Dunn says AMP's next steps are to get line managers reporting their risk budget. "We're moving to a point where in addition to having a budget for profit and a budget for capital and within that a more detailed budget for revenue and costs, they will then have a risk budget," he says.
"When they submit their business plans they will be setting out what their tolerance for risk is in their part of the organisation and what risk budget they're working to. Then you are getting an iterative budget process of top down, bottom up."
Less is more
More smaller companies outside the finance sector are trying to quantify their acceptable level of risk, Richard Gossage, PwC head of risk & control solutions, says.
"At the executive level, what you're seeing is a greater need to articulate risk appetite [with] a higher degree of quantification at a lower level of granularity," he says.
One organisation his group is working with, which has a high need for system reliability, has determined an acceptable failure rate for its processes.
"[Once it's set that,] it's then a question of asking how it calculates the number of transactions that would fall outside that, how it works through its remediation of those, then how much does it spend on achieving a throughput level to achieve the desired customer aim or an operational aim?"
In addition, he says, many companies that would have "pretty good risk profile documents" are now trying to put them into practice. "They ask how they should train their people in the call centre," he says. "It's how to convert it from risk-speak and put it into operation."