This was the original post that triggered a lot of discussion around the concept of risk appetite in non-financial companies. Again.
I semi-changed my mind on risk appetite. Separate risk appetite statements are still stupid (because there is a better way), but despite that, risk appetites should be calculated.
Because, if this is done properly, there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk.
The discussion quickly turned weird with a lot of strange concepts like risk-bearing capacity, risk appetite, tolerance and limits flying around.
I, on the other hand, believe risk appetite to be a very simple and overrated concept, so I took up the challenge of writing an article without ever mentioning any of these terms, because they actually don’t matter.
This is what a typical non-financial company should have:
At the Board level
- A Board level policy outlining acceptable or unacceptable actions/behaviour for any risk or activity where having such policy is required by law or regulator (health and safety, anti-money laundering, corruption, environment).
- Delegation limits, deal or transaction approvals and segregation of authority documented within a finance or investment policy or other Board level document.
- Existing Board level policies have a notion of high, medium and low-risk activities. Usually, the policy will have different boundaries for different risk levels. This may include:
  - different risk levels for vendors (higher risk vendors require more attention)
  - different risk levels for investment projects (higher risk projects have higher return expectations and more stringent monitoring rules)
  - no more than 20% of capital can be invested in high-risk ventures
  - etc, etc.
- An overall statement in a policy or guideline “Generate a reasonable rate of return at the moderate level of risk (expected volatility 10-20%) through a diversified portfolio of projects.”
It is then up to the risk manager to come up with methodologies for calculating risk levels or a moderate level of risk (expected volatility 10-20%). If done properly, there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk. This is a great opportunity for the risk manager to help decision makers take on more of the good risk.
At the Executive level
- Performance targets are set not as single values but as ranges, with performance outside the range escalated to the oversight body.
- Key decision criteria are calculated based on the risk levels; for example, NPV and IRR for an investment project are calculated depending on the risk level (usually by replacing WACC with a variable discount rate based on risk, or by running a Monte Carlo simulation to calculate an NPV range).
- Some significant management assumptions and risks are constantly or periodically monitored through manual or automated indicators.
- Risks are calculated for key decisions to see that they are within management authority or need to be escalated to the oversight body.
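As an added example (not from the original post), here is how the executive-level mechanics above can be wired together: a risk-adjusted discount rate replacing a flat WACC, a Monte Carlo NPV range, and a check of the result against the Board's moderate-risk band and management's delegation limit to decide whether a decision stays with management or is escalated. The rate table, the project cash flows, the delegation limit, the normal cash-flow model and the volatility proxy (NPV standard deviation divided by the initial outlay) are all assumptions.

```python
import random
import statistics

# Risk level -> discount rate that replaces a flat WACC (assumed illustrative values).
RISK_ADJUSTED_RATE = {"low": 0.08, "medium": 0.11, "high": 0.15}


def npv(cash_flows, rate):
    """Net present value; cash_flows[0] is the time-0 outlay (negative)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def monte_carlo_npv(expected_flows, cv, risk_level, n=10000, seed=1):
    """NPV range: each future cash flow is drawn from a normal distribution around
    its expected value with coefficient of variation cv (assumed model), discounted
    at the rate for the project's risk level. Returns summary statistics."""
    rate = RISK_ADJUSTED_RATE[risk_level]
    rng = random.Random(seed)  # fixed seed so the range is reproducible
    samples = []
    for _ in range(n):
        flows = [expected_flows[0]]
        flows += [rng.gauss(cf, abs(cf) * cv) for cf in expected_flows[1:]]
        samples.append(npv(flows, rate))
    samples.sort()
    return {"mean": statistics.fmean(samples), "stdev": statistics.pstdev(samples),
            "p10": samples[n // 10], "p90": samples[9 * n // 10],
            "outlay": -expected_flows[0]}


def check_against_boundaries(result, delegation_limit, vol_band=(0.10, 0.20)):
    """Apply the Board-level boundaries from the post: volatility must sit inside the
    moderate band and the outlay inside management's delegation limit; anything else
    is escalated. Volatility proxy (assumption): NPV stdev / initial outlay."""
    vol = result["stdev"] / result["outlay"]
    notes = []
    if result["outlay"] > delegation_limit:
        notes.append("outlay exceeds delegation limit")
    if vol > vol_band[1]:
        notes.append("volatility above moderate band")
    elif vol < vol_band[0]:
        notes.append("volatility below moderate band: room to take more risk")
    escalate = result["outlay"] > delegation_limit or vol > vol_band[1]
    return {"volatility": vol, "escalate": escalate, "notes": notes}


if __name__ == "__main__":
    # Constructed project: 1000 outlay, four expected inflows of 400 (assumed values).
    project = [-1000, 400, 400, 400, 400]
    res = monte_carlo_npv(project, cv=0.25, risk_level="medium")
    print(res, check_against_boundaries(res, delegation_limit=5000))
```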
That’s it. Nothing else*
No risk appetite statements, no risk-bearing capacity reports or presentations, no new Board-level policies or guidelines, no mention of risk tolerances or limits (even though all examples above are risk tolerances/limits).
* I am sure there are other examples; that was just a quick snapshot to give you an idea.