RISK PLAN, THE RISK BUDGET, AND THE RISK MONITORING PROCESS The Risk Plan The following discussion of what constitutes a risk plan may at first blush seem highly theoretical. But upon closer review, the reader will see that sound financial planning standards already incorporate many of the elements that are discussed. We expect many of the ideas referred to here already exist within the body of a comprehensive strategic planning document. For example, most strategic plans include a strengths, weaknesses, opportunities, and threats (SWOT) section in which major risks to the organization are discussed. By introducing the concept of a separate risk plan, however, we are proposing an even greater degree of formality for discussion of risk themes and issues. We believe that the risk plan should be incorporated as a separate section of the organization's strategic planning document. As such, it should receive all of the vetting and discussion that any other part of the planning document would receive. When in final form, its main themes should be capable of being articulated to analysts, auditors, boards, actuaries, management teams, suppliers of capital, and other interested constituencies. The risk plan should include five guideposts: 1.    The risk plan should set expected return and volatility (e.g., VaR and tracking error) goals for the relevant time period and establish mileposts which would let oversight bodies recognize points of success or failure. The risk plan should use scenario analysis to explore those kinds of factors that could cause the business plan to fail (e.g., identify unaffordable loss scenarios) and strategic responses in the event these factors actually occur. The risk plan helps ensure that responses to events-be they probable or improbable-are planned and not driven by emotion. Difficult business climates have happened before and they will happen again. The planning process should explore the many "paths to the long term" and prepare the organization, and its owners and managers, for the bumps3 along the way. If any of these bumps are material, concrete contingency plans should be developed and approved by the organization's owners and managers.4 2.    The risk plan should define points of success or failure. Examples are acceptable levels of return on equity (ROE) or returns on risk capital (RORC). For the purposes of the planning document, risk capital might be defined using Value at Risk (VaR) methods. Since organizations typically report and budget results over various time horizons (monthly, quarterly, annually), separate VaR measures for each time interval should be explored. The VaR (or risk capital) 3In statistical terms, a "bump" might be defined as a three or greater standard deviation event in a relatively short period of time. 4Note that scenario analysis can be explored qualitatively as well as quantitatively. In fact, many extreme events lend themselves more to qualitative analysis than quantitative methods.