What is Risk Appetite?
Before the board can determine if management’s risk-taking behavior is appropriate, it has to have some sense of the stakeholders’ overall appetite for risk taking. The concept of a risk appetite is fairly new and can be a bit confusing. A recent thought paper by PricewaterhouseCoopers (PwC) attempts to explain risk appetite in plain English. PwC defines risk appetite as “the amount of risk an organization is willing to accept in pursuit of strategic objectives”.
Benefits of Articulating Risk Appetite
How will an organization benefit from a well-developed risk appetite statement and process? A well-developed risk appetite statement and process can:
- Help a company better manage and understand its risk exposure
- Help management make informed risk-based decisions
- Help management allocate resources and understand risk/benefit trade-offs
- Help improve transparency for investors, stakeholders, regulators and credit rating agencies.
Risk appetites are unique to each and every organization because they are based on specific strategies and attributes that influence organizational behaviors. A risk appetite statement should communicate the following:
- Corporate Values: What risks is the organization unwilling to take and what risks should be avoided?
- Strategy: What risks are inherent to the strategy?
- Stakeholders: How much and what kind of risk can they take on?
- Capacity: How much risk can the organization absorb?
Developing a Risk Appetite
The board of directors is not the initial creator of a risk appetite statement. It is ultimately management’s responsibility. The directors approve and confirm whether the appetite is in line with the organization’s strategy and stakeholders’ perspectives of the company. Management must first understand the company’s strategy, goals, risk-taking experience, risk culture and its stakeholders’ perspectives. Once management has an understanding of the corporate values and risk-taking culture, it can begin the risk appetite process. In developing a risk appetite, management must analyze the following:
- Risk profile: What are the top risks of the organization and the controls to mitigate those risks?
- Risk capacity: How much risk can the organization absorb?
- Qualitative risk assessment: What is the ranking and categorization of the company’s risk, taking into account controls and risk/reward relationships?
- Quantitative risk analysis: What types of analysis establish boundaries within which management can operate? For example, there could be a limit on the amount of debt issued to one company or the organization may decide to grant credit to organizations with a certain credit rating.
After analysis of the above, management should be able to articulate the company’s risk appetite in writing. The statement should guide company behavior and strategic decision-making. It should start at a high level of the company and flow down to all levels. In addition to the overarching risk appetite statement, there should be more granular tolerance levels. These risk tolerance boundaries are used for specific risks and help lower-level managers seize opportunities and avoid unnecessary risks. And finally, formal training should be conducted so that decision-makers fully understand the company’s risk appetite.
Board’s Role In Risk Appetite
The board is primarily responsible for overseeing the initial risk appetite development process and for monitoring the organization to determine whether any changes should be made to the risk appetite. Boards can monitor risk appetite by having management report to the board when a risk tolerance level has been exceeded. The board should then determine whether the risk tolerance was too low and needs to be changed (this could be because of changes in the business environment, a new strategic initiative, or because it was too low to begin with). The board should also determine whether the risk tolerance levels are not being attained. This could be because managers aren’t taking enough risk to maximize shareholder value. To conclude, the board should determine the following about the organization:
- Is there a risk assessment process, and are the risks identified in line with the organization’s strategy?
- Are this profile and assessment being updated frequently?
- Does the company have the capacity to deal with the risks identified today and the risks that are likely to impact future strategic initiatives?
- Are the organization’s risk appetite and tolerance levels being continually evaluated for accuracy and relevancy?
- Are changes being communicated to the organization and key stakeholders?