation in which the company barely survives. If you must also hold capital for investment or
dividends, account for that when you set the final number. That leaves you with an established
maximum economic capital figure for your risks.
Part of the risk appetite must also consider the reward side. After all, you are in business to
make money for the products or services you provide. And your ability to make money depends on
how well the risk versus reward relationship runs in your company.
Start by considering how your return target aligns with your capital target. If you merely
align these targets, will you be satisfied? Some industries set benchmark returns that need to be
topped. Often investors expect some sort of return for their capital investment. How well do these
expectations line up with the risk-adjusted return (implied by the economic capital threshold
described in the previous section)?
Definition
A hurdle rate is the rate of return the company will try to meet or exceed. It is especially handy if
you have a company with multiple departments or sales people. It allows you to set a rate in line
with the risk-adjusted return implied by your risk appetite.
Use budgets and forecasts to set up risk-return expectations. How much revenue do you expect to
achieve this year? Base this on your forecasts. Will any reserves be required? Subtract expected
costs and those reserves from the forecast revenue to get a risk-adjusted return figure, then divide
by the economic capital implied by these activities. That ratio is the basis for the company's hurdle
rate.
Once you have quantified key aspects of your risk appetite, take control. Begin to adjust
your company to meet your risk appetite. Set thresholds that can be monitored. Establish a target
view of economic capital (and possibly reserves, in line with risk appetite expectations) for the year.
Then, monitor the risks as they accumulate through the year. You can monitor qualitative
statements of risk as well, if you use that approach.
When establishing risk appetite, view the company as a whole. Determine your steps to
monitor individual departments or risk classes. These often set the starting point for additional risk
limits and controls you may enact for more specific aspects of your business. Companies can
monitor risk groups or departments at a high level through the reporting process to make sure that
the broad standards set up by the risk appetite are continually being met. You can even set up a
formalized limit structure on these high-level targets and build it into your regular reporting,
particularly at the board level.
If you take this path, be sure to set up a buffer or trigger point before the limit or target is
reached. This will give you time to react and respond to risks. This is important for most limits, but
especially true of anything that touches or involves the absolute company limit. If it nudges the
absolute limit, it might signal or precipitate a serious issue that could threaten the company’s
survival.
Use the specific measures you just set to project the risk-adjusted return on economic
capital, RAROC, or economic profit implied by this plan. Test to ensure that it aligns with
expectations.
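The passages above on converting expected and unexpected loss into limits, on rolling exposures up by risk group, on setting a trigger point ahead of each limit and of the absolute company limit, and on projecting RAROC against a hurdle rate describe one procedure. The following is an added example, not part of the original text or any standard model: the exposures, limits, the 85% trigger fraction, and the summing of exposures within a group (which assumes perfect correlation, the conservative choice when correlations have not been addressed) are all constructed assumptions.

```python
"""Added illustrative limit monitor. All figures are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    group: str               # risk class or business line used for the roll-up
    expected_loss: float     # EL: loss budgeted for in pricing and reserves
    unexpected_loss: float   # UL: loss to be covered by economic capital
    limit: float             # hard limit on EL + UL for this exposure (assumption)


# Constructed sample exposures for one planning year (arbitrary currency units).
EXPOSURES = [
    Exposure("retail credit book", "credit", 120.0, 380.0, 600.0),
    Exposure("key supplier concentration", "operational", 40.0, 90.0, 200.0),
    Exposure("data-centre outage", "operational", 25.0, 210.0, 240.0),
    Exposure("FX on euro receivables", "market", 15.0, 140.0, 150.0),
]

MAX_SURVIVABLE_LOSS = 1150.0  # the "barely survives" figure from the risk appetite (assumption)
TRIGGER_FRACTION = 0.85       # early-warning trigger at 85% of any limit (assumption)


def status(used: float, limit: float, trigger_fraction: float = TRIGGER_FRACTION) -> str:
    """OK below the trigger, TRIGGER between trigger and limit, BREACH at or above the limit."""
    if used >= limit:
        return "BREACH"
    if used >= trigger_fraction * limit:
        return "TRIGGER"
    return "OK"


def check_exposures(exposures):
    """Per-exposure status: total risk (EL + UL) checked against the exposure's own limit."""
    return {e.name: status(e.expected_loss + e.unexpected_loss, e.limit) for e in exposures}


def rollup_by_group(exposures):
    """Total EL + UL per risk group; groups are summed (perfect correlation assumed)."""
    totals = {}
    for e in exposures:
        totals[e.group] = totals.get(e.group, 0.0) + e.expected_loss + e.unexpected_loss
    return totals


def company_status(exposures, max_loss=MAX_SURVIVABLE_LOSS):
    """Total EL + UL against the absolute company limit, with the remaining headroom."""
    total = sum(e.expected_loss + e.unexpected_loss for e in exposures)
    return {"total": total, "headroom": max_loss - total, "status": status(total, max_loss)}


def raroc(revenue, costs, expected_loss, economic_capital):
    """Risk-adjusted return on capital: (revenue - costs - EL) / economic capital."""
    return (revenue - costs - expected_loss) / economic_capital


def plan_summary(exposures, revenue, costs, hurdle_rate):
    """Project RAROC for the plan; economic capital is taken as the sum of UL (assumption)."""
    total_el = sum(e.expected_loss for e in exposures)
    economic_capital = sum(e.unexpected_loss for e in exposures)
    r = raroc(revenue, costs, total_el, economic_capital)
    return {"economic_capital": economic_capital, "raroc": r, "meets_hurdle": r >= hurdle_rate}


if __name__ == "__main__":
    for name, s in check_exposures(EXPOSURES).items():
        print(f"{s:8} {name}")
    print("by group:", rollup_by_group(EXPOSURES))
    print("company:", company_status(EXPOSURES))
    print("plan:", plan_summary(EXPOSURES, revenue=900.0, costs=520.0, hurdle_rate=0.15))
```

With these constructed figures the FX exposure breaches its limit outright, the data-centre exposure has crossed its trigger but not its limit, and the company total sits in the trigger zone with 130 units of headroom below the survivable maximum, which is exactly the early warning the trigger buffer is meant to give before the absolute limit is touched.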
RISK BOUNDARIES
By: Emma Rey Sanchez
Risk implies future uncertainty about deviation from expected earnings or the expected outcome.
It measures the uncertainty an investor is willing to accept in order to realize a gain from an
investment.
Setting Boundaries
Your risk appetite statement will only serve the company effectively if you establish
realistic boundaries and thresholds. Without them, the statement becomes like a fenceless yard: the
shape seems obvious, but individual shoots or entire sections will overtake the boundary before
trouble is noticed.
Red Flags
When setting boundaries for your risk appetite statement, avoid the temptation to create precise
thresholds that can hamper daily operations. Instead, focus on the overarching thresholds into
which all risks should fit. Don’t scrutinize the level at which each customer is considered or the
controls set for the production line; doing so will make the exercise too complex and unrealistic.
It is vital for you to remember that these are high-level thresholds. They create the starting point
for other limits—hard and soft, quantitative and qualitative—to set in the future. They are not
intended to be day-to-day limits—at least not on most days.
Now for a few pointers. Once you’ve set the thresholds, monitor and manage them like any other
limit, but on a less frequent basis (normally, anyway). Make your boundaries actionable and able to
be checked. Include a trigger or buffer so you have time to react in case of a risk event or potential
disruption.
Finally, build the process to monitor and report on the status of thresholds while also addressing
any breaches of triggers that might occur.
The first step in the six-step Risk Management Framework (RMF) process, as laid out in NIST SP
800-37 (Revision 2 adds a Prepare step ahead of these six), is categorizing your system. The first
step in categorizing your system is establishing the system boundary. The boundary of your system
and how you categorize it will drive your risk management strategy. Your risk management strategy
in turn defines your ongoing risk posture assessment, your continuous monitoring program, and the
elements critical to successful use of RMF. Choose your boundary carefully.
The process of establishing boundaries for information systems and the associated security
implications is an agency-level activity that should include discussion and careful negotiation
among all key participants—taking into account the mission/business requirements of the agency,
the technical considerations with respect to information security, and the programmatic costs to
the agency. Stakeholders need to agree and know the system boundaries at the beginning of the
RMF process so that everyone shares the same understanding of where a system begins and ends
and who is responsible for what.
The system boundary is the security perimeter of what you are protecting. It determines what you
present in your security plan, the controls you select and the controls you inherit, the monitoring
technology you acquire, the scope of what your independent assessors will test and assess, and
what you will continuously monitor to determine your risk posture. Any interface that crosses the
boundary is the point where inherited or external controls end and your own responsibility begins,
so record those interconnections explicitly. The system boundary defines what you will be
protecting from threats and emerging vulnerabilities. Choose your boundary carefully.