In recent years, many companies have scrambled to meet the stringent post-recession regulatory requirements by instituting new ERM plans or augmenting existing programs. However, regulatory compliance is not enough. In order for ERM to create value, companies must seamlessly integrate risk practices into the organization's day-to-day business processes at every level. A key lever for this is to implement a comprehensive risk policy that establishes metrics, exposure limits, and governance processes to ensure enterprise-wide risks are within acceptable levels.
At the heart of such a policy is the risk appetite statement (RAS). An RAS is a concise document that provides a framework for the board of directors and management to address fundamental questions with respect to strategy, risk management, and operations, including:
- What are the strategies for the overall organization and individual business units? What are the key assumptions underlying those strategies?
- What are the significant risks and aggregate risk levels that the organization is willing to accept in order to achieve its business objectives? How will it establish governance structures and management policies to oversee and control these risks?
- How does the company assess and quantify the key risks so that it can monitor exposures and key trends over time? How does it establish the appropriate risk tolerances given business objectives, profit and growth opportunities, ...