Defining risk appetite and using it to inform business decisions proactively is a complex process – one that many asset managers have yet to attempt, let alone master. Aviva Investors, which manages £352 billion ($468 million), may be an exception following the successful overhaul of its operational risk framework with this goal in mind; a project it began in 2016.
“Two years ago, our executive leadership made a conscious decision to accept risk ownership. This drove a top-down cultural change, emphasising the importance of risk and control management to the rest of the business,” says Liezl de Villiers, head of risk identification at Aviva Investors.
A pre-existing informal structure was replaced with one that formally assigned ownership directly to executives and defined their responsibilities. “Executives made time to regularly meet with their divisions discussing risk and control management, thereby embedding top-down senior management views with middle management’s day-to-day experiences.”
During the first year of the programme, Aviva focused on educating staff at every level of the business on the importance of risk. In the second year, risk profile discussions increased and risk events fell by around 50%, even as the core business continued to grow – a change considered a vindication of the new approach.
Risk events – measured by Aviva in terms of potential financial impact – were defined as the occurrence of any event, incident, failure or error (internal or external) whereby one or more risks materialise due to inadequate or failed processes, people, systems or the occurrence of external events. De Villiers identifies transaction errors as a typical risk event.
Staff at all levels have been encouraged to talk more openly about risk, but the transformation has not been achieved solely through education and dialogue. A new methodology for determining risk, and the accompanying terminology for describing it, has been critical. At the heart of the project was the overhaul of Aviva’s risk appetite statement.
“We developed quantitative and qualitative methods for breaking the risk appetites of the board into granular tolerances used by the risk and control self-assessment processes, as well as equipping employees with the appropriate qualitative parameters when performing their roles,” says de Villiers.
The company’s risk and control-management infrastructure has been developed around the risk appetite statement – a surprisingly unique structure that brings risk appetite to the core of the business, rather than allowing it to be sidelined on a day-to-day basis.
Looking forward, Aviva Investors’ next challenge is becoming masters in risk data insightsLiezl de Villiers, Aviva Investors
“This transitioned the risk appetite statement from a theoretical concept into a practical risk management tool, providing more meaningful qualitative statements and quantitative limits, balancing the business’s and board’s appetite towards risk whilst achieving the strategy,” de Villiers says.
In recognising most financial losses can be expected to emanate from its trading function, Aviva has allocated a significant portion of its risk appetite to this area, setting it within a major operational risk group. It sets two distinct risk tolerances: one for financial, and the other for conduct and reputational.
Dialogue and negotiation between the board of directors and the business on the setting of risk appetite and tolerance is critical, of course. Risk tolerance originates in the risk appetite statement and the business can get involved at an early stage in the setting of risk appetite, while the board can, in turn, provide its own input into this process.
This negotiation process was highlighted recently in the case of cyber risk, where the business had expressed a high tolerance while the board preferred a much lower tolerance, and a compromise was ultimately reached between the two views.
For de Villiers, who was promoted to head of risk identification in April 2017, risk data will be the next frontier in the evolution of Aviva’s risk function.
“Looking forward, Aviva Investors’ next challenge is becoming masters in risk data insights. The model produces a continuous flow of risk profile data, which we are analysing daily. We have made significant strides in achieving this goal by investing in automated solutions, providing the risk profile to the business at the click of a button,” she says.
De Villiers believes challenges will continue to develop: “Risk management will always evolve. We will therefore never stop challenging the methods used and discovered to achieve the best solution. Risk and control management forms part of the business DNA, ensuring customers’ and stakeholders’ best interests are at the heart of everything we do.”