Understanding and Communicating Risk Appetite
What is Risk Appetite?
The concept of risk appetite is something that is discussed and debated on a regular basis. COSO defines risk appetite as the “amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” In many organizations, risk appetite is a nice theoretical topic to discuss, but it is rarely integrated into strategic planning. However, if companies simply talk about risk appetite and don’t do anything about it, they are missing the opportunity to set a boundary around how much risk the company is willing to take. Having an articulated risk appetite allows a company with a robust appetite for risk to set goals accordingly, and the same is true for risk-averse companies.
To help boards and senior executives articulate their appetite for risk taking, COSO recently issued a new thought paper, Enterprise Risk Management: Understanding and Communicating Risk Appetite. The thought paper describes three steps that should be taken to properly consider risk appetite:
1. Develop risk appetite
2. Communicate risk appetite
3. Monitor and update risk appetite
Developing Risk Appetite
A common misperception about the development of a risk appetite statement (or statements) is that the organization will then look to eliminate all risks because it doesn’t want to lose any money. It must be remembered that no risk taking leads to no reward. Thus, we need to define the amount of risk we are willing to take as we pursue reward opportunities. There is no “correct” size of a risk appetite. Just as every company is different, so is each company’s risk appetite.
COSO outlines four considerations that should inform the organization’s risk appetite. They consist of the following:
1. Existing Risk Profile: What are the current risks across the entity in the various risk categories?
2. Risk Capacity: How much risk is the organization able to handle in order to achieve its objectives?
3. Risk Tolerance: What is the acceptable level of deviation an organization is willing to accept in shooting for its goals?
4. Attitudes Towards Risk: What is the risk culture in the entity? Would the company “bet the farm” on any risks?
Another aspect that should be considered is the competitive nature of the market in which the entity competes. For example, a telecommunications company should consider the rapid pace at which its business environment changes. The overall theme of developing a risk appetite is to learn that risk and strategy are intertwined and must be considered together as one, not as two separate things.
Effective risk appetite statements all have similar characteristics, some of which are listed below:
• Directly links risk taking to the organization’s objectives
• Clearly stated to allow smooth communication, monitoring, and adjusting if needed
• Facilitates proper personnel placement
• Communicates clearly to outside users
• Recognizes that there is a portfolio of risks that mitigate other risks
An example of a risk appetite statement is:
• The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.
Communicating Risk Appetite
COSO outlines three different methods of communicating an entity’s risk appetite:
1. Broad Risk Appetite Statements
2. Expressing Risk Appetite for Each Major Class of Organizational Objectives
3. Expressing Appetite for Each Category
Broad risk appetite statements can even use graphics that look similar to a heat map to show which risks are acceptable and within the risk appetite of the organization and which are not. If an entity decides to talk about risks in terms of its objectives, it will discuss all the major goals and strategies of the organization and the risk appetite associated with each objective. The example given above is an example of this type of risk appetite statement. Finally, other organizations categorize risks using generic terms such as economic, environmental, political, personnel, or technology as the risk categories. The advantage of communicating risk in this way is that management can exercise judgment about acceptable levels given the various risks that fall into each of those categories.
It is also important to understand and communicate that these risks are not siloed, and likewise not to silo the communication of the risk appetite so that it covers only certain aspects of the business. A good way to remember this communication requirement is to consider the ERM Cube, as designed by COSO.
Monitoring and Updating Risk Appetite
Risk appetite must be revisited and reinforced by management on a regular basis. It should be incorporated into the fabric of the corporate culture. Some organizations will review and revisit the risk appetite through monitoring activities such as key performance indicators (KPIs) and key risk indicators (KRIs). Other ways to ingrain risk appetite into the culture of an organization include ensuring the following:
• Consistent implementation across units
• Effective monitoring and communication of risk and changes in risk appetite
• Consistent understanding of risk appetite and related tolerances for each organizational unit
• Consistency between risk appetite, objectives, and relevant reward systems
Any deviations from the risk appetite should be immediately reported to upper management as part of the normal internal reporting process.
With that said, it is very important for roles within an organization to be filled appropriately to ensure that the risk appetite is actually a factor in business decisions on a daily basis. The board should oversee management and monitor the entity-level risk management process, including monitoring risk appetite. Effective board oversight includes:
• Clear discussion of the organization’s objectives and risk appetite
• Oversight of the organization’s compensation plan for consistency with risk appetite
• Oversight of management’s risk identification when pursuing strategies to determine whether the risks exceed the risk appetite
• Oversight of strategies and objectives to determine whether the pursuit of some objectives may create unintended consequences
• A governance structure that requires regular conversations on risk appetite