Archive for the ‘Control Cycle’ category

New Year’s ERM Resolution – A Risk Diet Plan

December 31, 2014

Why do you need an aggregate risk limit?

For the same reason that a dieter needs a calorie limit.  There are lots and lots of fad diets out there.  Cottage cheese diets, grapefruit diets, low carb, low fat, liquid.  And they might work, but only if you follow them exactly, with absolutely no deviation.  If you want to make some substitution, many diets do not have any way to help you to adapt.  Calories provide two things that are desperately needed to make a diet work: a common currency for substitutions, and a metric that can be applied to things not contemplated in the design of the diet.

So if you do a calorie counting diet, you can easily substitute one food for another with the same calorie count.  If some new food becomes available, you do not have to wait for the author of the diet book to come up with a new edition and hope that it includes the new food.  All you need to do is find out how many calories the new food has.

The aggregate risk limit serves the exact same role for an insurer.  There may be an economic capital or other comprehensive risk measure as the limit.  That risk measure is the common currency.  That is the simple genius of VaR as a risk metric.  Before the invention of VaR by JP Morgan, the risk limit for each risk was stated in a different currency: premiums for one, PML for another, percentages of total assets for a third.  But the VaR thinking was to look at everything via its distribution of gains and losses, using a single point on that distribution.  That provided the common currency for risk.

The diet analogy is particularly apt, since minimizing weight is no more desirable than minimizing risk.  A good diet is just like a good risk tolerance plan – it contains the right elements for the person or company to reach optimum health.

And the same approach provided the method to consistently deal with any new risk opportunity that comes along.

So once an insurer has the common currency and ability to place new opportunities on the same risk basis as existing activities, then you have something that can work just like calories do for dieters.

So all that is left is to figure out how many calories – or how much risk – should make up the diet.

And just like a diet, your risk management program needs to provide regular updates on whether you keep to the risk limits.


Transparency, Discipline and Alignment

October 27, 2014

Firms that have existed for any length of time are likely to have risk management.  Some of it was there from the start and the rest evolved in response to experiences.  Much of it is very efficient and effective, while some of the risk management is lacking in either efficiency or effectiveness.  But some of the risk management that they might need is either missing or totally ineffective.  It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm.  Risk management happens in the background.  It may be done without thinking.  It may be done by people who do not know why they are doing it.  Some risks of the firm are very tightly controlled while others are not.  But the different treatment is not usually a conscious decision.  The importance of risk management differs greatly in the minds of different people in the firm, and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm.  The proponents of carefully managed risk may be thought of as the business prevention department, and they are commonly found to be at war with the business expansion department.


Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management.  Those advantages are:

  • Transparency
  • Discipline
  • Alignment

ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm.  ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk.  The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.

Transparency is like the math teacher you had in high school who insisted that you show your work.  Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer.  When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing.  Transparency means the same sort of thing with ERM.  It means showing your work.  If you do not like having to slow down and show your work, you will not like ERM.

ERM is based upon setting up formal risk control cycles.  A control cycle is a discipline for assuring that the risk controlling process takes place.  A discipline, in this context, is a repeatable process: if you follow the process consistently, you can expect that the outcomes from that process will be more reliable and consistent.

A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline.  A school team may have a little talent or a lot and some school teams have some discipline as well.  A professional sports team usually has plenty of talent.  Often professional teams also have some discipline.  The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league.  Discipline allows the team to consistently get the best out of their most talented players.  Discipline in ERM means that the firm is more likely to be able to expect to have the risks that they want to have.

ERM is focused on Enterprise Risks.  In RISKVIEWS' mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans, or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance, of returns for risks, and of the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.

To use another sports analogy, picture the football huddle where the quarterback says “ok.  Everyone run their favorite play!”  Without ERM, that is what is happening, at least regarding ERM at some companies.

Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.

Doing ERM is the Control Cycle

January 27, 2014

RISKVIEWS has commented many times that Risk MANAGEMENT is not a spectator sport.  It is all about DOING.

If Risk Management never results in the firm DOING something different than what would have been done before Risk Management  – then STOP IMMEDIATELY.  You are wasting your time and money.

The DOING part of Risk Management is not particularly tricky or difficult.  Doing ERM is accomplished with a Control Cycle.

In fact Doing ERM is accomplished with one control cycle for each major risk and one control cycle over all risks in total.

WillisWire has recently featured a piece on risk limits and the risk control cycle that would apply to each major risk, which is from the 14-part ERM Practices for Insurance Company ORSA series.  The other pieces in that series so far are:

RISKVIEWS has often posted about Control Cycles as well.  Here are two examples:

  • Controlling with a Cycle, about the control cycles for each risk, and
  • ERM Control Cycle, about the overall ERM control of total risk

Reviewing a Risk Control Framework

October 29, 2013

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk, that is risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisation's armoury that can be used to ensure that the organisation achieves its strategic goals with regard to an accepted and monitored level of risk.

There needs to be commitment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required, as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization's vision is all about what is possible, all about potential, and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger picture view of what's going on and that the risk control framework needs to be informed by this. I really want to get across that the risk management needs to be aligned to what the organisation is trying to achieve.>

The RCF can act as a focus and ensure that:

  • There are no gaps and that there is appropriate accountability
  • The organisation's objectives are aligned with the RCF
  • The reporting mechanisms and management system are embedded – this could be a driver of culture
  • Uniform risk criteria and evaluation metrics are created – those accountable know how they are going to be measured

Much risk is derived from a company's culture (think of investment banking culture, Enron, etc.), and the ease of implementing the key stages will also depend on culture. For example, a risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF), the following internal factors (using the McKinsey 7-S framework) should be considered:-

Hard factors (tangible)

Systems

  • Are there systems in place that can assist in risk identification and monitoring?
  • Can an IT solution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RI's)?
  • What are the legal minimums with respect to certain risks, how is compliance measured?
  • Is there information already gathered?

Strategy

  • Does strategic planning consider risk management, is it open to this, can risk management contribute?
  • Does risk management have board level support?
  • What is the organisation's risk appetite?
  • What is the organisation's risk tolerance?

Structure

  • Is the risk management function senior enough to have an influence?
  • Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross function risks?
  • Is there a forum for considering emergent risks?
  • Are there regional or location specific risks to consider, how integrated is the whole approach?

Soft factors (intangible)

Style

  • The way management goes about solving problems (listening or dominant); there are ways to measure this
  • Passive vs active management
  • Business goal driven or risk averse
  • Who makes the key decisions – who is involved – is this structured?  Does risk management get a seat?

Staff

  • The collective presence of the people; different styles will appeal to certain types: gung ho vs risk averse
  • How actively is the framework managed, from active "positive assurance" to passive "nothing has come my way"?
  • Are staff time poor, are there dedicated risk staff in business units?
  • Is risk perceived as compliance rather than business driven?

Skills

  • Adaptable, thoughtful, processing?
  • Is there sufficient understanding of what is risky and what is unknown?
  • Are the risks able to be measured?
  • Are there enough skilful communicators to ensure that messages sent are received in the same context internally?

Shared Values

  • Is there infighting between departments, with risk management seen as an inhibitor rather than strategic?
  • Is the company's strategic vision embedded in the culture, and is each department headed in the same direction?
  • Are interdepartmental meetings happening, or is there a siloed approach?
  • How are decisions made, centralised vs local, is this effective, who has the final say?

The above can act as a litmus test to assess the receptiveness or otherwise of the organisation to risk management in general; an important part is the links between the factors. For risk management to be effective it needs to be part of "the way things are done around here", i.e. the company's culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework (RCF):-

  • Risk identification
  • Risk monitoring
  • Policies and limits
  • Risk Treatment
  • Limit Compliance
  • Feedback


It can often be difficult to measure the effectiveness of controls, as the events that the controls are in place to prevent never happen. This lack of events could mean an effective control well implemented, or an unnecessary control (similar to the old anti-elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

Ad Hoc Risk Control Framework

  • Risk identification – Not all significant risk exposures have been identified.
  • Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
  • Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
  • Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

  • Risk identification – Significant risk exposures are believed to have been identified.
  • Risk monitoring – Company’s risk monitoring is performed post events, and tends to miss events before they occur.
  • Policies and limits – Risk limits are documented, but they have limited impact prior to an event; that is, they do not have any impact on operational decision making.
  • Risk Treatment – Risk-management activities are not laid out in advance, but are raised to management.
  • Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
  • Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risks exposures and the most significant of those exposures.
  • Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
  • Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advanced Risk Control Framework

  • Risk identification – Company management has performed a process of identifying risk exposures and the most significant of those exposures. This is holistic and done as part of the usual way of doing business.
  • Risk monitoring – Company monitors all significant risks as a matter of course.
  • Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company. These are embedded and part of normal routines; they never get challenged and don’t get in the way of the business.
  • Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
  • Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are almost never challenged.
  • Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

ERM Control Cycle

April 20, 2013

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next come the steps of setting Considerations and Underwriting the risks.  These steps are sometimes operated together and sometimes separately, usually depending upon the degree to which the risks are small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurers, policyholders, stockholders, bondholders, management, employees and communities to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that the choice of which principles to emphasize are tightly linked with their view of the risk environment.

This is a part of the discussion of the seven ERM Principles for Insurers

Controlling with a Cycle

April 3, 2013


No, not that kind of cycle… This kind:

This is a Risk Control Cycle.  It includes Thinking/Observing steps and Action Steps.  The only reason a sane organization would spend the time on the Assessing, Planning and Monitoring steps is so that they could be more effective with the Risk Taking, Mitigating and Responding steps.

A process capable of limiting losses can be referred to as a complete risk control process, which would usually include the following:

  • Identification of risks—with a process that seeks to find all risks inherent in an insurance product, investment instrument, or other situation, rather than simply automatically targeting “the usual suspects.”
  • Assess Risks – This is both the beginning and the end of the cycle.  As the end, this step is looking back and determining whether your judgment about the risk and your ability to select and manage risks is as good as you thought that it would be.  As the beginning, you look forward to form a new opinion about the prospects for risk and rewards for the next year.  For newly identified risks/opportunities this is the due diligence phase.
  • Plan Risk Taking and Risk Management – Based upon the risk assessment, management will make plans for how much of each risk the organization will plan to accept, and then how much of that risk will be transferred, offset and retained.  These plans will also include the determination of limits.
  • Take Risks – organizations will often have two teams of individuals involved in risk taking.  One set will identify potential opportunities based upon broad guidelines that are either carried over from a prior year or modified by the accepted risk plan.  (Sales) The other set will do a more detailed review of the acceptability of the risk and often the appropriate price for accepting the risk.  (Underwriting)
  • Measuring and monitoring of risk—with metrics that are adapted to the complexity and the characteristics of the risk as well as Regular Reporting of Positions versus Limits/Checkpoints— where the timing needed to be effective depends on the volatility of the risk and the rate at which the insurer changes their risk positions. Insurers may report at a granular level that supports all specific decision making and actions on a regular schedule.
  • Regular risk assessment and dissemination of risk positions and loss experience—with a standard set of risk and loss metrics and distribution of risk position reports, with clear attention from persons with significant standing and authority in the organization.
  • Risk limits and standards—directly linked to objectives. Terminology varies widely, but many insurers have both hard “Limits” that they seek to never exceed and softer “Checkpoints” that are sometimes exceeded. Limits will often be extended to individuals within the organization with escalating authority for individuals higher in the organizational hierarchy.
  • Response – Enforcement of limits and policing of checkpoints—with documented consequences for limit breaches and standard resolution processes for exceeding checkpoints. This covers:
      • Risk management processes such as risk avoidance for risks where the insurer has zero tolerance. These processes will ensure that constant management attention is not needed to assure compliance. However, occasional assessment of compliance is often practiced.
      • Loss control processes to reduce the avoidable excess frequency and severity of claims and to assure that when losses occur, the extent of the losses is contained to the extent possible.
      • Risk transfer processes, which are used when an insurer takes more risk than they wish to retain and where there is a third party who can take the risk at a price that is sensible after accounting for any counterparty risk that is created by the risk transfer process.
      • Risk offset processes, which are used when insurer risks can be offset by taking additional risks that are found to have opposite characteristics. These processes usually entail the potential for basis risk because the offset is not exact at any time or because the degree of offset varies as time passes and conditions change, which is overcome in whole or in part by frequent adjustment to the offsetting positions.
      • Risk diversification, which can be used when risks can be pooled with other risks with relatively low correlation.
      • Risk costing / pricing, which involves maintaining the capability to develop appropriate views of the cost of holding a risk in terms of expected losses and provision for risk. This view will influence the risks that an insurer will take and the provisioning for losses from risks that the insurer has taken (reserves). This applies to all risks but especially to insurance risk management.
      • Coordination of insurance profit/loss analysis with pricing, with loss control (claims), with underwriting (risk selection), risk costing, and reserving, so that all parties within the insurer are aware of the relationship between emerging experience of the risks that the insurer has chosen to retain and the expectations that the insurer held when it chose to write and retain the risks.
  • Assess Risks – and the cycle starts again.

This is one of the seven ERM Principles for Insurers

Risk Limits and Controlling

December 16, 2010

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

  • Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read.  It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms.  Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy.  You are sitting there in an office building deciding what to set as the speed limit for a new transportation system.  That system has newly designed roads and vehicles.  You do not know the tolerances of either the roads or the vehicles.  You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

Toyota Motor Triathlon Race Car 2007
What might make sense in that situation, would be for the person being asked to make the decisions on speed limits to be told what speed that they had been going on the long straight-aways, on the gradual curves, the sharp curves and how long it took to stop the vehicle at various speeds.  In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite.  In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience.  But there are simple exercises that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercise is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past.  For each of those situations, the backwards-looking frequency can be assigned.  This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains or losses that were experienced in general.  That frequency is analogous to the weather.  Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size of gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercise each year of deciding what frequency to assign to the experience of the year’s gains and losses.
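The frequency-and-severity form of a risk limit described in this post, the look-back exercise that assigns a model frequency to past losses, and the aggregate "common currency" limit from the New Year's post above, worked through in Python as an added example (not code from RISKVIEWS or any of the posts). The lognormal loss model, the earnings figure and the loss history are constructed stand-ins; the aggregate check simply adds each risk's loss at the common frequency, which assumes no diversification credit.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from statistics import NormalDist

_STD_NORMAL = NormalDist()


@dataclass(frozen=True)
class RiskLimit:
    """A risk limit stated the way the post demands: a frequency and a severity."""
    frequency: float  # annual exceedance probability, e.g. 0.01 for "once in a hundred years"
    severity: float   # largest loss tolerated at that frequency, e.g. one quarter's earnings

    @property
    def return_period(self) -> float:
        """The same frequency expressed as '1 in N years'."""
        return 1.0 / self.frequency


class LognormalLossModel:
    """Constructed stand-in for 'the current risk model': annual loss = exp(mu + sigma * Z)."""

    def __init__(self, median_loss: float, sigma: float) -> None:
        self.mu = math.log(median_loss)
        self.sigma = sigma

    def loss_at_frequency(self, frequency: float) -> float:
        """Forward look: the loss that is exceeded with the given probability (VaR at 1 - frequency)."""
        z = _STD_NORMAL.inv_cdf(1.0 - frequency)
        return math.exp(self.mu + self.sigma * z)

    def frequency_of_loss(self, loss: float) -> float:
        """Backward look: the exceedance probability the model assigns to an observed loss."""
        z = (math.log(loss) - self.mu) / self.sigma
        return 1.0 - _STD_NORMAL.cdf(z)


def check_limit(model: LognormalLossModel, limit: RiskLimit) -> tuple[bool, float]:
    """Is the model-implied loss at the limit's frequency within the limit's severity?"""
    modelled_loss = model.loss_at_frequency(limit.frequency)
    return modelled_loss <= limit.severity, modelled_loss


def aggregate_check(models: dict[str, LognormalLossModel], limit: RiskLimit) -> tuple[bool, float]:
    """Aggregate limit in the 'calorie' sense: every risk is measured in one currency
    (loss at the common frequency) and the amounts are added, so a risk can be swapped
    for another with the same loss at that frequency without breaching the limit.
    Assumption: plain summation, i.e. no diversification credit, which is conservative."""
    total = sum(m.loss_at_frequency(limit.frequency) for m in models.values())
    return total <= limit.severity, total


def assign_frequencies(model: LognormalLossModel, history: dict[str, float]) -> dict[str, float]:
    """The post's look-back exercise: attach a model frequency to each past year's loss."""
    return {year: model.frequency_of_loss(loss) for year, loss in history.items()}


if __name__ == "__main__":
    quarter_earnings = 35.0                      # constructed figure
    limit = RiskLimit(frequency=0.01, severity=quarter_earnings)
    book = {                                     # constructed risk models on a common frequency basis
        "cat_property": LognormalLossModel(median_loss=10.0, sigma=0.5),
        "credit": LognormalLossModel(median_loss=5.0, sigma=0.3),
    }
    for name, model in book.items():
        ok, loss = check_limit(model, limit)
        print(f"{name}: 1-in-{limit.return_period:.0f} loss {loss:.1f} -> {'within' if ok else 'BREACH'}")
    ok, total = aggregate_check(book, RiskLimit(0.01, 45.0))
    print(f"aggregate: {total:.1f} vs 45.0 -> {'within' if ok else 'BREACH'}")
    history = {"2008": 50.0, "2012": 8.0}        # constructed past annual losses
    for year, freq in assign_frequencies(book["cat_property"], history).items():
        print(f"{year}: loss {history[year]:.0f} was a 1-in-{1 / freq:.0f}-year event under the model")
```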
