Considering unpredictable markets, myriad uncertainties and unprecedented market opportunities, how should the board and executives engage with respect to the organization’s risk appetite? Protiviti’s Jim DeLoach offers sage wisdom.
In 2017, the National Association of Corporate Directors (NACD) Advisory Council on Risk Oversight released a publication based on input obtained from a meeting with risk and audit committee chairs from Fortune 500 companies.[1] This publication offers useful insights to directors and senior executives alike that are consistent with the Enterprise Risk Management Framework[2] of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), also released that year, and that boards and executives can use to advance their risk appetite dialogue.
The practical advice offered by the NACD advisory council is framed around three major takeaways:
- Align the risk appetite statement with company strategy.
- Use the risk appetite statement to inform critical processes and decisions.
- Continually re-evaluate the risk appetite statement.
Each of these recommendations is discussed below.
The risk appetite dialogue offers executive management and the board of directors an opportunity to get on the same page regarding the drivers of and parameters around opportunity-seeking behavior. Once they reach agreement as to the types and amount of risk the entity is willing to take in creating value, the risk appetite statement serves as a guidepost for subsequent boardroom and C-suite discussions and the entire organization.
The NACD publication is stocked with sage observations from savvy directors who practice what they preach in working with their company’s management. There is no academic conjecture or suppositional expounding of theory anywhere in its 12 pages – just a crisp discussion of how and why risk appetite is used in the boardroom.
Align Risk Appetite with Company Strategy
Risks are inherent in every strategy, whether the organization chooses to express them explicitly or not. When determining the level of acceptable downside risk, directors and management should agree on the most critical risks, whether expressed qualitatively or quantitatively, and evaluate the organization’s tolerance level for each one. The idea is to frame the risk appetite statement as a means to optimize the competitive advantage unique to each company.
The NACD advisory council suggests the use of metrics to set boundaries around the risks the entity is willing to accept. These metrics may be expressed as targets, ranges, floors, ceilings or prohibitions that set parameters within which the company is to operate. For example:
- Strategic parameters consider matters such as new products to pursue or avoid and the investment pool for capital expenditures and M&A activity.
- Financial parameters consider matters such as the maximum acceptable variation in financial performance, risk-adjusted return on capital, target debt rating, target debt/equity ratio, EBIT/interest coverage ratio and derivative counterparty criteria.
- Operating parameters consider matters such as capacity management; sustainability; environmental, social and corporate governance (ESG) requirements; R&D investment pool; safety targets; quality targets; and customer concentrations.
In addition, the advisory council recommended benchmarking against peer groups (e.g., the company’s cybersecurity risk rating compared to the rating of its competitor peer group). Taken together, these considerations help frame the entity’s risk appetite.
Use Risk Appetite to Inform Critical Processes/Decisions
Articulated crisply with both forward-looking and backward-looking metrics, a robust risk appetite statement can be used in the following ways:
- Establish performance targets: Risk appetite statements facilitate setting more balanced performance targets that avoid incentivizing excessive risk-taking behavior. In making risk-appetite assertions, executive management and the board predetermine where the trade-offs are in terms of promoting superior performance versus limiting exposure to unwanted risks.
Pushing these determinations down into the organization drives strategic alignment of processes and people, preventing trade-off decisions from being made in isolation. An effective risk appetite statement offers decision-makers a reasonableness test to avoid bad or risky deals or setting unrealistic performance goals that can lead to corner-cutting.
- Shape corporate culture: When the risk appetite statement is translated into actionable guidance with well-defined thresholds and tolerance levels that are used across the organization to measure and monitor the level of acceptable variation in performance, the risk awareness of the organization’s culture is influenced significantly. For example, an organization with a lower risk appetite may prefer less performance variation compared to an entity with a greater risk appetite.
When risk thresholds and tolerances are embedded into operating processes, employees are positioned to make thoughtful day-to-day, risk-adjusted decisions that are in line with executive management’s and the board’s expectations – particularly in areas that are either high priority for taking on more risk in the pursuit of enterprise value or where there is zero or low tolerance for risk.
- Improve communication, including reporting to executive management and the board: The advisory council agreed that an effective risk appetite statement is an important communication tool for driving alignment with and awareness of the strategy through a better and more transparent risk policy and more focused risk reporting. A robust statement of risk appetite clarifies the acceptable or on-strategy risks the organization intends to take and forces dialogue as to whether the upside rewards of the strategy warrant acceptance of the downside risks.
These risks are typically foundational elements of the business strategy (e.g., invest in developing countries to fuel market growth and innovate in specific areas to drive new revenue streams). The risk appetite statement also addresses the undesirable or off-strategy risks for which zero or minimal tolerances should be set in policy prohibitions (e.g., unacceptable risk concentrations, appropriate credit limits and adherence to core values). These assertions frame the specific issues that should be addressed in regular risk reports to executive management and the board and facilitate a risk escalation policy that establishes formal lines of communication from management to the board at the first sign of a problem or an emerging risk.
- Make decisions about compensation: A formal risk appetite statement can inform a company’s overall compensation philosophy with the objective of preventing employees from taking unacceptable risks to achieve performance targets. To that end, the NACD publication lists important questions executives and directors can consider when evaluating whether the design of incentive compensation plans may inadvertently encourage risk-taking that is in conflict with the company’s established risk appetite.
