Dan Davis, chief risk officer at NEST, describes the pension scheme’s approach to risk management.
Being good at risk management isn’t about avoiding risks altogether but about monitoring them, understanding them, and making the right decisions because of them. I regularly undertake activities that on the surface seem at odds with my job, maybe not quite Evel Knievel, but scuba diving and rock climbing certainly get your adrenaline going. In fact, I am about to take part in the Clipper round the world race, arguably one of the most challenging endurance tests in sailing. The point is, risk management doesn’t mean you don’t do something; it means you do it, but in a safe and risk-considered way. It’s a key decision-making tool to help the organisation make the right decisions.
If I had to, I would say NEST’s main risk is linked to its success. We are growing exponentially. From a standing start in 2012 we now have over 5.3 million members and counting. We regularly see over 1,000 employers sign up each day. We need to continually evolve to deal with the large volumes of data we receive. We also need to keep ahead of cyber-crime. There is a concept in evolution called the Red Queen Hypothesis, which is about ‘running to stay still’: continually adapting and improving just to hold your position.
This year, I’ve been focused on improving the way we think about, analyse and report on risk. I wanted to build on the risk register method and develop an approach that incorporated meaningful risk appetite and tolerance levels.
At NEST we have been looking at how to bring risk appetite and tolerance to life, and after researching several different ways, we have developed a method that works for us: a dashboard. It enables us to set clearly defined appetite and tolerance levels based on our key risk indicators, which can be tracked over time and then reported to the board.
This involved identifying a set of principal risks which are material to the development, performance, position or future prospects of NEST. There are currently a handful of these risks, and for each one we have created a dashboard that pulls together key data points from across the business.
One of these data points is our key risk indicators (KRIs). For each KRI we have established a set of red-amber-green (RAG) tramlines that outline what good, and bad, looks like. This means we can monitor the KRI to determine whether the risk environment is getting better or worse. We then set RAG levels for the KRI, and can identify whether performance is cause for concern. Each of these KRI tramlines was proposed by the risk owner, challenged by the executive and the Risk Committee, and agreed by our Trustee board. It is these tramlines which, taken collectively for each principal risk, outline our appetite and tolerance towards the risk.
But what does that mean? And how does it work in practice? Let me bring it to life for you. As one of the largest pension schemes in the UK, one of our principal risks is keeping members’ data and assets safe. So how do we measure this? A KRI for this risk is the number of data breaches in the past three months. A data breach occurs when information is disclosed to a third party without consent, which for example could be an organisation sending a letter to a member’s old address after their address has changed. We have to decide our tolerance. Using these tramlines, red would mean we have no tolerance for taking risks that result in the indicator performing at this level. Amber would mean we have low tolerance, and green would mean we are performing within our appetite. After the RAG appetite and tolerance levels have been agreed by the Trustee board, the business can use them to guide its approach to managing the risk.
Each of our principal risks generally has between six and eight indicators. When management are considering how to respond to an indicator in an amber or red zone they will normally review performance against all indicators collectively rather than one indicator in isolation. Management response will vary from risk to risk but, in general terms, movement into the amber performance zone will trigger a review of the risk environment and consideration of whether action should be taken. A move into a red performance zone will trigger a more in-depth review with a stronger emphasis on taking action to bring the risk back in line with appetite; this is likely to include introducing additional mitigation activity on either a temporary or permanent basis.
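To make the mechanism above concrete, here is an added example (not NEST’s dashboard code) that counts a constructed breach log into the three-month KRI, maps it onto assumed RAG tramlines, and applies the amber/red escalation rule across a principal risk’s indicators. The breach dates, the thresholds, and the function names are all assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample breach records (not real NEST data): the date each
# unauthorised disclosure to a third party was confirmed.
BREACH_LOG = [
    date(2018, 1, 4), date(2018, 2, 11), date(2018, 3, 2),
    date(2018, 3, 20), date(2017, 11, 8),
]

# Assumed RAG tramlines for the KRI "data breaches in the past three months".
# Each band is (inclusive upper bound, rating); None marks the open-ended band.
TRAMLINES = {
    "breaches_3m": [(1, "green"), (3, "amber"), (None, "red")],
}

def count_in_window(events, as_of, days=91):
    """Count events inside the trailing window (about three months) ending at as_of."""
    start = as_of - timedelta(days=days)
    return sum(1 for d in events if start < d <= as_of)

def rag_rating(value, tramlines):
    """Return the first band whose upper bound the KRI value does not exceed."""
    for bound, rating in tramlines:
        if bound is None or value <= bound:
            return rating
    raise ValueError("tramlines must end with an open-ended band")

def response_for(ratings):
    """Escalation rule from the text: the worst rating across the risk's
    indicators decides; amber triggers a review, red an in-depth review."""
    order = {"green": 0, "amber": 1, "red": 2}
    worst = max(ratings.values(), key=order.get)
    if worst == "red":
        return "in-depth review; consider additional mitigation"
    if worst == "amber":
        return "review risk environment; consider whether action is needed"
    return "within appetite; continue monitoring"

def evaluate_principal_risk(indicators, tramlines):
    """Rate every indicator of one principal risk and pick the collective response."""
    ratings = {name: rag_rating(v, tramlines[name]) for name, v in indicators.items()}
    return ratings, response_for(ratings)

if __name__ == "__main__":
    kri = {"breaches_3m": count_in_window(BREACH_LOG, date(2018, 3, 31))}
    print(evaluate_principal_risk(kri, TRAMLINES))
```

Adding the other five to seven indicators of a principal risk is a matter of extending the two dictionaries; the collective response logic stays the same.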
Data and cyber security are such hot topics at the moment, mainly because of the recent cyber-attacks and data breaches. We have a responsibility to our members, over 5 million of them, to look after their data and assets, and we take that seriously. This dashboard approach, with KRIs, helps us do just that. The dashboard is just one aspect of our approach to good governance. We’ve taken other steps, like ensuring that our information security management system, our scheme administrator and our IT managed services provider are all independently certified to the ISO 27001 standard, as another layer of protection.
The first prototype of the dashboard was built in October last year and, following a successful pilot, NEST is now in the process of applying it to each of its principal risks. The dashboards are already helping us to see when things are ‘getting hotter’ and to identify the need to take action.
We believe our newly developed dashboard gives us a more comprehensive, well-rounded way of monitoring our principal risks. We must take risks in order to deliver our strategic priorities, but integral to this is understanding the risks we face and how best to control or mitigate them.
Dan Davis is chief risk officer at NEST, the pension scheme set up by the UK government to support the auto enrolment programme. With 5 million members and counting, Davis is responsible for risk management at one of the largest pension schemes, by membership, in the UK, helping to improve the retirement prospects for millions.