In the face of the many recent failures of financial institutions, following market and asset crises, and in the context of mounting regulatory demands, including the impending SMR (Senior Managers Regime) which will now apply to asset managers, hedge funds and the Bank of England itself, risk management is a topic high on the executive agenda. In particular, much emphasis has been placed on risk appetite and the role it has to play in an enterprise risk management approach, as part of an overall strategy execution process.
But what is Risk appetite?
First and foremost, risk appetite is a necessary dimension of an organisation’s policy that sets the boundaries within which their executive team, and others within the business, execute strategy and take risk. It is set at board level and it is not something that can or should be delegated, either to the executive team or to the risk team.
What the Standards Say
The Committee of Sponsoring Organisations of the Treadway Commission’s (COSO) Enterprise Risk Management – an Integrated Framework (2004), defines risk appetite as the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. COSO makes two key points related to appetite. Firstly, it states that risk appetite ‘reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style’. Secondly, COSO establishes the link between appetite and strategy, stating explicitly that risk appetite is directly related to an entity’s strategy.
The Risk Management Code of Practice from the British Standards institution (BS31100:2008) defines risk appetite as the amount and type of risk that an organisation is prepared to seek, accept or tolerate. This standard also relates appetite to strategy and governance stating: ‘considering and setting a risk appetite enables an organisation to increase its rewards by optimising risk taking and accepting calculated risks within an appropriate level of authority’.
What We Say
We define risk appetite as the amount and type of risk that an organisation is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders. By adding ‘and must take’, our definition expresses that taking risk is an inherent part of strategy execution and value creation. Risk is not just about avoiding potential losses, but also about taking advantage of opportunities.
Why is Risk Appetite Important?
On multiple occasions, history has demonstrated that companies having a ‘performance-only’ approach to strategy execution are more prone to losses and failures once adverse circumstances emerge. The cascade of bank failures trapped into excessive credit derivatives exposures in 2008, the hard landing of the US economy after a widely identified, yet widely disregarded, asset bubble, the gigantic losses of the insurance sector in the aftermath of the technological bubble burst, the recent struggle of continental banks stuck with excessive exposure to European sovereign debt, billions of rogue trading losses at Société Générale and UBS, the failure of MF Global after a strategy push for proprietary trading and most recently HSBC’s record fine and role in the FIFA scandal; examples pleading for a risk based approach to strategy execution are countless.
A decision at board level on the amount of risk the organisation is capable and is willing to take will translate into a Risk Appetite Statement.
The Necessary Features
A Risk Appetite Statement needs to be defined at the top, in line with the strategy and the value drivers of the business; transparent, unambiguous and cascaded down through all decision levels of the organisation. Rather than asking “are we on track to hit our targets?” board members and executives must ask a different questions: “is the organisation operating within appetite?” This question puts the alignment of risk-taking to strategy at the heart of the strategic conversation and incorporates both the performance and risk dimensions of strategy execution.
As a board level tool, we believe that the definition of risk appetite must be closely coupled with the definition of strategy. Therefore, one of the first steps in the risk appetite definition process is to define a clear set of business drivers related to the organisation’s business model and strategy. Once the board and executive have determined the business drivers, those few key determinants of success, these should then be used to define the organisational risk appetite.
Two key features highlighted by the Senior Supervisors Group in their report on the risk management lessons from the 2008 crisis, included board involvement in setting and monitoring adherence to firms’ risk appetite, and the presence of actionable elements that articulate firms’ intended responses in cases of breaches in limits.
A Risk Appetite Statement is a set of limits within which a company is allowed to operate. Any breach of those limits during the execution of the strategy must be reported to the Board, who will either allow an exception, revise its risk appetite based on due justification, or take appropriate actions to reduce to risk exposure and realign the exposure of the business within its appetite.
With thanks to Risk Management Magazine for publishing a previous version of this piece. Subscribe to their newsletter here.