Part 3  |  Risk Managers at Risk:  7 Things You Need To Do To Save Your Company…. And Your Job

Select a Taxonomy and Draft Risk Appetite Statements

Our previous article discussed the roles the ERM function may assume in organizations.  This article addresses what are, from our perspective, the two most overlooked steps in the entire ERM process:  

  1. How to build a risk inventory using a standard Risk Taxonomy, and
  2. What is required to create an effective and useful Risk Appetite Statement (RAS).  

Quite simply, organizations do not invest enough time or effort into organizing the risks they identify into logical groups, or into drafting Risk Appetite Statements that are useful.  This is a critical shortcoming that often handicaps the entire ERM process, because these two elements provide the overall direction and risk boundaries for every unit of the organization.  And when done properly, they ensure that risk ownership and management extend to the business unit level.

The good news, however, is that these problems can be quickly addressed with just a bit of focused attention. Let’s lay out the steps required for you to strengthen your processes and build that ownership within your organization.

When beginning the ERM process, organizations typically jump straight into inventorying and defining the specific risks they face, based on their individual situations and the industries to which they belong. This is good, but the results are too specific and often idiosyncratic.  And why reinvent the wheel?  Many detailed and useful Risk Taxonomies already exist which provide comprehensive risk inventories and descriptions, and which in turn vastly simplify the future task of benchmarking performance against peer companies.  In the insurance industry, for instance, widely used frameworks such as ISO 31000, COSO ERM, and NAIC guidance provide risk categorizations that you can adopt or adapt.  If you are just starting out, use one of them. If you already have a risk inventory, harmonize your work with these established frameworks.  Doing so will organize your existing work into groupings that facilitate peer comparisons, and enable you to generate reports and comparisons that will intrigue your company executives and that regulators and rating agencies are increasingly requesting.

Once the high-level risk identifying and organizing are completed, you must over-invest in creating high quality Risk Appetite Statements, first at the corporate and then at the Line of Business level.  The Risk Appetite Statement is the company’s formal pronouncement of desire or reluctance to assume specified risks, and at what levels.  It is, in effect, the Company’s “Strategic Plan” for Risk, and should be closely integrated with the Company’s overall strategic plan.  Very few of the RASs that we have reviewed, however, even come close to meeting this objective.

At a minimum, the Corporate RAS should provide a general narrative on the company’s risk management philosophy and contain the following elements:

  • A description of the 5-10 critical risks the company faces,
  • Quantitative risk appetite metrics for each of those risks, and
  • Descriptions of Key Risk Indicators or target ranges, typically expressed as “traffic light” groupings or as target levels to be maintained.  

These groupings form the basis for the Risk Reporting templates which are developed at this time and included as part of the RAS effort. Higher quality RASs often include some discussion on the exact mechanisms for risk measurement, monitoring, and frequency, and what the control and governance processes are as they relate to the individual risk groups. They may also delegate these tasks to specific business units. Occasionally, RASs also include a brief glossary of Risk Terms and Definitions as an addendum.  We strongly endorse this practice, as it promotes the establishment of a common risk language and vocabulary across the organization.  RASs may also discuss ways to align overall compensation on a risk-adjusted basis, but these goals remain largely aspirational.  The CFO or CRO is often the Executive Sponsor for the Corporate RAS effort, and the Board typically approves the Corporate RAS after significant input and deliberation from the C-suite and other stakeholders.

Many ERM organizations miss an opportunity to help their organizations and create value by neglecting to extend this process to the individual lines of business.  Once the Corporate RAS has been accepted, it sets the aggregate risk tolerances and limits. How do these aggregate limits align with the sum of the business unit risks?  How do they change as the posture of each business unit changes? And what are the interactions between units?   These are hard questions that must be addressed, and the ERM function is the one best placed to address them. Very few ERM functions do so effectively, however.

Yet most of the raw materials risk managers need to develop these insights are available, if they are willing to partner with their business counterparts.  Every business unit creates a budget and strategy document (admittedly of varying quality!).  Translating these objectives into Key Risk Indicators and tolerances, at least initially, is something Risk Management should be doing proactively.  Drafting an LOB-specific RAS is then a straightforward process, based on the parameters established in the Corporate RAS and on what can be inferred from the LOB budget and strategy documents.  

A more strategic perspective greatly enhances both ERM’s effectiveness and your personal stature in the organization.  Moreover, information is power.  No other function in the company has the mandate to review, own, and manage risk across business lines, and the insights you can create are tremendously valuable to the organization.  Given our defined corporate risk capacity, which businesses are exceeding or “overusing” that capacity?  Why? Is this contemplated, accidental, or intentional?  And how can it be managed most effectively, both immediately and over the longer term? No individual business manager can answer these questions, and many might not even want to know the answers if they could find them.  But you can, and in service to your organization’s health and future, you should.  

Why aren’t you seizing the opportunity?
