Securities & Corporate Governance Group

SCGG Articles

Determining Risk Appetite

June 19, 2013 Enterprise Risk Management
feature

As an organization determines its core strategic goals and steps to achieve those goals, it must also identify the risks involved and determine whether they are worth it. Risk appetite analysis is the “yin” to strategic planning’s “yang” and, accordingly, permeates every step of the strategic planning process.

This is the first of a five‑part series that examines foundational risk management issues through a practical lens. Click here to read part two, The Link between Risk Management and Compliance, and click here to read part three, Time to Dust Off Your Risk Register – Steps to ERM Implementation

I was reading an article in Mental Floss Magazine about Bryan Fry, a man bitten by venomous snakes over 26 times. Why does he continue to risk his life? As a zoologist at the University of Queensland, Australia, his goal is to study the chemical attributes of venomous animals (including their effect on victims) in order to uncover their potential medicinal uses (which, to date, have included viper-derived treatments for high blood pressure).

Bryan Fry has a high risk appetite. He takes on a large amount of risk in pursuit of what he believes is a very valuable goal. Similarly, an organization can have a high risk appetite. For instance, if a company anticipates that its principal product will be overshadowed by a competitor’s new technology, it can decide that it must stay relevant and pour significant resources into developing a new, technologically competitive product. If the play is not successful, the company may fail. However, it might perceive that it is in a “do or die” situation. Conversely, another company with a lower risk appetite might focus on stable growth of its existing products with balanced R&D. It is less likely to take on significant risk and will settle for modest returns.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk appetite as the “amount of risk, on a broad level, an entity is willing to accept in pursuit of value.”

From these examples, you can see that as an organization determines its core strategic goals (strategic planning) and steps to achieve those goals (strategic execution), it must also identify the risks involved and determine whether they are worth it (strategic boundaries). Risk analysis is the “yin” to strategic planning’s “yang.” Accordingly, risk appetite analysis permeates every step of the strategic planning process. The challenge is to inject proactive risk thinking into strategic planning in a seamless, noninvasive way.

Although each company’s strategic planning process is distinct, in all cases management and the Board must together set strategy and make resource allocation decisions. Inserting risk appetite analysis into the process begins with a dialogue to identify the company’s overall risk appetite in the context of its big picture strategy. Note that the exercise is not to create the company’s risk appetite (since all organizations already have one), but rather, for management and the Board to reach a consensus about what it is and how it impacts and guides the company’s core strategic goals.

A good starting point for the risk appetite dialogue is a discussion of recent material developments and reactions to them, which allows the Board and management to identify risks that are integral to the business and those that have been historically avoided. Whether the dialogue is in the form of group facilitated discussions or one-on-one interviews depends on the culture of the company. What is important is that management and the Board emerge from the exercise with an understanding of the company’s risk appetite — the organization’s roadmap for what risks are acceptable and at what magnitude.

What is a risk appetite statement? It is a statement that clearly articulates to an organization the acceptable limits within which a key objective may be pursued. There is no, nor should there be a, simple, one-size-fits-all approach to crafting such a statement. Depending on the organization, its business, culture, objectives and tolerance for risk, some statements are several sentences long and some are a short phrase; some are quantitative and some are qualitative. The key is that the statement be simple enough to be absorbed by the entire organization, but substantive enough so that everyone, at all levels, may use it as a guidepost for defining appropriate risk taking.

Although there are several possible approaches to drafting a risk appetite statement, Protiviti’s straightforward approach is a good place to start. They suggest that the statement include three elements:

  •     Articulated risks that are on-strategy (acceptable).
  •     Articulated risks that are off-strategy (undesirable).
  •     Defined parameters serving as a framework within which risks are undertaken.

Each element may include multiple assertions. However, the entire risk appetite statement, meaning all three elements and the assertions within them, considered as a whole must provide a snap-shot of the organization’s overall risk appetite for the core strategy.

The assertions made in each element, in turn, drive important strategic thought. For on-strategy risks, you will establish risk tolerances to manage accepted risk. For off-strategy risks, you will craft policy prohibitions or restrictions to avoid or mitigate the risks. In creating and revisiting parameters, you will empower the necessary risk dialogue that helps guide your strategic planning.

As an example following the Protiviti model, a car company looking to drive growth in new markets (core strategy) might include the following assertions for the on-strategy risk element:

  • “Aggressively target developing markets (the BRIC countries, principally China) through joint ventures and other growth opportunities.”
  • “Continue to focus on cost reduction and productivity improvement initiatives that can be adapted to integration activities.”

A related off-strategy risk assertion might be:
“Avoid any situation that threatens the company’s reputation for safety and, if such situation arises, manage it proactively and aggressively.”

And finally, examples of appropriate parameters may include:

  • A cap or floor figure for a key safety indicator to reconcile the market expansion and cost and productivity assertions in the “on-strategy” element with the safety assertion in the “off-strategy” element.
  • A limitation on investment amounts to ensure that the aggressive market expansion does not adversely affect necessary free cash flow.

Again, it is critical that all of the assertions in the boxes above be communicated together and looked at as a whole. If not, each separate assertion will read like an objective of the organization, rather than a complete statement of the organization’s risk thinking from a bird’s eye view.

Finally, what is the use of having a risk appetite statement if it is not communicated across the organization and utilized in day-to-day decision making? So often organizations fail to effectively make enterprise-wide communications of their strategic planning efforts — leaving them with just a few useless pieces of paper. Both strategy and risk appetite must be communicated through an initial launch and through continuous, periodic communications both organization-wide and amongst separate business units, departments and functions. It is also necessary for business leaders within the organization to encourage their people to consider strategic goals and risk appetite together in light of their individual and group functions and performance goals. Being mindful of integrating risk thinking into pre-existing communication methods (whether they are publications, e-mails, organizational meetings or training sessions) is the quickest path to success.

“A ship is safe in harbor, but that’s not what ships are for.”

― William G.T. Shedd.

Risk is not inherently bad, but ignoring risk can be disastrous. Those who set goals without considering the associated risks often bite off more than they can chew. Organizations, like individuals, must act as a unit when working towards their goals, in part by understanding the appropriate level of related risk. An enterprise-wide understanding of risk appetite is, therefore, an essential aspect of setting strategy and achieving objectives.

 

Share This Article FacebookTwitterLinkedInGoogle+PinterestEmail