The concept of risk appetite has been around for years, yet so many risk practitioners still find themselves confused and unsure how to quantify, formalize and document it. Well, the short answer is YOU DON’T NEED TO. There is a better way.
First, disclaimers. The following article only applies to non-financial companies, just like everything else I publish. In banks, risk appetite may still work fine. I wouldn’t know 🙂 Whenever I say something is broken I offer an alternative that works much better. You just have to be patient and finish reading the article.
Most organizations have already documented their appetites for different common decisions or business activities. Segregation of duties, financing and deal limits, vendor selection criteria, investment criteria, zero tolerance to fraud or safety risks – these are all examples of how organizations set risk appetite. Appetites for different kinds of risks have been around for decades. Not for all risks, but for most of them.
So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern-day consultants tell us, I believe that any attempt to aggregate risks into a single risk appetite statement in non-financial companies is both unnecessary and unrealistic. Even having a few separate risk appetite statements totally misses the point.
After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions. Or is it something else? Share your view in comments.
Instead of creating separate new risk appetite statements, risk managers should start by reviewing existing Board level policies and procedures to identify:
- significant business decisions that already have a certain risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organizations that utilize child labor or fall under economic sanctions. Or it may have a documented requirement not to invest in high-risk projects above a certain limit (my old company, for example, would not finance high-risk ventures through debt, only through equity with some oversight control). Or the company may have a finance policy not to keep more than 20% of cash in a single bank. Or the company may have a policy not to give additional trade credit to bad debtors. And many, many more examples. In cases where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. Let me make this very clear: 80% of the time the appetites for different business decisions have already been set, and all the risk manager has to do is validate, monitor and report any unusual activity.
- for the risks where no appetite has been previously set by any of the existing policies or procedures, the risk manager should work with the business owners to develop risk limits and incorporate them into existing policies and procedures. Risk limits can be divided into three groups: “zero tolerance”, acceptable within quantitative limits, or acceptable within qualitative limits. This is the other 20%. Risk managers should use Monte Carlo simulation, scenario analysis or decision trees to document risk appetites. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable.
I strongly believe that risk appetites can and should be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements.