After discussing how to measure risk appetite using operational risk software last week, this time Tony and John discuss the role of control appetite, which is the cost and resources associated with controlling risks.
This excerpt is taken from their book Mastering Risk Management…
Some people may think that risk appetite includes controls. However, control appetite is fundamentally different. As an example, consider the risk ‘Loss of key staff’ and two of its controls ‘Performance appraisal’ and ‘Salary surveys’. The quantitative risk appetite for ‘Loss of key staff’ may be the loss of one key person every three years. This is achieved by a control appetite for performance appraisal that the appraisals are completed every 12 months, and a control appetite for salary surveys that all salaries are within the second quartile.
It is therefore clear that risk appetite is linked with control appetite, but that control appetite is completely separate. This is analogous to the link between key risk indicators (KRIs) and key control indicators (KCIs). Control appetite is the amount a firm is willing to spend (in time, money and/or resources) to mitigate a risk(s) to an acceptable net level.
Definition of Control Appetite
The definition explicitly recognises that management has a finite willingness to mitigate risks and implicitly recognises that certain risks cannot be mitigated or mitigated further.
It should be noted that this definition focuses control appetite internally to the firm. This is in contrast to the definition of risk appetite, which can be as much affected by external factors as by internal factors. This is very helpful from a practical perspective as it allows management to focus on controls that can be improved. The definition above, of course, only covers the business-as-usual control appetite. There are also control appetites at an unexpected level of loss and at an extreme (scenario) level of loss.
Describing control appetite
Control appetite can be described in simple terms and it can be modelled. Just like risk appetite, control appetite can be described through the tools that are used in risk management. For example, control appetite can be expressed as:
- an acceptable level of control assessment (within a risk and control self-assessment)
- a reduction in the assessed risk level from gross (inherent) to net (residual) risk
- targets and thresholds of key control indicators
- reductions in the number and/or value of events and losses
- the monetary benefit that the control makes to the reduction in the risk profile (this can use mathematical modelling of the risks and controls in order to determine a value)
- the money spent on risk profile reduction.
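To make the ‘Loss of key staff’ example above concrete, the following is an added illustration (not code from the book or from RiskLogix) of two of the expressions in the list: key control indicator thresholds and the comparison of observed losses against the quantitative risk appetite. The staff records, the 12-month appraisal age and the second-quartile salary target are taken from the book's example; the field names, the sample staff and the departure count are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample record for one key member of staff (hypothetical field names).
@dataclass
class KeyStaff:
    name: str
    last_appraisal: date
    salary_quartile: int  # 1 = lowest quarter of market pay, 4 = highest

# Control appetite thresholds from the book's example.
APPRAISAL_MAX_AGE_DAYS = 365   # performance appraisals completed every 12 months
TARGET_SALARY_QUARTILE = 2     # all salaries within the second quartile (or above)

# Quantitative risk appetite from the book's example.
RISK_APPETITE_LOSSES_PER_3Y = 1  # one key person lost every three years


def appraisal_kci(staff, as_of):
    """KCI: share of key staff whose last appraisal breaches the 12-month control appetite."""
    overdue = [s.name for s in staff
               if (as_of - s.last_appraisal).days > APPRAISAL_MAX_AGE_DAYS]
    return len(overdue) / len(staff), overdue


def salary_kci(staff):
    """KCI: share of key staff paid below the target market quartile."""
    below = [s.name for s in staff if s.salary_quartile < TARGET_SALARY_QUARTILE]
    return len(below) / len(staff), below


def assess(staff, departures_last_3y, as_of):
    """Compare both control KCIs with control appetite and losses with risk appetite.

    A KCI threshold of zero breaches is assumed here: the book states the
    appetite as 'every 12 months' and 'all salaries', so any exception is a breach.
    """
    appraisal_rate, overdue = appraisal_kci(staff, as_of)
    salary_rate, underpaid = salary_kci(staff)
    return {
        "appraisal_breach_rate": appraisal_rate,
        "appraisal_overdue": overdue,
        "salary_breach_rate": salary_rate,
        "salary_below_target": underpaid,
        # Control appetite is met only when every control is within its KCI target.
        "control_appetite_met": not overdue and not underpaid,
        # Risk appetite is met when observed losses stay within the stated tolerance.
        "risk_appetite_met": departures_last_3y <= RISK_APPETITE_LOSSES_PER_3Y,
    }


# Constructed sample data: four hypothetical key staff and two departures in three years.
SAMPLE_STAFF = [
    KeyStaff("A", date(2023, 1, 15), 2),
    KeyStaff("B", date(2022, 6, 1), 1),   # appraisal overdue and underpaid
    KeyStaff("C", date(2023, 11, 20), 3),
    KeyStaff("D", date(2023, 3, 3), 2),
]
SAMPLE_DEPARTURES_3Y = 2
SAMPLE_AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_STAFF, SAMPLE_DEPARTURES_3Y, SAMPLE_AS_OF).items():
        print(f"{key}: {value}")
```

Run as a script, the sample shows the pattern the text describes: the risk appetite is breached (two departures against a tolerance of one) while the KCIs point at the specific control, and the specific person, where the control appetite is not being met.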
As noted above, control appetite can be analysed in different ways. Consequently, the interpretation of control appetite may vary at different levels of the firm.
Control appetite also links to internal audit work and to LEAN/Six Sigma. Internal Audit tends to focus on the effectiveness of controls within the firm and its work is therefore valuable in determining what the control appetite of the firm is in reality (as opposed to what the firm says it has as a control appetite). It is often true that controls in an area will be improved following an internal audit as senior management may not have been aware of the poor functioning of certain controls. However, it is also true that (unless action plans are in place and being actioned) the current state of the firm’s control profile is an accurate reflection of its actual control appetite (notwithstanding what it may say to the contrary).
Breaking down control appetite into its components
Control appetite itself splits into two main parts: causes appetite which concerns preventative control appetite, and effects appetite which concerns corrective control appetite (drawing on the four internal audit control types of directive, preventative, detective and corrective).
Causes appetite is linked to management’s view of the likelihood of the risk and also splits into two. Preventative controls are often automatic controls. They also often have a significant cost (often IT costs primarily) and occupy a significant amount of management thought and time. They are the immediate, obvious and visible side of the control environment. Thus management’s risk appetite is actually often focused on its appetite for the causes of risks.
The other part of causes appetite is directive control appetite which is linked to management’s willingness to implement governance, as directive controls consist of policies, procedures, committees and the power of the board.
Corrective control appetite is linked to management’s willingness to correct for the effects of the impact on the business. Corrective controls are often relatively cheap and unused (until an event happens). They are also therefore often under-rated, do not figure largely in management’s thinking and are under-tested. When they are required, it is almost always too late to implement and test them. For this reason, prudent management should consider carefully its effects appetite, alongside its causes appetite.
To conclude the appetite analysis of the four types of control, detective control appetite is linked to management’s willingness to identify events once they have happened. However, the focus for action is of course on correction and this is often considered more necessary than detecting the event. In reality therefore there is often only tacit acceptance of the need for detective controls, despite the obvious necessity of needing to detect an event before you can correct for its effects. This leads to a very low level of appetite for spending money on standard detective controls such as reconciliations.
Control appetite is another element of risk appetite, which as a whole can appear either confusing or daunting. However, as we’ve stated before, having an appetite is fundamental to the management of risk. If appetite is broken down into its component parts and then analysed one part at a time, appetite becomes both manageable and of value to the business.
Taken from Mastering Risk Management by Tony Blunden and John Thirlwell and published with kind permission from Pearson Education. Readers of this blog are entitled to a 25% discount on Mastering Risk Management through the following URL: https://www.pearson.com/en-gb/