The concept of risk appetite has been around for years, yet many risk practitioners still find themselves confused and unsure how to quantify, formalise and document it. Well, the short answer is you don’t need to. There is a better way, writes Alex Sidorenko, chief executive of Risk Academy
But first, disclaimers.
The following article only applies to non-financial companies. In banks, risk appetite may still work fine. People who do know tell me it doesn’t, but I haven’t verified this myself.
Whenever I say something is nonsense, I offer an alternative that works much better. You just have to be patient and finish reading the article.
Risk appetite is a perfect example of how risk consultants take something that existed forever, used to be a powerful decision-making tool, and then Frankenstein it into something that literally no one except the Audit Committee and some Board members will ever care about.
Why? Because most organizations have already documented their appetites for different common decisions or business activities. Segregation of duties, financing and deal limits, vendor selection criteria, investment criteria, zero tolerance to fraud or safety risks are all examples of how organizations set risk appetite. Appetites for different kinds of risks have been around for decades. Not for all risks, but for most of them.
So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern-day risk consultants or external auditors tell us, I believe that any attempt to aggregate risks into a single risk appetite statement in non-financial companies is both unnecessary and unrealistic. Even having a few separate risk appetite statements totally misses the point.
After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions.
Instead of creating separate new risk appetite statements, risk managers should start by reviewing existing Board level policies and procedures to identify:
- Significant business decisions that already have a certain risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organizations that utilize child labor or fall under economic sanctions. Or it may have a documented requirement not to invest in high-risk projects above a certain limit (my old company, for example, would not finance high-risk ventures through debt, only through equity with some oversight control). Or the company may have a finance policy not to keep more than 20% of cash in a single bank. Or the company may have a policy not to give additional trade credit to bad debtors. And many, many more examples. In cases where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. Let me make this very clear: 80% of the time the appetites for different business decisions have already been set, and all the risk manager has to do is validate, monitor and report any unusual activity.
- For the risks where no appetite has been previously set by any of the existing policies or procedures, the risk manager should work with the business owners to develop risk limits and incorporate them into existing policies and procedures. Risk limits can be divided into three groups: “zero tolerance”, acceptable within quantitative limits or acceptable within qualitative limits. This is the other 20%. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable. Documented inside existing Board level policies, not in separate risk appetite statements… obviously.
Want more examples? Can’t quite imagine what risk appetite should look like? No problem. This is what a typical non-financial company should have:
At the Board level
A Board level policy outlining acceptable or unacceptable actions/behaviour for any risk or activity where having such a policy is required by law or a regulator (health and safety, anti-money laundering, corruption, environment).
Delegation limits, deal or transaction approvals and segregation of authority documented within a finance or investment policy or other Board level document.
Existing Board level policies have a notion of high-, medium- and low-risk activities. Usually, the policy will have different boundaries for different risk levels. This may include:
- different risk levels for vendors (higher risk vendors require more attention)
- different risk levels for investment projects (higher risk projects have higher return expectations and more stringent monitoring rules)
- no more than 20% of capital can be invested in high-risk ventures
- an overall statement in a policy or guideline: “Generate a reasonable rate of return at a moderate level of risk (expected volatility 10-20%) through a diversified portfolio of projects.”
It is then up to the risk manager to come up with the methodologies for calculating risk levels or what counts as a moderate level of risk (expected volatility 10-20%). If done properly, there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk. This is a great opportunity for the risk manager to help decision makers take on more of the good risk.
At the Executive level
- Performance targets are set not as single values but as ranges, where performance outside the range is escalated to the oversight body.
- Key decision criteria are calculated based on the risk levels; for example, NPV and IRR for an investment project are calculated depending on the risk level (usually replacing a flat WACC with a variable discount rate based on risk, or running a Monte Carlo simulation to calculate an NPV range).
- Some significant management assumptions and risks are constantly or periodically monitored through manual or automated indicators.
- Risks are calculated for key decisions to see that they are within management authority or need to be escalated to the oversight body.
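As an added worked example, not from the article or from Risk Academy, here is the Executive-level mechanics above in Python, together with the Board-level "no more than 20% of capital in high-risk ventures" limit: a flat WACC is replaced by a risk-based discount rate, a seeded Monte Carlo run gives an NPV range, a performance target is treated as a range with escalation outside it, and a portfolio's high-risk share is checked. The risk premiums per level, the escalation rule (outlay above delegated authority, or a negative 10th-percentile NPV) and every number are assumptions constructed for illustration, not figures from the article.

```python
"""Added example (not from the article): risk-adjusted NPV, a Monte Carlo NPV
range and range-based limits of the kind the article says already live in
existing policies. Every number below is constructed for illustration."""
import random

# Assumed risk premiums added to the base discount rate for each risk level.
# The article leaves this methodology to the risk manager; these are placeholders.
RISK_PREMIUM = {"low": 0.00, "medium": 0.03, "high": 0.08}


def npv(cash_flows, rate):
    """Net present value; cash_flows[0] is the year-0 outlay, normally negative."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def risk_adjusted_rate(base_rate, risk_level):
    """Replace a flat WACC with a discount rate that depends on the project's risk level."""
    return base_rate + RISK_PREMIUM[risk_level]


def monte_carlo_npv(cash_flows, rate, volatility, runs=5000, seed=1):
    """Simulate NPVs by scaling each future cash flow with a normal multiplier
    (mean 1, standard deviation = volatility). The seed makes runs repeatable."""
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        scaled = [cash_flows[0]] + [cf * rng.gauss(1.0, volatility) for cf in cash_flows[1:]]
        results.append(npv(scaled, rate))
    results.sort()
    return results


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (0 <= p <= 1)."""
    idx = round(p * (len(sorted_values) - 1))
    return sorted_values[idx]


def target_status(actual, low, high):
    """Performance target expressed as a range; anything outside it is escalated."""
    return "within range" if low <= actual <= high else "escalate"


def high_risk_share(portfolio):
    """Share of total capital committed to projects tagged 'high' risk,
    to compare against a documented cap such as 20%."""
    total = sum(p["capital"] for p in portfolio)
    high = sum(p["capital"] for p in portfolio if p["risk_level"] == "high")
    return high / total if total else 0.0


def decision_check(cash_flows, base_rate, risk_level, volatility, authority_limit):
    """Decide whether a project sits within management authority or must be escalated.
    Escalation rule (assumed): outlay above the delegated limit, or a negative
    10th-percentile NPV, i.e. a downside the policy does not accept."""
    rate = risk_adjusted_rate(base_rate, risk_level)
    sims = monte_carlo_npv(cash_flows, rate, volatility)
    p10, p50, p90 = (percentile(sims, q) for q in (0.10, 0.50, 0.90))
    outlay = -cash_flows[0]
    return {
        "discount_rate": rate,
        "npv_base": npv(cash_flows, rate),
        "npv_p10": p10, "npv_p50": p50, "npv_p90": p90,
        "escalate": outlay > authority_limit or p10 < 0,
    }


if __name__ == "__main__":
    # Constructed project: 100 outlay, then 55, 55 and 30, medium risk, 15% volatility.
    result = decision_check([-100, 55, 55, 30], 0.10, "medium", 0.15, authority_limit=150)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("Performance target:", target_status(12, 10, 15))
    print("High-risk share:", high_risk_share([
        {"name": "A", "capital": 50, "risk_level": "high"},
        {"name": "B", "capital": 150, "risk_level": "low"},
    ]))
```

The point of keeping `npv`, the rate adjustment and the escalation rule as separate small functions is that each maps to something already written in a policy (the delegated limit, the risk-level boundaries, the volatility band), so the risk manager validates and monitors those rather than writing a new appetite statement.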
That’s it. Nothing else.
No risk appetite statements, no risk-bearing capacity reports or presentations, no new Board-level policies or guidelines, no mention of risk tolerances or limits (even though all examples above are risk tolerances/limits).