Risk appetite, when properly understood and articulated, can be a powerful tool for managing risk and enhancing overall business performance by better aligning decision-making and risk. This paper, published by KPMG, explains that risk appetite is the amount of risk an organization is willing to take on or is prepared to accept in pursuing its strategic objectives. Risk appetites vary across organizations and across business units and risk types within organizations. A well-articulated risk appetite provides a cornerstone for an organization’s risk management framework and often incorporates a mix of quantitative and qualitative measures. Commonly used measures in risk appetite statements examined were: earnings volatility (80%), economic capital requirements (60%), reputation (60%), external credit or debt ratings (40%), and regulatory standing (40%).
The following are characteristics of a well-defined risk appetite:
- Reflective of strategy
- Reflective of all key aspects of the business
- Acknowledges a willingness and capacity to take on risk
- Documented as a formal risk appetite statement
- Considers what is needed to manage and monitor risk exposures
- Inclusive of a tolerance for reasonably quantifiable loss or negative events
- Periodically reviewed taking into account evolving industry and market conditions
- Approved by the board
Current Marketplace Observations
Most organizations have not yet formalized risk appetites and so are unable to realize the benefits, one of which is providing a link to achieving strategy. Only 25% of risk executives indicated their organizations have a formal risk appetite statement, and the majority of those were prepared in response to regulatory expectations. While risk appetite may be defined in pockets across an organization, those definitions may not be aligned and consistent.
Developing Risk Appetite
A structured approach to developing an effective risk appetite statement can help an organization gain a better understanding of its strategic goals, culture, marketplace, regulatory requirements, and financial sensitivity to risk.
First, organizational strategic objectives should be identified. This is often accomplished by understanding the drivers of objectives, both short and long-term. Risk appetite should be revisited as organizational strategy changes to ensure it supports achieving current objectives.
Next, align the risk profile to business and capital management plans by identifying risks that could prevent the organization from achieving its strategic objectives. Measure the aggregate risk profile and level of unexpected losses the organization is willing to accept and understand the current risk taking capacity of the organization. The organization’s risk appetite will determine the capital buffer required between the risk taking capacity and the aggregate risk profile of the organization. Finally, identify any zero tolerance risk exposures.
Third, determine risk thresholds. Identify tolerance ranges for specific risks, allowing high-level risk appetite to be communicated into actionable measures. Risk thresholds also help ensure reporting and monitoring processes can be implemented to effectively manage these risks.
The last step of the process is to formalize and ratify a risk appetite statement. This statement should be approved by the board and then communicated throughout the organization.
Linking Risk Appetite to Performance Monitoring and Reporting
To be effective, risk appetite needs to be linked to performance monitoring and reporting. Risk appetite should be integrated into the enterprise-wide decision making process at all levels, so there are policies and procedures, escalations and delegations of authority, and appropriate mitigation strategies if tolerance levels are exceeded. Risk appetite also sets the tone for the risk culture of the organization and its integration into the performance management framework ensures consistent application.
Business Benefits of a Defined Risk Appetite
Risk appetite provides the foundation for an effective risk management system and can generate many business benefits. Understanding risk appetite improves the board and management’s ability to link business decisions to business strategy. Effectively communicating risk appetite throughout the organization encourages consistent behaviors. Communicating the risk appetite externally promotes transparency and accountability. Understanding risk appetite can increase an organization’s capacity to take on risk through efficient allocation of risk management resources. Reporting frameworks will be more sensitive to risk tolerance levels allowing for more meaningful early warning indicators and risk limits. Finally, organizations will benefit from the value of actually putting together a risk appetite statement.
Click below to read full article.
Subscribe to ERM Insights
The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.