A risk appetite statement establishes a common understanding between executive management and the board of directors regarding desirable risks underlying the execution of the enterprise’s strategy.
• Market growth: We will aggressively pursue regional strategies to meet our market growth objectives (increase of 2 percent in market share) by investing in China, India and Latin America.
• Reputation and brand image: We will manage/avoid situations/actions that could have a negative impact on our reputation and brands.
• Investment limits: We will limit capital expenditures to an amount that still allows the company to achieve its annual free cash flow target of $225 million.
• Target debt rating: We seek to maintain an enterpriselevel debt rating of investment grade or better.
• Self-sustaining growth: New business will maintain our working capital ratio between 1 and 1.5 percent.
• Financial strength: We will maintain an EBIT/interest ratio between 4 and 5 percent.
• Loss exposure: We will manage our operational activities and exposures to avoid losses to pre-tax operating margins of more than $25 million.
Consider the following when formulating assertions to include in a risk appetite statement:
- Acceptable or on-strategy risks the organization intends to take because the risk taken is sufficiently compensated. These risks are the bets management makes to fuel growth (e.g., invest in certain countries, build new plants and hire more people). Risk tolerances are often set for these risks (e.g., spend limits, time horizons, etc.).
- Undesirable or off-strategy risks that should be avoided, and for which zero/minimal tolerances should be set. Policy prohibitions may be set for these risks – for example, restrictions on the use of financial derivatives for profit-making purposes, the types of instruments used, and minimum criteria for counterparties. The company may acknowledge risks it chooses to avoid in order to communicate clearly that such risks are unacceptable.
- Parameters within which management runs the business and undertakes risk. Parameters may impact decision-making during the planning cycle and as strategic priorities and the business plan are executed. They also may drive discussions between management and the board when unforeseen opportunities arise. Parameters provide a framework within which risks may be undertaken. Expressed as targets, ranges, floors or ceilings, they may consist of:
- Strategic parameters – These include new products to pursue or avoid, and the investment pool for capital expenditures and M&A activity.
- Financial parameters – These represent the maximum acceptable level of loss or performance variation. They include EPS variability, FCF growth/margin, EBIT growth/margin, ROA or ROIC, target debt rating, target debt/equity ratio, and EBIT/interest coverage ratio.
- Operating parameters – These include capacity management, sustainability response, R&D investment pool, environmental requirements, safety targets, quality targets, and customer concentrations.
Taken together, the assertions developed using the above considerations frame the organization’s risk appetite statement. The risks the organization is intent on taking are articulated and the parameters within which those risks are assumed become more evident to management and the board. While not intended to “handcuff” management, the risk appetite statement becomes a benchmark for discussing the implications of pursuing value-creation opportunities as they arise.
Questions for Boards
Following are suggested questions that directors may consider, based on the entity’s inherent risks:
- Does the board understand, and appropriately challenge, the organization’s strategy and its underlying assumptions and inherent risks?
- Is there a periodic dialogue between management and the board on acceptable risks to take in achieving strategic objectives?
- Does the organization define its risk appetite in a qualitative and/or quantitative manner? If so, is risk appetite revisited when circumstances change significantly or unforeseen opportunities arise?
- Is the board satisfied that the expression of risk appetite enables management to establish appropriate limits on risk-taking activities in the organization?
How Protiviti Can Help
Protiviti assists boards and executive management with developing a risk appetite statement. We facilitate initiating and sustaining the risk appetite discussion and help organizations identify and prioritize the risks that can impair their reputation and brand image.
1See Board Risk Oversight – A Progress Report, available at www.protiviti.com.
Board Perspectives: Risk Oversight (Issue 20)