Risk Management Framework
Guidance Notes
1. Background
Risk Management forms part of the University’s internal control (management) arrangements. This
document outlines the University’s approach to risk evaluation and subsequent management. The
University follows recognised practice in how it approaches risk as outlined within the Combined
Code (1999), and both “The Orange Book. Management of Risk – Principles and Concepts” and
“Thinking about Risk. Managing your risk appetite: A practitioners Guide” published by the HM
Treasury.
The University aims to take a pragmatic approach to risk management which ensures that its
processes are fit for purpose, integrated with the planning and management of the University and
proportionate to the administrative burden.
Whilst emphasis is placed on the management of risk it is important to note that the failure to
realise a genuine opportunity is equally a risk to the University and should be managed/monitored
through the same processes and procedures.
This most recent iteration of the Risk Management policy was developed in the autumn of 2015 and
was launched alongside the 2016/17 planning process.
2. Principles
The management of risk is key to ensuring the University successfully achieves its desired goals
whilst protecting the interests of its stakeholders. Risk is uncertainty of outcome, and good risk
management allows the University to:
- have increased confidence in achieving its desired outcomes;
- effectively constrain threats to acceptable levels; and
- take informed decisions about exploiting opportunities.
Good risk management also allows stakeholders to have increased confidence in the organisation’s
corporate governance and ability to deliver [1].
In developing the new framework the following principles have been applied:
- that risk management should be integral to the University’s planning (at all levels);
- that equal focus should be placed on what’s happening in the external environment, and how
this might impact on the University achieving its objectives, as that currently afforded to the
internal environment (relating to core operations or projects);
- that a single framework be applicable for the whole University, that is able to span all risk
levels/types of risk;
- that a more thematic approach be taken to risk management, with risks grouped according to
potential impact areas as well as source;
- that risks are managed by those in a position to manage the risk and reported to those for
whom knowledge of how that risk is being managed is relevant;
- that a more dynamic approach be taken to how the University manages risk;
- that an increased focus be placed on how assurance is sought/received in relation to risks
and their subsequent handling;
- that ownership and accountability for the management of risk is essential to an effective risk
management process;
- that both the approach to, and the management of, a risk be proportionate to the impact of
that risk (should it materialise).
1 The Orange Book. Management of Risk – Principles and Concepts. October 2004 (HM Treasury).
3. Risk Appetite
Risk appetite is defined as:
“The amount of risk that the University is prepared to accept, tolerate, or be exposed to at any point
in time.”
The University’s overall statement of risk appetite is appended to this guidance as Annex One. It
should be recognised that whilst the University as a whole has a defined risk appetite, different
functions/activities might be more or less hungry for risk, and that, managed properly, this can be
entirely appropriate to the organisation delivering its wider objectives.
Should you want any further guidance on risk appetite i.e. how much of what sort of risk you are
prepared to take, then do please refer to the HM Treasury guide “Thinking about risk – managing
your risk appetite: A practitioners guide” (November 2006).
4. Risk Approach
For each type of risk the overall approach is to:
- Identify risks which pose threats to fulfilment of strategic and/or operational goals. Risks
may relate to our People, our Finances, our Reputation, or the Operational Delivery of the
University’s functions;
- Evaluate the possibility and impact of a risk materialising (the “risk assessment”), which is
used to prioritise risks;
- Reflect on how the risk is best addressed: tolerated, treated, transferred, terminated or
taken (if an opportunity);
- Consider those actions/controls already in place to manage the risk and assess whether they
are sufficient;
- Reduce the risk, where possible, through establishing further mitigating actions/countermeasures
which might affect the impact or the possibility of the risk occurring;
- Assess the residual risk rating, i.e. the rating which it might be possible to achieve if all the
mitigating actions/countermeasures are achieved and are successful;
- Monitor the risk (to ensure that early warning signs are detected in order to put contingency
arrangements in operation) by identifying the most appropriate assurance mechanisms to
oversee that risk and, if currently insufficient, introduce additional mechanisms;
- Review once a risk has been managed/passed, to learn lessons and feed back into the
process of managing subsequent risks.
5. Risk Scoring
The University’s exposure to each opportunity/threat is a combination of the likelihood of a risk
materialising and, if it were to materialise, the impact it would have on the University. By definition
any assessment of likelihood and/or impact is going to be a largely subjective exercise; however,
steps have been taken to bring objectivity to it and to ensure consistency of both approach and assessment.
Particular focus has been placed on the calibration of the scoring mechanisms to help individuals
accurately assess the potential impact of a risk, with descriptors being provided from a number of
perspectives should that risk materialise:
- Time (taken to resolve)
- Cost
- Reputational impact
- Management Effort
- Outputs (impact on goals, be that local or institutional)
Both likelihood and impact are scored on a scale of 1-5. Definitions for each are included in Figure 1
below. Likelihood ranges from Rare (1) to Almost Certain (5) and Impact from Insignificant (1) to
Catastrophic (5).
Figure One. Risk Scoring Matrix

Likelihood (vertical axis):
  5  Almost Certain (>90%)   Event is expected to occur in most circumstances
  4  Likely (50-90%)         Event will probably occur in most circumstances
  3  Possible (30-50%)       Event should occur at some time
  2  Unlikely (10-30%)       Event could occur at some time
  1  Rare (<10%)             Event could occur only in exceptional circumstances

Impact (horizontal axis): 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic

Overall rating (Likelihood x Impact):
                       Impact:   1    2    3    4    5
  5  Almost Certain              5   10   15   20   25
  4  Likely                      4    8   12   16   20
  3  Possible                    3    6    9   12   15
  2  Unlikely                    2    4    6    8   10
  1  Rare                        1    2    3    4    5

Impact descriptors by perspective (1 Insignificant to 5 Catastrophic):

Time (taken to resolve):
  1  Resolution would be achieved through normal activity
  2  Resolution would require input from Head of School or Director
  3  Resolution would require the mobilisation of a dedicated project team (VCEG approved)
  4  Resolution would require direction from Council
  5  Resolution would require external intervention

Cost:
  1  under £50k
  2  £0.05m to £0.5m
  3  £0.5m to £5m
  4  £5m to £50m
  5  over £50m

Reputation:
  1  Little or no external publicity/reputational risk
  2  Adverse external impact or reputational risk issues unlikely
  3  Some adverse but short-lived external impact or reputational impact likely
  4  Substantial but short-lived adverse external publicity/impact unavoidable
  5  Sustained, ongoing, adverse, highly critical publicity/impact likely

Management Effort:
  1  An event, the impact of which can be absorbed through normal activity
  2  An event, the consequences of which can be absorbed but management effort is required to minimise impact
  3  A significant event which can be managed under normal circumstances
  4  A critical event which with proper management can be endured
  5  A disaster with potential to lead to collapse of the University

Outputs:
  1  Negligible impact on Dept/Function or common goals
  2  Impacts only on School/Directorate rather than University's common goals
  3  Impacts but not radically on some goals/strategic plan objectives
  4  Major impact on current or ongoing goals and strategic plan objectives
  5  Fundamental impact on current and/or ongoing goals/strategic plan objectives

6. Completing the Risk Register Template
The Risk Register template is appended to this guidance as Annex Two. The template can broadly be
subdivided into two sections:
a) an articulation and assessment of the risk itself; and
b) a consideration of specifically where assurance will be sought in relation to that risk.
Working left to right across the template:
a) Articulation/Assessment of Risk
Ref.
To aid with collation/reporting we are asking that all risks be allocated a unique working reference.
This should be done locally and follow the convention of a short abbreviation relating to the
School/Directorate followed by a number e.g. for Planning, Governance & Compliance, the first risk
on the register might be PGC/1 or for the third risk on the Education and Social Work register:
ESW/3.
Risk Date
This should be the date on which a risk is formally escalated to the School/PS Directorate Risk
Register. We will be tracking/monitoring risks over time so understanding when they were first
identified and formally captured (and indeed when they are removed from the register) is beneficial
in helping understand whether mitigating actions/countermeasures are having the desired effect to
the timescales necessary.
Statement of Risk
Capturing the risk accurately is essential in helping to identify the best way to evaluate (and
subsequently address) that risk. Risks should be assessed and prioritised in relation to objectives, be
that at a local or institutional level. In stating risks, care should be taken to avoid stating impacts
which may arise as being the risks themselves, and to avoid stating risks which do not impact on
objectives; equally care should be taken to avoid defining risks with statements which are simply the
converse of the objective. A statement of risk should encompass the cause of the impact, and the
impact to the objective which might arise. Examples [2] of well written statements of risk are provided
below in Figure Two.
Figure Two. Drafting of Statement of Risk
Primary Goal Impacted
One of the main enhancements of the “new” Risk Management Framework will be to organise risks,
irrespective of where they were initially identified, according to the goals of the University that they
might affect. This will align more closely with the revised approach being taken to planning for
2016/17 onwards. As well as helping us group “like” risks and agree thematic ways of managing
these risks, it will enable us to report risks to the appropriate governance mechanic for that area of
the University’s activity e.g. risks relating to the achievement of our Research goals should be
received/reviewed by the Research & Knowledge Exchange Committee (or sub-committee thereof)
alongside discussions of what we are doing to achieve those goals.
2 From “The Orange Book: Management of Risk – Principles and Concepts” (October 2004).
The goals of the University (as defined within Making the Future: 2013-18) are broadly grouped as:
- Research and knowledge exchange – delivering high quality research of lasting academic value and
with impact that benefits and enriches society;
- Teaching, learning and the student experience – increasing the number of students getting an
Outstanding Sussex experience;
- Our Falmer campus – creating a high-quality physical environment at Falmer to attract the best
students and staff where they will be able to enjoy their study and work;
- External engagement – building more and stronger partnerships with external organisations,
institutions and individuals locally, nationally and internationally;
- Economic and social impact – strengthening the economic and social impact of the University on the
wider region;
- Professional services – supporting academic excellence and the student experience with excellent
value professional services delivered by high-quality people working with the best facilities and
partners;
- Sustainable operating – securing the platform for the University’s sustainable future.
Risk Type
Many schemes exist to characterise risk types. Given the breadth of risks the University is exposed
to a simple four “type” scheme has been adopted.
a) Financial
b) Reputational
c) Operational
d) People-related
It is often the case that a single risk might be described as being of more than one type. Where this
is the case the dominant “type” should be recorded. What is most important is that the risk has
been recorded and is being appropriately managed, rather than how it has been categorised.
By recording the “type” of risk it encourages the University to take a broader, more balanced
approach to its consideration of risk, and not place unintended emphasis (or the converse) on
particular type areas.
The risk “type” is also important when it comes to producing your Risk Heat Map (see Section 7).
Current Controls
These are variously called the current controls, countermeasures or mitigating actions – those things
that the University is already doing to manage down the potential risk. The scoring of the risk
(above) will have taken into account those activities/measures already in place.
Most of these controls will be preventative i.e. they are designed to limit the possibility of an
undesirable outcome being realised, an example of this might be the introduction of a certain
procedure/policy to ensure that something runs smoothly, or a specific intervention designed to
address the risk materialising. The more important it is that an undesirable outcome should not
arise, then the more important it becomes to implement appropriate preventative/mitigating action.
Other types of control include:
a) corrective controls - those designed to correct undesirable outcomes e.g. insurance
b) directive controls - those designed to ensure that a particular outcome is achieved e.g.
requiring certain training to be completed before someone can undertake a particular task;
and
c) detective controls – designed to identify occasions of undesirable outcomes having been
realised, an example of which might be a Post Implementation review within a project to
detect lessons learned for application to future work.
All types of control are appropriate; what is most important is that the control put in place is
proportional to the risk. It is normally sufficient to limit controls to those which give reasonable assurance of
confining likely loss within the defined risk appetite of the University. Every control action has an
associated cost (be that financial, time etc.) which needs to be considered when deciding
whether it is required.
Owner
This should be the person ultimately responsible/accountable for the management of the risk. For
genuinely strategic risks (those with impact rating 4 or 5 to the University – see section on Risk
Rating) this would normally be a member of VCEG. For those rating 3-4 it might be a Head of School
or Professional Services director, and for lesser risks (1-2) then it would be appropriate for these to
be “owned” by a local manager or Head of Function/Department.
Given the complexity of the University it is recognised that, where risks might be identified/managed
in multiple places e.g. Health & Safety then it is possible for local registers to have local owners and
the institution as a whole to have an overall lead person.
Updater
It is recognised that it won’t always be the risk owner that updates and maintains the risk register for
the School, PS Directorate or University. Where this is the case it would help the Planning team if a
separate person were identified to be the “go-to” person when we need information on the risk or
how it is being managed.
Current Rating
An assessment of the current Likelihood and Impact of the risk using the methodology outlined in
Section 5 – Risk Scoring.
Overall Rating
This box will auto-populate on your template and is a function of the information inputted into the
previous cells relating to Impact and Likelihood. The overall gross risk score will range from 1-25.
- 1-5: Acceptable
- 6-10: Action necessary
- 11-15: Action essential
- 16-25: Action critical
n.b. the risk scoring matrix has been calibrated to the overall goals of the University, rather than
local strategies/goals, so it is unlikely (though not impossible) that a local register, at either School or
PSD level would contain a risk with an overall rating in excess of 15.
Change
When managing risk it is essential to monitor whether a risk is growing or diminishing over time.
This change might be a function of either the external environment in which we are operating, or the
relative importance of an outcome changing over time. It could also represent the impact of the
various controls/actions that might have been undertaken to manage the risk.
The template contains four options (chosen from the dropdown list) including NEW to highlight
when a risk is new to the register.
Previous Rating/Overall Rating
This information should be transposed from the last update made to the Register. If a new risk has
been added then these columns are not applicable and should be left blank. The difference
between the previous rating and that of the current assessment constitutes the “change” referred
to previously within the template.
Planned Mitigating Actions
The template thus far has captured the risk and those actions/controls already in place to
manage/ameliorate that risk. Any further actions necessary (but not already underway), which
would reduce the University’s exposure to that risk should be included in this section. The reason
these actions are not already underway might be an issue of timing or resource. The various types
of action that might be considered to mitigate a risk are the same as those described under the
“controls” section previously.
Commentary
Anything else that would help the reader of the Register better understand the risk. It might be used
to capture activity or developments between this version of the register and the previous, or where
something has happened in the wider environment that might have led to a change in the scoring of
a risk.
Residual Risk
A residual risk score is calculated in the same way (likelihood and impact) as the gross score. It
defines the level of risk to which the University might reasonably be exposed once the various
countermeasures/actions (both current and planned) have been put in place and are reducing the
impact/likelihood of that risk. This might not be the lowest possible exposure as (as has been stated
previously) all actions require some form of resource, and the University will take a response
regarding which actions to implement proportionate to the potential impact of the risk.
The aim should be that sufficient control/action is in place to manage a risk down to acceptable
levels (Overall Rating: 1-5). If a risk is assessed to have a residual rating greater than 10 then it is
likely that insufficient countermeasures/mitigating actions are in place (or are planned).
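As an added example (not part of the University’s guidance or its register template), the following Python encodes the Section 5 scoring matrix, the Overall Rating bands and the Residual Risk threshold described above, and goes a little further by also applying the Section 7 grouping by risk type (the heat map) and the Section 8 rule for what is reported to Performance Committee. The function names, the RiskEntry structure and the sample register entries are assumptions constructed for illustration.

```python
"""Risk Register scoring helpers modelled on Sections 5-8 of the guidance (illustrative)."""
from dataclasses import dataclass
from typing import Optional

# Scales from Section 5 / Figure One.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
# The four risk "types" from Section 6, used to group the Section 7 heat map.
RISK_TYPES = ("Financial", "Reputational", "Operational", "People-related")
# Overall-rating bands from the "Overall Rating" field description.
BANDS = ((1, 5, "Acceptable"), (6, 10, "Action necessary"),
         (11, 15, "Action essential"), (16, 25, "Action critical"))


def _check_scale(value: int, name: str) -> int:
    """Both scales run 1-5; anything else is a data-entry error, not a score."""
    if not isinstance(value, int) or value not in range(1, 6):
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return value


def overall_rating(likelihood: int, impact: int) -> int:
    """Gross score = likelihood x impact, i.e. the cell of the Figure One matrix (1-25)."""
    return _check_scale(likelihood, "likelihood") * _check_scale(impact, "impact")


def rating_band(score: int) -> str:
    """Map a 1-25 score onto the Acceptable / Action necessary / essential / critical bands."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def change(previous: Optional[int], current: int):
    """'NEW' when the risk has no previous rating, otherwise current minus previous."""
    return "NEW" if previous is None else current - previous


def residual_assessment(residual_score: int) -> str:
    """Residual Risk guidance: 1-5 is the aim; above 10 suggests that insufficient
    countermeasures/mitigating actions are in place or planned."""
    if residual_score <= 5:
        return "acceptable"
    if residual_score > 10:
        return "insufficient countermeasures likely"
    return "above acceptable level"


def performance_committee_reportable(likelihood: int, impact: int) -> bool:
    """Section 8: impact Major/Catastrophic (4-5) with likelihood Possible (3) or above."""
    return _check_scale(impact, "impact") >= 4 and _check_scale(likelihood, "likelihood") >= 3


@dataclass
class RiskEntry:
    # One row of the register (assumed structure); residual_* are the scores expected
    # once current and planned countermeasures are in place.
    ref: str
    risk_type: str
    likelihood: int
    impact: int
    previous_overall: Optional[int] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def assess(self) -> dict:
        if self.risk_type not in RISK_TYPES:
            raise ValueError(f"{self.ref}: unknown risk type {self.risk_type!r}")
        score = overall_rating(self.likelihood, self.impact)
        result = {
            "ref": self.ref,
            "overall": score,
            "band": rating_band(score),
            "change": change(self.previous_overall, score),
            "performance_committee": performance_committee_reportable(self.likelihood, self.impact),
        }
        if self.residual_likelihood is not None and self.residual_impact is not None:
            residual = overall_rating(self.residual_likelihood, self.residual_impact)
            result["residual"] = residual
            result["residual_assessment"] = residual_assessment(residual)
        return result


def heat_map(entries) -> dict:
    """Section 7 heat map: per risk type, a 5x5 grid of counts indexed
    [likelihood - 1][impact - 1] (row 4 = Almost Certain, column 4 = Catastrophic)."""
    grid = {t: [[0] * 5 for _ in range(5)] for t in RISK_TYPES}
    for entry in entries:
        grid[entry.risk_type][entry.likelihood - 1][entry.impact - 1] += 1
    return grid


# Constructed sample register; refs follow the School/Directorate convention (e.g. PGC/1).
SAMPLE_REGISTER = [
    RiskEntry("PGC/1", "Financial", likelihood=4, impact=3, previous_overall=8,
              residual_likelihood=2, residual_impact=3),
    RiskEntry("ESW/3", "Reputational", likelihood=3, impact=4),  # new to the register
    RiskEntry("PGC/2", "Operational", likelihood=5, impact=4, previous_overall=16,
              residual_likelihood=3, residual_impact=4),
]
```

Running `[e.assess() for e in SAMPLE_REGISTER]` shows PGC/1 at 12 (Action essential, up 4, residual 6), ESW/3 as NEW at 12 and reportable to Performance Committee, and PGC/2 at 20 (Action critical) with a residual of 12, which the guidance treats as a sign that planned countermeasures are insufficient.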
c) Assurance
The University has chosen to adopt the “Three Lines of Defence” approach to how it receives
assurance on risk. The approach helps clarify roles, responsibilities and accountabilities towards the
effective governance of risk management and assurance.
1st Line – Schools/PS Directorates:
- involved in day-to-day risk management
- follow a risk process
- apply internal controls and risk responses
2nd Line – Risk and Compliance:
- oversee and challenge risk management
- provide guidance and direction
- develop risk management framework
3rd Line – Audit:
- review 1st and 2nd lines
- provide an independent perspective and challenge the process
- objective and offers assurance
Operational (1st line of defence)
The University (be that at an institutional or local level) is responsible for ensuring that a risk and control
environment is established as part of day-to-day operations. The first line of defence provides
management assurance by identifying risks and mitigating actions, implementing controls and
monitoring/reporting on progress.
The various assurance mechanisms that might exist and which are relevant to the risk being
monitored/managed should be inserted into the vertical columns. It is recognised that individual
assurance mechanisms e.g. the local risk register, will provide assurance to multiple risks, hence the
solution of creating a column for each type of 1st line assurance against which a check can be placed
if appropriate to individual risks.
Internal Oversight (2nd line of defence)
These are generally the mechanisms that provide oversight, guidance and direction, normally
through policy/procedure. They might include such mechanics as Project Boards, Committees,
Management Groups or any other body internal to the University which have a monitoring role. The
process for recording these relevant to each risk is the same as for the 1st line.
Independent Assurance (3rd line of defence)
Generally provided by external means these are all the different assurance mechanisms that exist to
provide assurance to the University – the most obvious of which is our Internal/External Audit
functions. Dependent on the area of risk, other assurance mechanisms might exist such as
professional bodies, HEFCE, Health & Safety Executive etc. that have their own monitoring/oversight
functions to what we do. Again, this section should be completed as previously.
On a more general note, capturing the various assurance mechanisms across the whole of the
University will help the University ensure that the Terms of Reference/scope of these
functions/bodies accurately reflects the role they are required to carry out.
Control RAG
Above this section of the template are definitions for the RAG to be applied when assessing the
adequacy of the assurance controls in place. These are as follows:
- Low: Significant concerns over the adequacy/effectiveness of the controls in place in proportion to the risks
- Medium: Some areas of concern over the adequacy/effectiveness of the controls in place in proportion to the risks
- High: Controls in place assessed as adequate/effective and in proportion to the risk
- Insufficient information to judge the adequacy/effectiveness of controls
Based on these descriptors an assessment should be made as to whether there are sufficient
assurance mechanisms in place relative to the size of the risk. Based on this assessment a
judgement can be made as to whether the assurance currently in place is sufficient (Is Assurance
Sufficient?).
Where it is felt that additional assurance mechanisms are necessary to ensure the risk is managed as
effectively (proportionate to the potential exposure) then Improvement Actions should be
identified, and, if agreed, implemented. Actions can take a number of forms that might include:
- recruitment of technical expertise into a function (or professional training for existing staff) e.g.
around Health & Safety risks;
- reviewing the terms of reference of an existing Committee/Management Group to ensure an
oversight mechanism sits within our governance structures; or
- the need for an Internal Audit of a particular area of activity.
It is important to recognise that the opposite might also be true where, for a relatively low risk area
we have in place multiple, complex, often time-consuming assurance mechanisms. Once the various
assurance mechanisms are captured and mapped and this is felt to be the case then consideration
should be given as to whether they are all necessary and whether any of these can be ceased (and in
so doing free up resource). Where this is the case then stopping doing something might also be
regarded as an “improvement action”.
Commentary
An opportunity to provide any other information or progress updates on the assurance around that
particular risk.
7. Risk Heat Map
A graphical summary of the aggregated risk profile of the School/PS Directorate or Institution.
Figure Three. Risk Heat Map
8. Governance/Reporting
For the risk management system to be beneficial it needs to be fully embedded into both the
governance and planning frameworks of the University. Risks need to have pathways to be
escalated when appropriate and where mitigating actions/countermeasures are agreed on these
need to be included in the priorities/workload of the responsible individual, School or Department.
[Figure Three content: four heat-map panels, one per risk type (People, Finance, Reputation, Operational Delivery), each plotting Likelihood on the vertical axis against Impact on the horizontal axis.]
Figure Four. Risk Management within the wider Planning Framework of the University
Ultimately Council is responsible for establishing and monitoring risk management policies,
strategies and the risk register. In so doing it looks to the Audit Committee “to advise Council on the
effectiveness of risk management” within the University.
The overall Risk Management Framework (and attendant procedures) is managed by the Planning,
Governance & Compliance Directorate with Professional Services, drawing on local processes within
Schools, PS Directorate and projects. Figure Five below provides a summary of how information in
relation to risk flows through the University.
[Figure Five content: a flow diagram. Three source streams feed into Planning (Collate & Review): INTERNAL (Business as Usual) – Schools and PSD planning with their local registers; CHANGE – Major Projects, the Project Portfolio risk registers and the Portfolio Risk Register; and EXTERNAL – environmental scanning and monitoring within the Risk Framework. Institutional reporting then flows to VCEG (termly), the Audit, Performance and Finance & Investment Committees (termly) and Council (annually). Thematic reporting flows via VCEG members to the Teaching & Learning Committee, the Research & Knowledge Exchange Committee, the Human Resources Committee, the Health, Safety & Environment Committee and others. The diagram also carries Feedback and Countermeasures/Mitigating Action links.]
Figure Five. Risk Management within the University.
Frequency of Reporting
Risks to the delivery of local/University goals and outcomes are generally identified and then
escalated via one of three routes:
- external - through notification/scanning of what’s happening in the environment in which
the University operates;
- projects (referred to as “change” in Figure Five); and
- locally at School/PSD-level
External – almost by definition these can surface at any time and might need the rapid mobilisation
of response if potentially highly impactful. They are often harder to influence through mitigating
action as most will be outside of the direct control of the University. Examples of these types of risk
(and/or opportunities) might be: changes to the overall governmental funding environment, or the
introduction of proposed changes to Tier 4 Visas for overseas students. Their likelihood is typically
(though not impossibly e.g. lobbying) difficult to influence, however with sufficient planning it is
normally possible to offset the potential impact through the introduction of countermeasures.
Whilst the Planning office will conduct routine environmental scanning, if anyone identifies a
significant risk/opportunity to the University they should notify the Planning Office who will
undertake the appropriate assessment and provide guidance as to how (and whether) the risk needs
to be added to the overall framework.
Projects – are recognised as being integral to the University achieving its goals. Separate guidance
exists as to the University’s approach to managing projects (incl. their governance). The
management of risk within the project environment is key to their successful delivery. The
University is establishing a central Programme Office, working with the various functions/teams that
already exist, to monitor the portfolio of projects and programmes underway in the University at any
one time. Irrespective of the complexity/scale of a project, risk needs to be considered – for smaller
projects this might purely be identification and management; larger projects will probably have their
own risk registers which are reported into/monitored by formally established Project Boards. Risks
to Major Projects will, in addition, be part of the more formal reporting to VCEG, Performance
Committee and ultimately Council.
The Programme Office reports to VCEG bi-monthly (and Performance Committee termly) on the
status of Major/Mid-Tier projects within the University. This includes an assessment of the major
risks to the successful delivery of those projects.
Locally – risk registers for Schools and Professional Services Directorates also need to be maintained.
Whilst progress in managing individual risks might vary according to the potential exposure of the
risk, Schools/PSDs will be required to submit their full registers termly. A full review of your risk
register should be undertaken alongside your planning process in Oct-Jan, and lighter-touch reviews,
to capture any changes (be that to the scoring or any “new” risks that might have emerged and need
to be added to the Register) towards the end of the Spring and Summer terms. It is anticipated that
Schools/PSDs would normally review their registers (and progress on managing any significant risks)
as part of their SMT meetings.
Source              Frequency of reporting [3]
External            As requested/agreed (dependent on type/potential exposure)
Projects Cat 1/2a   Bi-monthly, alongside Highlight Reporting to Programme Office
Projects Cat 2b/3   Locally and/or into Relevant Programme Board (as required)
Schools/PSDs        Termly (Full – Planning Round; Light-touch – Spring/Summer terms)
Onward Reporting
As described previously a key feature of the University’s risk management framework is the ability to
group risks and ensure they are considered by the most appropriate assurance mechanism. The Risk
Register template requires individuals to associate their risks to specific goals. This will allow the
Planning Office to group risks, collated from whatever source, and ensure they are reported to the
most appropriate assurance mechanism, e.g. all Health & Safety risks from around the institution
need to be brigaded to a central Health & Safety risk register and this form part of the routine
reporting to the Health, Safety and Environment Committee. Similarly any/all risks identified in
relation to us achieving one of our academic goals will be grouped and shared with the appropriate
University Committee; aggregated financial risks to the Finance & Investment Committee and so on.
3 For substantive risks, where the University’s risk exposure is significant, specific reporting mechanisms/regimes will be agreed.
The Vice Chancellor’s Executive Group (VCEG) formally reviews the Institutional Risk Register termly
ahead of subsequent reporting to the key Committees of Council (described below). Where a
specific significant risk is “live” and requires more regular monitoring/consideration then it will do
this through its weekly meetings.
Performance Committee has a specific role “for strategies, projects and plans and areas of
operation, to monitor the management of the main risks”. To enable it to fulfil this function it
will be routinely updated on the status and plans for all risks deemed to have an impact defined as
either major/catastrophic and a likelihood of 3 (possible) or above.
Audit Committee have the responsibility delegated from Council as to the overall effectiveness of
the Risk Management Framework. In addition to the reporting on major risks received by the
Performance Committee they will also receive assessments as to the various assurance
arrangements and whether these are operating effectively. They might decide to seek further
assurance on certain risks if they have specific concerns.
Finance and Investment Committee (or their delegated Sub-Committees) will receive updates to
their meetings as to the overall financial risk profile of the University and on any specific financial
risks where the potential exposure is in excess of £5m.
Council is ultimately responsible for the strategic oversight of risk management within the University
as a whole. It has a statutory requirement to own the Institution’s Risk Register. The involvement of
Council in risk management is helpful as members can provide a more complete picture of risk for
the University, ensuring that it is integrated into wider processes, and can also help define the overall risk
appetite.