Risk Appetite is such a simple concept that everyone thinks they know it but invariably misunderstands it. COSO and other regulatory requirements for boards to issue a Risk Appetite Statement have led to a belief that a business has an overarching level of risk tolerance. Personally I don’t believe these Risk Appetite Statements add any value, but regulators are regulators.
This week I thought I’d share the contents of a talk I prepared earlier this year on this subject. Although a well overdone topic, I believe it still to be a major issue.
First things first – some definitions:
- Risk culture: Behaviour of individuals within an organization in which they identify, understand, discuss and act on the risk the organization confronts and takes.
- Risk appetite: Total exposed amount that an organization is prepared to undertake on the basis of risk-return trade-offs for expected outcomes.
- Risk tolerance: Amount of uncertainty an organization is prepared to accept within any particular circumstance.
Such definitions are in terms of default probability or capital coverage to extreme events, whereas other nonfinancial industries may have more simplified definitions in terms of loss of market share, earnings or share price.
Indexes such as Enterprise Shock Resistance (ESR) to report on aggregated risk may look good in historical reporting but are not helpful in day to day decision making. So let me quickly look at some of my key principles relating to Risk Appetite.
Why is it so hard to integrate risk appetite throughout the organisation?
- Fact 1 – You don’t have one Risk Appetite
- Fact 2 – Has to match Operational Culture
- Fact 3 – Risk Appetite NOT Risk Anorexia
- Fact 4 – Appetite depends on awareness
- Fact 5 – Risk Appetite = Opportunity
Fact 1 – You don’t have one Risk Appetite
I have covered this previously (/blog/bid/398561/Axe-archaic-attitudes-on-Risk-Appetite) so I won’t rehash again other than to reiterate that Risk Appetite:
- Varies by Dept
- Varies by Risk Type
- Varies by Market
- Varies by Time
- Varies by Seniority
This is the first reason for the difficulty in integrating the concept within the organisation. Tackling from this premise supports the next principle below.
Fact 2 – Has to match Operational Culture
- Not enough: staff will ignore the system or leave
- Too much: a “rogue trader” culture will develop
- Need to understand and match
- Needs to match Market perception
Risk Appetite must be supported by the organisational capability; in simple terms, the organisation must be able to provide what it sells. Setting targets that you don’t have the capacity to achieve is obviously bad management. So it is with Risk Appetite. If your Risk Culture doesn’t have the capacity to achieve your Risk Appetite, you need to invest in upgrading that capacity. Overproduction tends to result in loss of quality and care, which in turn will bite you in the butt. As with production, the desired risk appetite must match the risk culture’s capability to implement it. And as with production, if it doesn’t, it’s yours to change.
Risk Appetite is a reputational resource. Too much and financiers & investors will desert you; too little and you will lose market influence. In fact, leaning toward the higher side gives you market leadership, with all its rewards.
Fact 3 – Risk Appetite NOT Risk Anorexia
- Beware the Risk Averse Manager
- Elite sportsmen have body masses greater than average
- Avoidance of acceptable risks and underperformance
This is the worst misconception on Risk Appetite and can cause irreparable damage to some organisations. Risk Appetite is NOT about avoiding risk; it’s about having a healthy attitude towards it. Beware the Risk Averse Manager: naysayers can always point to why things can’t work and how it is someone else’s fault it didn’t. Risk, like diet, needs to be balanced to be healthy. For sports people to be successful at an elite level they need to consume more than the average person. So it is with business. Avoidance of acceptable risks and underperformance is as dangerous as the “rogue trader”. In these volatile times both will kill your business.
Fact 4 – Appetite depends on awareness
- Ignorance = fear
- Risk-return trade-offs
- We accept flying
- The secret is EDUCATION
If the overall framework cannot be disaggregated in a way that individual business units can readily assess whether decisions are in line with the framework, then this can also pose implementation issues. The secret is EDUCATION. People do not have an innate sense of what is acceptable in a complex and fluid environment.
Fact 5 – Risk Appetite = Opportunity
- Perceived Risk Appetite trails Actual
- Business development requires taking risks
In a KPMG research report on operational management, they found regularly that parties assessed their own risk appetite to be more risk averse than they have been in practice, once compared to historical events. This means that the risk appetite they profess is far more conservative than the risk profile that the organisation runs by, often successfully.
Any form of business improvement or development strategy will involve doing something different from your competitors, and therefore taking a risk. Doing it better, faster or cheaper exposes risks of cost overruns, incorrect market targeting, and reduction in quality. Not taking those risks, in today’s agile business environment, is a sure path to business failure.
Take away – Increase your Risk Appetite
- Appetite = Risk
- Risk = Objectives
- Appetite = Objectives
- Increase Appetite = Increase Objectives
So if you don’t accept your current Risk Appetites to be correct, how do you ascertain what they should be? As with most management systems, you need a Framework and it has to start with Context. As we are talking Risk, your context has to be centred around your Strategic and Corporate Objectives. These you should already have quantified from your ERM.
To establish the Risk Appetite Context:
- Establish a Risk Appetite Framework (RAF)
- Categorise by Strategic & Corporate Objectives
- Quantify Risk (use Scenarios)
- Understand Intent
- Risk Appetite = commitment
The obvious first step is to place Risk Limits around your objectives but before you do you really have to come to grips with their intent. This is where most implementations of Risk Appetite fall down. The true purpose of Risk Appetite is to gain the commitment needed to ACHIEVE those goals. Remember, people who don’t make mistakes don’t make anything.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.