Today, financial services organizations are very familiar with the concept of a risk appetite – but often completely ignore their control appetite. And yet, while the risk appetite is usually a regulatory requirement, the control appetite can be where the proverbial rubber meets the road, in terms of delivering real value to the organization.
So why is the control appetite so often ignored? To begin with, many seasoned risk managers do not know what a control appetite is, or how it works. Nor do they understand how implementing a control appetite can bring together an organization’s approach to the way it thinks about and implements its control framework – into a unified whole.
Often, controls are viewed very much in isolation – they are applied to individual risks as a means of mitigation. While sometimes they are examined with an eye on how well they are working, often they are not – and very rarely is the success of a control looked at within the context of other controls on the same risk, or perhaps in the control’s relative success across the range of risks it is supposed to be mitigating.
Most firms do not know which of their controls are the most effective – or their least effective. Boards often feel that they do not have the information necessary to make informed decisions about further investment, or redistribution of investment, in controls programmes. Risk executives have difficulty supporting their business cases for controls investment, and struggle to have constructive discussions with the first line of defence about their control frameworks.
In short, without a controls appetite approach, it is very difficult to have a strategic approach to a controls framework across one of today’s financial services organisations.
A new article from Chase Cooper, Controls Appetite – The Other Half of the Risk Framework, defines the concept of control appetite and outlines the benefits of a control appetite for the overall risk framework as well as organizational decision-making.
The article also talks about the two major categories of control appetite that organisations should have – the causes controls appetite, and the effects controls appetite. These two main categories are then broken down further. This important taxonomy of the controls appetite enables organizations to better understand the purpose of the controls they have in place for a particular risk, and the type of mitigation effect those controls will have on that risk. It will also help the organization to articulate the financial cost that controls are having on the size of the risk it faces – whether it’s the mitigation of either frequency or scale of impact.
Putting a controls appetite framework in place – using a risk-centric GRC solution designed with this approach in mind – can help a firm be sure that its approach to managing controls is aligned with its approach to managing risk. A correctly designed controls appetite can help ensure that the risk appetite framework is operating both efficiently and effectively, reducing operational loss and increasing shareholder value.
To learn more about the concept of a controls appetite, and how to implement one, read the new article from Chase Cooper, Controls Appetite – The Other Half of the Risk Framework by filling out the form below: