- Core reading (CMP chapter 9, pg 5) defines:
2. The same page also defines "Risk limits: this is a group of guidelines that set limits on acceptable actions that might be taken today. If risk limits are adhered to then each individual unit of the business should be deemed to be working within its permitted risk tolerances. Risk limits can be regarded as a component of risk capacity." Please elaborate on how a risk limit is set on "an individual unit of the business" and how is it different from a tolerance or Key risk indicator (KRI)?
[Are risk limits set by Board, working level or external regulator - for example a limit on % of cyber policies/risky assets that an insurer is allowed to sell/buy?
Appreciate that terminology is quite subjective but my basic understanding is that risk capacity shows maximum possible (if Board 100% risk-seeking), risk appetite is the Board indicating how much risk it actually wants to take while risk tolerances are set-up to ensure risk doesn't excess the risk appetites (unless justified/approved). And KRIs are the the same concept as tolerances but monitored at working level rather than at Board level.]
3. The Acted notes in several places comments that risk tolerances could theoretically be qualitative, although typically they are statistical. What would be a practical example of a qualitative risk tolerance? [The Risk function I work for defines "Risk Tolerances are the quantitative measures and qualitative assertions for the maximum risk allowed by the appetite." But in practice all the tolerances it monitors are numerical metrics eg.£mn currency mismatch, % investments with low credit rating etc]
4. Lam (Chapter 25, pg 443)and Acted notes (Chap 10 pg 11) mentions concept of a dashboard giving an overview plus option to click through to see more detail. Lam notes that "dashboards are becoming more common at the consumer level." This is basically the format of any phone app - opening screen provides an overview of app services (or account balances for banking app) which can then click through to see service/transaction details. And presume the Acted Forum overview (https://www.acted.co.uk/forums/index.php) counts as a 'Dashboard' showing 'forum statistics' as well as links to click through to latest posts (like this one
However, Lam (pg 442) adds that "With more advanced ERM dashboards that integrate not only information but also analytics, the board and management can review current risk sensitivities, as well as the impact of alternative strategies in real time. In other words, traditional reporting is data-driven while dashboard reporting is more action driven." How can a dashboard show the impact of alternative strategies in real time - does this mean that his ideal 'ERM dashboard' can immediately predict and display the risk-return impact of hiring more staff, changing investment strategy, launching new products etc?
Thanks very much in advance for answers to any of the above.