Last year our Board recruited three new members, one of whom has become the new chair of the Board Risk & Governance Committee. He’s a pretty cautious fellow who likes to gain a deep understanding. He has a background in regulated industry and has seen a fair few risk frameworks. He’s got a few war stories of what happens when things go wrong too, which is always useful for sobering up folk when they get a bit gung-ho.
Wednesday morning saw us all convene for our bi-monthly Board Risk & Governance Committee. Top of the agenda was getting the approach to risk appetite signed off.
I was reminded of a conversation the CRO and I had with a senior member of the exec team when we began work revising the framework. We were talking about the objective of risk management. “The objective of the exercise is to ensure we have a risk framework so that we meet the regulatory requirement to have a framework” he told us. A tiny part of me died when I heard this.
“Kind of,” we told him, trying to be diplomatic. “But since we are required to have a framework anyway, why not make the objective of it to drive transparency and contribute to great decision making?”
Our new Board R&G Comm Chair has repeated and amplified this message over and over, which is why he’s turned out to be such a great ally.
We have built a risk framework which classifies risks by type. So given that we may be happy to take bigger risks of one type than another, it makes sense to give each risk type its own defined appetite threshold. We started with Fraud risk.
Inevitably we got the natural response within the room at first:
“But I don’t want us to take any risk at all as a business. We need to protect our reputation.”
This is a noble intention, but sadly completely impractical, I explained. If we set all our risk appetites at zero risk, the Board will be called on to sign off every risk outside appetite which doesn’t have a mitigation plan. Potentially that’s a very high number of risks, and some of them will be so inconsequential that the task will become infuriating. The risk appetite threshold should give the business automatic approval to not mitigate further where the risk is acceptable.
Furthermore, the idea of the appetite threshold is to give the business a target so they know what their risk mitigation plan needs to achieve. If we give them all a target of zero risk, the mitigation plans will respond to that and go over the top, or never actually complete.
All in all, it’s a fine balance.
Our new Chair was rather less diplomatic when addressing the room.
“You say you have an appetite for zero risk around fraud and yet we lost almost half a million in known fraud last year and the project to improve the anti-fraud controls has just been cancelled in favour of cost saving. We need to be pragmatic about this and make the stated appetite and our decisions align. You may want to lose no money to fraud… but as long as we are in business, we are probably going to lose some. And once we’ve made the decision about what we have appetite for in terms of fraud, we can decide whether or not we want to insist the project is reinstated.”
I reminded them this was a first shot at appetite thresholds; we can always adjust them later if they are too lenient or too strict. However, there is an element of risk in simply doing business, so what’s important here is that we formally acknowledge how much risk the Committee is comfortable for the business to take in pursuit of its objectives and ultimately, profit.
It is perfectly understandable that the idea of any fraud at all feels entirely unacceptable, but as with most risks, pretending we are able to manage them to zero is just living in a state of denial. Unless of course you are prepared to take the ultimate mitigating action to remove all risk from the business; close down the business!
Who is the Secret Risk Manager?
The Secret Risk Manager is a senior risk professional working in the City. Over the years, they’ve seen a variety of risk practices - good, bad and ugly - across a variety of industries.
Like many risk professionals, the Secret Risk Manager’s CV has a large unspoken element. They are called upon to be, in turns, therapist, coach, detective, mediator, behavioural scientist, parent, mind reader, futurologist, story-teller, philosopher and diplomat.
These articles do not pretend to constitute advice, but only to provide a frank and hopefully thought-provoking look into the often frustrating world of those people who help organisations manage their risks. The subject matter is experience-based, but fictional.
Any resemblance to actual incidents or persons living or dead is purely coincidental. But let’s face it, there’s not much new under the sun so you’ve probably seen it before.