Forming an Initial Risk Appetite Statement

Protiviti Board Perspectives

A risk appetite statement establishes a common understanding between executive management and the board of directors regarding desirable risks underlying the execution of the enterprise’s strategy.

Key Considerations

In a Protiviti survey on board risk oversight, only 14 percent of participating directors reported that discussions regarding acceptable levels of risk are sufficient for the board’s purposes.[1] Defining risk appetite is a challenge for many organizations because not all risks are quantifiable. This may be why many non-financial companies do not have an explicit risk appetite statement.

Every company has an appetite for risk, whether it chooses to acknowledge it explicitly or not. When defining risk appetite, we suggest companies begin with understanding their historical risk-taking characteristics and then frame their risk appetite in the context of their strategies and business models. For example, what risks are unacceptable to management and the board? What ceilings are placed on M&A and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets)? These and other elements provide the baseline for starting the risk appetite dialogue.

Illustrative Risk Appetite Assertions

•    Market growth: We will aggressively pursue regional strategies to meet our market growth objectives (increase of 2 percent in market share) by investing in China, India and Latin America.
•    Reputation and brand image: We will manage/avoid situations/actions that could have a negative impact on our reputation and brands.
•    Investment limits: We will limit capital expenditures to an amount that still allows the company to achieve its annual free cash flow target of $225 million.
•    Target debt rating: We seek to maintain an enterprise-level debt rating of investment grade or better.
•    Self-sustaining growth: New business will maintain our working capital ratio between 1 and 1.5 percent.
•    Financial strength: We will maintain an EBIT/interest ratio between 4 and 5 percent.
•    Loss exposure: We will manage our operational activities and exposures to avoid losses to pre-tax operating margins of more than $25 million.

Consider the following when formulating assertions to include in a risk appetite statement:

  1. Acceptable or on-strategy risks the organization intends to take because the risk taken is sufficiently compensated. These risks are the bets management makes to fuel growth (e.g., invest in certain countries, build new plants and hire more people). Risk tolerances are often set for these risks (e.g., spend limits, time horizons, etc.).
  2. Undesirable or off-strategy risks that should be avoided, and for which zero/minimal tolerances should be set. Policy prohibitions may be set for these risks – for example, restrictions on the use of financial derivatives for profit-making purposes, the types of instruments used, and minimum criteria for counterparties. The company may acknowledge risks it chooses to avoid in order to communicate clearly that such risks are unacceptable.
  3. Parameters within which management runs the business and undertakes risk. Parameters may impact decision-making during the planning cycle and as strategic priorities and the business plan are executed. They also may drive discussions between management and the board when unforeseen opportunities arise. Parameters provide a framework within which risks may be undertaken. Expressed as targets, ranges, floors or ceilings, they may consist of:
     • Strategic parameters – These include new products to pursue or avoid, and the investment pool for capital expenditures and M&A activity.
     • Financial parameters – These represent the maximum acceptable level of loss or performance variation. They include EPS variability, FCF growth/margin, EBIT growth/margin, ROA or ROIC, target debt rating, target debt/equity ratio, and EBIT/interest coverage ratio.
     • Operating parameters – These include capacity management, sustainability response, R&D investment pool, environmental requirements, safety targets, quality targets, and customer concentrations.

Taken together, the assertions developed using the above considerations frame the organization’s risk appetite statement. The risks the organization is intent on taking are articulated and the parameters within which those risks are assumed become more evident to management and the board. While not intended to “handcuff” management, the risk appetite statement becomes a benchmark for discussing the implications of pursuing value-creation opportunities as they arise.

Questions for Boards

Following are suggested questions that directors may consider, based on the entity’s inherent risks:

  • Does the board understand, and appropriately challenge, the organization’s strategy and its underlying assumptions and inherent risks?
  • Is there a periodic dialogue between management and the board on acceptable risks to take in achieving strategic objectives?
  • Does the organization define its risk appetite in a qualitative and/or quantitative manner? If so, is risk appetite revisited when circumstances change significantly or unforeseen opportunities arise?
  • Is the board satisfied that the expression of risk appetite enables management to establish appropriate limits on risk-taking activities in the organization?

How Protiviti Can Help

Protiviti assists boards and executive management with developing a risk appetite statement. We facilitate initiating and sustaining the risk appetite discussion and help organizations identify and prioritize the risks that can impair their reputation and brand image.

[1] See Board Risk Oversight – A Progress Report, available at

Board Perspectives: Risk Oversight (Issue 20)
