Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.
Yet like everything else, there is always the other side of the equation. Companies and organizations either grow or face inevitable difficulties in sustaining the business. Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.
In this context, the question of risk appetite often arises. Risk appetite is the mutual understanding between executive management and the Board regarding the drivers of, and parameters around, opportunity-seeking behavior. It is a high-level view of how much risk the organization is willing to take (i.e., the aggregate of the acceptable level of volatility or variance in the company’s operations). Risk appetite may be expressed in terms of the overall enterprise and in terms of each of its major lines of business if their risk profiles are distinctively different.
Every organization has a risk appetite, whether it acknowledges it explicitly or not. Risk appetite manifests itself through an organization’s behavior over time. For example, a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business. The question is whether executive management pursues these growth objectives with full knowledge of the risks involved and whether the anticipated rewards and risks have been vetted with the Board of Directors. The ongoing dialogue between management and the Board is as much about making the best bets in the pursuit of value creation opportunities as it is about avoiding and hedging bets. As a tool for getting ahead of these conversations, the risk appetite dialogue opens up consideration of the full range of risk management options (avoid, accept, reduce, transfer and exploit) in executing the organization’s strategy.
Risk appetite is not the same thing as risk tolerance. The primary distinction between the two is the level of the conversation. Risk appetite relates primarily to the risks inherent in the business model, whereas risk tolerance relates primarily to performance variation around the entity’s objectives. An organization’s risk appetite reflects both its capacity to bear risk and a broader understanding of the level of risk that it can safely assume and successfully manage over a given time frame. Risk appetite is inherent in the organization’s strategy and in the execution of the strategy, in the form of both risks taken and risks avoided. By its nature, the risk appetite discussion is a strategic discussion.
Risk tolerance is a tactical matter. It is defined within the context of the related objective using the metrics in place to measure performance against that objective. Tolerances establish when the range of acceptable volatility or performance variance is exceeded. Once tolerances and the related limit structures are set, the organization must monitor performance measures and early warning systems to ensure performance is managed within those boundaries. In other words, risk tolerances ensure that performance variability is reduced to an acceptable level, whereas risk appetite represents executive management’s “view of the world” that drives strategic choices for the organization.
How can management and the Board of Directors become engaged with respect to risk appetite? With the business model as a context, we suggest companies begin with understanding their historical risk-taking characteristics and frame their risk appetite accordingly. For example, what risks are unacceptable to management and the Board? What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)? Are there certain risks that are typically transferred to other parties through hedging, insurance, a joint venture or some other risk-sharing mechanism? All of these and other elements help frame an entity’s historical risk appetite and provide a baseline for initiating an ongoing risk appetite dialogue.
The following considerations are important when sustaining the risk appetite dialogue:
(1) Acceptable or on-strategy risks that the organization intends to take because the risk taken is sufficiently compensated. These risks are typically foundational to, and inherent in, the organization’s business strategy – for example, investing in developing countries to fuel market growth.
(2) Undesirable or off-strategy risks that should be avoided and for which zero/minimal tolerances should be set. These are risks that often require policy prohibitions (e.g., restrictions on the use of financial derivatives for profit-making purposes and the types of instruments used, and minimum criteria for counter-parties). For risks that an organization chooses to avoid, the company may acknowledge them as part of its risk appetite statement to communicate clearly that such risks are unacceptable.
(3) Parameters within which management runs the business. Parameters provide a framework within which a company’s risks are undertaken. They may impact decision-making during the planning cycle and also during the consideration of strategic priorities and the execution of the business plan. They also drive discussions between executive management and the Board when unforeseen opportunities arise. They may be expressed as targets, ranges, floors or ceilings, and may be strategic, financial or operational in nature. For example, strategic parameters include new products to pursue and to avoid and the investment pool for capital expenditures and M&A activity. Financial parameters include the maximum acceptable level of loss or performance variation, as well as EPS variability, FCF growth/margin, EBIT growth/margin, target debt rating, target debt/equity ratio, EBIT/interest coverage ratio and derivative counter-party criteria. Operating parameters include capacity considerations, R&D investment pool, environmental requirements, safety targets, quality targets and customer concentration limits.
Taken together, the above considerations frame an organization’s risk appetite statement. In this way, the risks the organization is intent on taking are articulated and the parameters within which those risks are assumed become more evident to management and the Board. While not intended to unduly restrict management, the risk appetite statement becomes a benchmark for an ongoing dialogue around the implications of pursuing value creation opportunities as they arise.
While this approach is not the only way to frame a risk appetite statement, it is one that we’ve seen a number of companies apply successfully. It certainly provides an effective start for executive management and the Board.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.