These questions pertain to such matters as incentive payout outliers, extreme outperformance versus peers, comparison of incentive targets with the industry and excessive upside payout opportunities, among other factors.
No one disputes that successful organizations must take risk to create value. The question is, how much risk should they take? A balanced approach to value creation means that the enterprise accepts only those risks that are prudent to undertake, given its capacity to bear risk, and that it can reasonably expect to manage successfully.
Continually Re-Evaluate Risk Appetite
As the business environment and strategic priorities change, the risk appetite statement should be revisited periodically. The risk appetite statement is a benchmark for discussing the implications of opportunistic value-creation pursuits as they arise and is not intended to handcuff management. Therefore, it is a living document that may change as the company’s perspective toward risk changes over time.
The NACD publication acknowledges that not all companies have a formal risk appetite statement. That said, the participating directors agreed that formulating a statement can help clarify strategic objectives, equip employees to make better decisions and make clear when it is time to escalate problems up the chain. More importantly, it can be an effective tool for getting everyone in the boardroom on the same page with respect to risk.
The four appendices to the NACD publication also provide useful insights. One appendix points out that an effective risk appetite framework has four core elements:
- A collection of principles that articulate the company’s philosophy about risk-taking;
- A set of limits that identify the thresholds of acceptability in key areas;
- An analytical tool that enables the development of those limits and facilitates reporting against them; and
- An implementation framework that describes how the risk appetite is deployed in corporate decision-making.
Of particular interest, the risk appetite analytics example illustrates net available cash flow to cover risk during the enterprise’s planning period. This example begins with starting cash (and presumably other liquid assets) and expected cash flow for the planning period before committed and noncommitted cash outflows. It then totals committed cash outflows for interest, dividends and maintenance capital expenditures and noncommitted cash outflows for such planned discretionary outlays as growth capital expenditures, M&A investment and share buybacks.
By deducting committed and noncommitted cash outflows from total cash available, one is able to calculate total cash available to cover risk. Whatever that number is, it raises the question: “Is this sufficient based on the assessment of corporate risks?”
In our view, this conceptual illustration is important. A winning strategy exploits to a significant extent the areas in which the company excels relative to its competitors. The execution of any strategy is governed by the entity’s willingness to accept risk in its pursuit of value as well as its capacity to bear risk. From a strategy-setting standpoint, it is useful to have a notion as to when the capacity for bearing risk is encroached upon (i.e., when is the organization taking on too much risk?).
That is the point of the illustration, as it raises interesting questions as to whether the organization has sufficient margin for error and flexibility to cover unexpected extreme losses (so-called tail risk), unforeseen investment opportunities and other contingencies and, if it doesn’t, whether it should. For example:
- Is the enterprise’s capacity to bear risk (e.g., regulatory capital, borrowing capacity, expected free cash flow and other funding sources) adequate given the risks undertaken? What is the point at which the company’s appetite for accepting the risk of loss exposure is defined – meaning, is it at – or short of – the point of:
  - Canceling projects and deferring maintenance?
  - A profit warning?
  - A ratings downgrade?
  - A dividend cut?
  - The need to raise additional capital?
  - A loan default?
  - Insolvency?

  Does management stress-test appropriate scenarios against the point at which the entity has defined its willingness to accept exposure to loss? Has the company’s history of performance variability and success in meeting market expectations been considered in developing its risk appetite?
- Are there aspects of the strategy that may be unrealistic and may result in unacceptable risk if managers are pressured to achieve unrealistic stretch performance goals?
There is no such thing as a standard risk appetite. Management and the board formulate a risk appetite statement with full understanding of the trade-offs involved and in the context of the entity’s chosen mission, vision and business objectives. The statement serves as a reminder of the core risk strategy arising from the strategy-setting process, considering the organization’s capacity to bear risk as well as a broader understanding of the level of risk it can safely assume and successfully manage over the planning horizon in executing its strategy.
Questions for Senior Executives and Boards of Directors
Following are some suggested questions senior executives and their boards may consider, based on the entity’s operations:
- Is there a periodic substantive dialogue in both the C-suite and the boardroom regarding management’s appetite for risk and whether the company’s risk profile, as measured through periodic risk assessments and stress tests against multiple future scenarios, is consistent with that risk appetite? Is risk appetite considered when significant matters – such as proposed M&A transactions, entering new markets and significant R&D outlays – are evaluated and approved?
- Do the board and management engage in a periodic dialogue covering such topics as:
  - The maximum acceptable level of performance variability in specific operating areas?
  - The implications of changes in the business environment on the core assumptions inherent in the strategy, including the desired risk appetite?
  - Aspects of the strategy that may be a stretch or even unrealistic, leading to unacceptable risk-taking to achieve performance goals?
- Does risk reporting to executive management and the board consider the organization’s key risk appetite assertions? Is the board informed on a timely basis of exceptions and near misses to the company’s risk tolerance parameters and the planned actions to address them? Is the risk appetite statement used to drive risk policy across the enterprise?
[1] “Board-Management Dialogue on Risk Appetite,” NACD Advisory Council on Risk Oversight, May 2017, available as complimentary content at www.nacdonline.org/insights/publications.cfm?ItemNumber=43377.
[2] Enterprise Risk Management – Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations, June 2017, available at www.coso.org.