The concept of risk-appetite has been around for years, yet so many risk practitioners still find themselves confused and unsure how to quantify, formalize and document it. Well, the short answer is YOU DON’T NEED TO. There is a better way.
First, disclaimers. The following article only applies to non-financial companies, just like everything else I publish. In banks, risk appetite may still work fine. I wouldn’t know 🙂 Whenever I say something is broken I offer an alternative that works much better. You just have to be patient and finish reading the article.
Most organizations have already documented their appetites for different common decisions or business activities. Segregation of duties, financing and deal limits, vendor selection criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organizations set risk appetite. Appetites for different kinds of risks has been around for decades. Not all risks, but most of them.
So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern day consultants tell us, I believe that any attempt to aggregate risks into a single risk appetite statement in non-financial companies is both unnecessary and unrealistic. Even having few separate risk appetite statements is totally missing the point.
After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions. Or is it something else? Share your view in comments.
Instead of creating separate new risk appetite statements, risk managers should start by reviewing existing Board level policies and procedures to identify:
- significant business decisions that already have a certain risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organizations that utilize child labor or fall under economic sanctions. Or it may have a documented requirement not to invest in high-risk projects above a certain limit (my old company, for example, would not finance high-risk ventures through debt, only through equity with some oversight control). Or the company may have a finance policy not to keep more than 20% of cash in a single bank. Or the company may have a policy not to give additional trade credit to bad debtors. And many many more examples. In cases, where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. Let me make this very clear, 80% of the time the appetites for different business decisions have already been set and all the risk manager has to do is to validate, monitor, report any unusual activity.
- for the risks where no appetite has been previously set by any of the existing policies or procedures, the risk manager should work with the business owners to develop risk limits and incorporate them into existing policies and procedures. Risk limits can be divided into three groups: “zero tolerance”, acceptable within quantitative limits or acceptable within qualitative limits. This is the other 20%. Risk managers should use Monte-Carlo simulation, scenario analysis or decision trees to document risk appetites. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable.
I strongly believe that risk appetites should and can be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements.
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
Alex, shouldn’t a risk appetite statement be a quantification of acceptable risk for a class of risks versus a Loss Exceedance Curve which is generated for the individual risk, itself?
If we assume that we are talking about non-financial company, then there shouldn’t be a risk appetite statement at all. Risk appetite is the decision making criteria/boundaries and should be documented in the existing Board level documents that outlines that type of decision, like for example investment guidelines would have appetites across various investment decisions or financial policy will have appetite for bank counter-parties, concentration, cash management and risk profile.
I agree that generally speaking Policies should articulate the risk appetite. However, policies often imply lower risk acceptance than actually the management and BoD can live with, and focus on preventative measures rather than specifically determined residual risk. Take IT security for example; IT security policy typically fails to recognice a threshold of security incidents as performance measure, which, if exceeded, should warrant additional procedures and cost. A pre-determined threshold (appetite) also serves as operational tool to communicate performance levels.I see mor epotential in incorporating appetite descriptions (quantitative and qualitative) in to coprporate policies, especially when set policy targets do not reflect acceptable minimum levels.
I don’t understand your point. Surely, if that is indeed the case, it makes more sense to fix existing Board level policies instead of creating additional new risk appetite documents. Risk management is not about adding new, it’s about changing existing to be more risk-based. That goes for everything.
Agreed. Disclaimer: I work for a financial institute… but the following should be true for non financial companies as well. And yes, I can appreciate authors trying to be controversial 🙂
In my experience it makes sense to define the risk appetite framework itself in a dedicated risk appetite policy, not scattered around in other policies. But this policy stipulates just the principles & governance – not concrete limits! That policy should contain the high-level risk appetite targets based on strategic objectives, and a principle like: “for all risk types major to our company, a measurable risk tolerance limits should be in place and monitored” . It should also contain an uniform way to respond to risk appetite breaches, because executive management needs to be reported about any risk tolerance breach, no matter what the topic is and the related policy. The reason for having this in one “umbrella” policy is to have the same governance for all breaches, no matter who the risk owner is.
But I fully agree with Alex that when that is in place, concrete limits should be part of the 1st line policies themselves to ensure proper ownership (for instance travel policy for allowed number of senior staff in one vehicle, IT security policy for system availability or number of hacking attempts, BCM policy for recovery times objectives etc).
Historically risk appetite and tolerance are not the same thing. It was not a mix up of terms or semantics. When educating leaders on risk management especially capital planning, emerging markets and strategy, definitions and meanings are very important. But there seems to be a bit of new age risk concepts lately so to each its own. Also thanks for sharing your link. I am glad you made it clear that you are not talking about financial services. I think where non-financial services organizations struggle is making the transition and translating risk appetite and tolerance. But like financial services there is market risk especially if you are doing anything with CMS. From a risk management perspective you may have a left or right sided tale instead of a standard distribution. However, each org needs a risk person that can translate what it means to you. Every entity type should have a tolerance and appetite definition. Even in your own household and family it should be defined. You should know what your limits are and what scenarios allow you to change tolerance from one goal/objective to another. Very interesting
Reblogged this on GAMONT S.A..
I agree policies setting should align/reflect with risk appetite, but its hardly efficient or cost effective to have every business area constantly reviewing every policy to determine the originations appetite. Having a one or two page document that can be easily referred that demonstrates the originations position on common themes does make life easier.
Wrong assumption.