This was the original post that was triggered a lot of discussion around the concept of risk appetite in non-financial companies. Again.
I semi-changed my mind on risk appetite. Separate risk appetite statements are still stupid (because there is a better way), but despite that risk appetites should be calculated.
Because if done properly there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk.
Amazing opportunity!
The discussion quickly turned weird with a lot of strange concepts like risk-bearing capacity, risk appetite, tolerance and limits flying around.
I, on the other hand, believe risk appetite to be a very simple and overrated concept, so I took to the challenge to write an article without ever mentioning any of the terms because they actually don’t matter.
This is what a typical non-financial company should have:
At the Board level
- A Board level policy outlining acceptable or unacceptable actions/behaviour for any risk or activity where having such policy is required by law or regulator (health and safety, anti-money laundering, corruption, environment).
- Delegation limits, deal or transaction approvals and segregation of authority documented within a finance or investment policy or other Board level document.
- Existing Board level policies have a notion of high, medium, low-risk activities. Usually, the policy will have different boundaries for different risk levels. This may include:
- different risk levels for vendors (higher risk vendors require more attention)
- different risk levels for investment projects (higher risk projects have higher return expectations and more stringent monitoring rules)
- no more than 20% of capitals can be invested in high-risk ventures
- etc, etc.
- An overall statement in a policy or guideline “Generate a reasonable rate of return at the moderate level of risk (expected volatility 10-20%) through a diversified portfolio of projects.”
It is then up to the risk manager to come up with the methodologies how to calculate risk levels or moderate level of risk (expected volatility 10-20%). If done properly there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk. This is a great opportunity for the risk manager to help decision makers take on more of the good risk.
At Executive level
- Performance targets are set not as single values, rather as ranges, where performance outside of range is escalated to the oversight body.
- Key decision criteria are calculated based on the risk levels, for example, NPV and IRR for an investment project are calculated depending on the risk level (usually replacing WACC with variable discount rate based on risk or running Monte-Carlo to calculate NPV range)
- Some significant management assumptions and risks are constantly or periodically monitored through manual or automated indicators.
- Risks are calculated for key decisions to see that they are within management authority or need to be escalated to the oversight body.
That’s it. Nothing else*
No risk appetite statements, no risk-bearing capacity reports or presentations, no new Board-level policies or guidelines, no mention of risk tolerances or limits (even though all examples above are risk tolerances/limits).
* I am sure there are other examples, that was just a quick snapshot to give you an idea.
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.