We are often asked “how do you define the risk appetite of a business”. If done correctly, risk appetite is an outcome of a well-planned and rigorous risk management analysis approach and not a precursor. It’s the difference between choosing the buffet or the ala-carte menu. While the buffet may tempting, having too many options will likely have you feeling full, for only short period of time. The ala-carte menu however will likely have you feeling satisfied by decisive choices for the right price.
“From our experience approximately 25% of companies haven’t formally articulated their risk appetite, and don’t know how hungry they are.”
How hungry are you?
Has your senior management team or Board recently debated its view of the organisation’s risk appetite? Is is written down?
- Can you describe the appetites of all of your main stakeholder groups?
- At a managerial level, do you know what level of risk you should take?
If you have answered ‘No’ to any of the questions above, chances are it’s time to carefully evaluate your organisations risk appetite and the effect that ‘feast or famine’ may have on your organisation.
Menu for the Boardroom Table
While there are thousands of questions to be asked to determine risk appetite, having a menu of focused and deliberate questions can leave your risk management team with a sense of comfortable confidence and satisfaction.
“Hot & Spicy”
How mature is risk management in the organisation? Have you bench-marked it against ISO 31000 or COSO?
Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
What capacity does the organisation have in terms of its ability to manage risks?
Are there any particular issues of which the Board should be aware?
What are the parameters within which management runs the business and takes risks? Strategic? Financial? Operational?
What specific factors should the risk appetite take into account in terms of the business context?
Does the Board understand and challenge the underlying assumptions and inherent risks with the strategy?
At which levels would it be appropriate for the board to consider risk appetite?
Do you revisit the risk appetite when circumstance change significantly or unforeseen opportunities arise?
Do you believe there are risks considered to be above the organisation’s existing risk appetite that need to be reduced?
What are the main features of the organisations risk culture in terms of tone projected by the executive management team? Governance> Competency? Decision Making?
How much does the organisation spend on risk management each year? How much does it need to spend?
What is the cost versus the benefit of reducing (or adding) risk?
What is our projected financial capacity for risk taking under various best and worst case scenarios?
“Must Have Side Dishes”
Are management’s strategies communicated sufficiently for there to be meaningful discussion of risk appetite in pursuit of those strategies, both at the broad organizational level and at the operational level, and for consistency to be analysed?
Does an understanding of risk permeate the organisation and its culture?
At a managerial level, do you know what level of risk you should take?
Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?
To embed risk appetite effectively in the business requires management to establish limits for each risk type and cascade them to lower levels in the organisation. Establishing a clearer statement of risk appetite has important consequences in terms of management information and performance management requirements. The value of a risk appetite statement is more than just as a set of benchmarks, it is also a means of communication. By bringing together the performance of the corporation and its commercial operations in a single framework, it triggers discussion about the key financial drivers and associated risks.
Consisting of only a few pages that should include a crisp statement with clear tolerance thresholds, and a financial model that supports the analysis of risk-bearing capacity, the statement assists management teams to reach a consensus with respect to their tolerance for variance and acceptable levels of risk taking. Equally important, it helps management and the Board to engage in communication and focus attention on high-level, meaningful targets at the intersection of risk, strategy, and performance.