Frank Maher of Legal Risk LLP Solicitors discusses the importance of risk appetite statements as part of a risk framework and offers guidance for assessing a company’s risk appetite
Last year, the Finsbury Park Mosque received an unexpected letter from its bankers advising that they had closed the account. The letter went on to explain that the bank had ‘recently conducted a general review and has concluded that provision of banking services to Finsbury Park Mosque now falls outside of our risk appetite’.
More recently, I was advising a new highly specialist law firm setting up in practice. It requires professional indemnity insurance in order to obtain authorisation from the Solicitors Regulation Authority (SRA). One insurer which was approached by a broker was unwilling to offer terms, saying that their risk appetite for new start-ups was low.
These are two very different examples of risk appetite being applied in practice. But why might it matter to in-house lawyers?
The rise of risk appetite
Risk appetite is starting to rise up the agenda of corporate governance and it is an integral part of developing a risk framework because that cannot be done in the abstract. The Financial Reporting Council (FRC) issued Guidance on Risk Management, Internal Control and Related Financial and Business Reporting in September 2014 to accompany the 2014 edition of The UK Corporate Governance Code. While it is primarily aimed at companies listed on the London Stock Exchange, it is hoped that it will be useful to other companies too.
The FRC’s guidance stipulates monitoring and review of the risk management and internal control systems. Under the heading ‘Board Responsibilities for Risk Management and Internal Control’, it includes ‘determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its ‘risk appetite’)’.
The board’s annual review of effectiveness is required to consider ‘the company’s willingness to take on risk (its ‘risk appetite’), the desired culture within the company and whether this culture has been embedded’. Appendix C sets out questions for the board to cover, and it poses the questions ‘How has the board agreed the company’s risk appetite? With whom has it conferred?’
The risk management agenda cannot be addressed by a board in isolation: it must involve all parts of the business. The global financial crisis has increased the recognition of the role of in-house lawyers in corporate governance.
The role of the in-house lawyer in risk appetite assessment
But the development of the in-house lawyers’ role was evident before the financial crisis. One example is the scandal which surrounded the accounts of Shell over a decade ago, over misreporting of its oil reserves. This led to a report by US law firm Davis Polk & Wardwell, which revealed that despite Shell having the largest legal department of any UK company, its disclosure strategy was signed off at meetings of the company’s committee of managing directors without legal advice.
The responsibilities of an in-house lawyer include identifying where the company’s business operations may result in breaches of the law and identifying the control mechanisms to mitigate the risks.
A further reason why the organisation’s risk appetite needs input from in-house lawyers may arise in relation to the services they provide, in most cases primarily to their employer, but increasingly to members of the public and other third parties. In some cases this is because the organisation may be an ABS, in others, it may be operating within the permitted exceptions for in-house lawyers to provide services to the public, for example solicitors working for insurance companies acting for their employers’ insureds.
It is also important to recognise that perceptions of risk and a lawyer’s role in mitigating it may differ around the business units. An extreme example on which I was asked to advise involved a financial institution which imposed supervision processes on the legal department. This effectively bypassed the principal solicitor, who was nominally head of the department, and rendered it practically impossible for the solicitor to comply with her obligations under the SRA Code of Conduct. The institution was mindful of its regulatory obligations to the Financial Conduct Authority, but apparently unwilling to recognise the solicitor’s own regulatory obligations to the SRA.
In-house lawyers’ roles may change in the light of the SRA’s forthcoming review of the restrictions on in-house practice. The specific outcomes of that review are hard to predict, but it seems likely that they will result in some increase in the extent to which in-house lawyers can provide services to the public – providing previously unexplored ground for claims and complaints.
Identifying the company’s risk appetite
So where does one start in identifying the company’s risk appetite, and indeed, a risk framework? Some help can be derived from guidance issued by other bodies.
In the context of financial institutions, the Financial Stability Board (FSB) describes itself on its website as ‘an international body that monitors and makes recommendations about the global financial system’, and is based at the Bank for International Settlements in Basel. In November 2013 it published Principles for An Effective Risk Appetite Framework. This explains what is required for a risk appetite framework, including policies, process, controls and systems, and the roles and responsibilities of those overseeing and implementing it. It explains that the framework must include consideration of reputational risk, and it needs to be aligned with the institution’s strategy, business plan, capital planning and compensation schemes.
It defines a risk appetite statement as:
‘The articulation in written form of the aggregate level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and conduct risks as well as money laundering and unethical practices.’
The FSB explains that an effective framework should be driven by both top-down board leadership and bottom-up involvement of management at all levels. Importantly, it also identifies that the framework should ‘evaluate opportunities for appropriate risk taking and act as a defence against excessive risk-taking’: this is a useful reminder that risk management is not just about avoiding negative impacts on the business, but identifying opportunity for risk taking. An organisation which is completely risk averse will ultimately wither and die on the vine.
The American Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five accounting and financial organisations. It published a useful paper entitled Understanding and Communicating Risk Appetite by Dr Larry Rittenberg and Frank Martens in October 2012.
COSO’s Enterprise Risk Management - Integrated Framework defines risk appetite as follows:
‘The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.’
The paper sets out a process for management to develop a view of the organisation’s risk appetite, putting it into a form for communication across the business and monitoring it. It provides some practical examples for a variety of organisations.
It also addresses the issue of risk tolerance:
the ‘acceptable level of variation relative to achievement of a specific objective.’
So a bank might require zero tolerance in relation to its decision not to provide services to online gambling companies, because of the risk of criminal and regulatory enforcement action in the United States.
Helpfully the paper sets out a series of questions which can be used in order to facilitate discussion at management and board level. It concludes with the observation that ‘Risk appetite does not exist in a vacuum: rather, it is an integral part of an organization’s strategies for achieving objectives. The concept of risk appetite permeates all organizations, from charities and governments to small businesses and publicly traded corporations.’
A culture, not an event
Remember, though, that the process for developing the risk appetite statement, and indeed the whole of the risk framework, is not something to be enshrined in tablets of stone and then forgotten, but the beginning of a continual process of monitoring and review: risk management is a culture, not an event.