Core reading (CMP chapter 9, pg 5) defines: "Risk capacity: this is the volume of risk that an organisation can take as measured by some consistent measure, such as economic capital." Is this simply the total amount of the firm's available capital resources or is this calculated for individual risks (and if so, how)? 2. The same page also defines "Risk limits: this is a group of guidelines that set limits on acceptable actions that might be taken today. If risk limits are adhered to then each individual unit of the business should be deemed to be working within its permitted risk tolerances. Risk limits can be regarded as a component of risk capacity." Please elaborate on how a risk limit is set on "an individual unit of the business" and how is it different from a tolerance or Key risk indicator (KRI)? [Are risk limits set by Board, working level or external regulator - for example a limit on % of cyber policies/risky assets that an insurer is allowed to sell/buy? Appreciate that terminology is quite subjective but my basic understanding is that risk capacity shows maximum possible (if Board 100% risk-seeking), risk appetite is the Board indicating how much risk it actually wants to take while risk tolerances are set-up to ensure risk doesn't excess the risk appetites (unless justified/approved). And KRIs are the the same concept as tolerances but monitored at working level rather than at Board level.] 3. The Acted notes in several places comments that risk tolerances could theoretically be qualitative, although typically they are statistical. What would be a practical example of a qualitative risk tolerance? [The Risk function I work for defines "Risk Tolerances are the quantitative measures and qualitative assertions for the maximum risk allowed by the appetite." But in practice all the tolerances it monitors are numerical metrics eg.£mn currency mismatch, % investments with low credit rating etc] 4. Lam (Chapter 25, pg 443)and Acted notes (Chap 10 pg 11) mentions concept of a dashboard giving an overview plus option to click through to see more detail. Lam notes that "dashboards are becoming more common at the consumer level." This is basically the format of any phone app - opening screen provides an overview of app services (or account balances for banking app) which can then click through to see service/transaction details. And presume the Acted Forum overview (https://www.acted.co.uk/forums/index.php) counts as a 'Dashboard' showing 'forum statistics' as well as links to click through to latest posts (like this one However, Lam (pg 442) adds that "With more advanced ERM dashboards that integrate not only information but also analytics, the board and management can review current risk sensitivities, as well as the impact of alternative strategies in real time. In other words, traditional reporting is data-driven while dashboard reporting is more action driven." How can a dashboard show the impact of alternative strategies in real time - does this mean that his ideal 'ERM dashboard' can immediately predict and display the risk-return impact of hiring more staff, changing investment strategy, launching new products etc? Thanks very much in advance for answers to any of the above.
Hi Bill, 1. This is explained further in Chapter 30, Section 3. 2. The way I think about it is in certain levels: - the risk capacity covers the maximum volume of risk allowed, and the risk appetite is set by the Board - this is then broken down into risk tolerances per Business Unit by the risk function (eg by a number of statements) - these are then broken down further by the risk function into various risk metrics which are the day-to-day assessment of the risk. Risk limits are cap on the risk metric (eg your risk metric may be volume of business, whilst the risk limit may be 10m), and out of these a KRI is a very important (or 'key') risk metric. 3. The example in the notes is preventing individuals with criminal records from being employed in assurance functions. Another could be having a zero tolerance to any operational risk which may result in a loss of life. 4. Yes, that's my understanding! In an ideal world, Lam is referring to a fully interactive dashboard, where users can input different strategies and see in real time the impact on KRIs and other metrics. In practice, dashboards have moved from a static representation of data to include more interactivity (eg where you can see and compare the results of various options, or switch on / off strategy features / risks and see the impacts) but those are still dependent on the desired scenarios / functionality of the developer. Alvin.
