Is Your Company Exposed to the Right Risks?

Protiviti Board Perspectives

Are we taking the right risks? This rhetorical question may occur from time to time in a boardroom, particularly in a strategic dialogue. It is a deceptively simple question that defies a simple response. And it leads to another important question: How do we know?

Key Considerations

Risks are implicit in any organization’s strategy, whether management and the board are aware of them or not. Risk is inherent in any decision to expand into new markets, introduce new products, acquire a different line of business, build a new plant, or invest in uncharted research and development activities. The point is that a company’s strategic direction and its ability to execute on that direction are both fundamental to its risk-taking. Therefore, risk assessment should be an integral part of the strategy-setting process. Strategic risks should be supported or rationalized by management’s determination that the upside potential from taking those risks is sufficient to warrant acceptance of the downside exposure.

Every evaluation of risk ultimately leads to a decision to accept or reject the risk based on an assessment of whether it is desirable or undesirable. A desirable risk has three characteristics: (1) it is inherent in the institution’s business model or normal future operations; (2) the institution can effectively measure and manage it; and (3) the upside potential clearly outweighs the exposure to downside costs. Such risks are good bets. When a risk is determined to be desirable, management will generally make a decision to retain some level of exposure. This means the organization will do any number of things, including accept the risk at its present level, accept the risk but pass through its costs to customers, or self-insure the risk.

A major factor in this discussion is the organization’s risk appetite. The dialogue around developing a risk appetite statement can be an important determinant of which risks the organization should accept, the risks it should avoid, and the strategic, financial and operating parameters within which the organization should operate. These are the three elements of a risk appetite statement.[1]

Risks an organization concedes it is willing to accept outright tend to be foundational elements of the current business model and related strategy to create enterprise value. These risks are so fundamental to the business that they may not be included in a risk appetite statement. Yet, they will often appear as significant risks in a risk assessment and are an integral part of the existing risk profile. These risks are likely the ones that are “paying off” through effective execution of the strategy, compensating the company with satisfactory returns. To illustrate, a non-diversified business model (such as making a bet on a commodity like oil, or a precious metal such as gold) and a model that manages risk through portfolio diversification are both examples of an acceptable risk put in play by the selected strategy and business model. For bets on a product concept, the level of acceptable risk is driven by the product’s positioning on the product life cycle curve, as many products have a limited life and ultimately fall into decline. A global organization accepting the challenges of operating in diverse countries, cultures and regulations in pursuit of new markets is another example of acceptable risk, assuming a satisfactory risk/reward balance and a determination by management that the organization can execute the strategy effectively. A choice to make significant investments to expand into or acquire a new line of business outside the company’s current core business is yet another, as long as execution risk is reduced to an acceptable level.

Risks management has chosen to avoid are exposures management concludes the organization cannot manage effectively. For example, management may decide against:

  • Executing an acquisition because of concerns over the ability to integrate the operations of the acquired entity
  • Investing or remaining in politically unstable countries with significant economic uncertainty and currency risk or with exposure to confiscatory acts by a sovereign or to corruption
  • Introducing a new product because of concerns over execution or the downside risk
  • Using exotic derivative instruments for speculative/profit-seeking purposes or using any derivatives for any purpose that does not meet “plain vanilla” criteria

Management may, and should, have zero tolerance for: egregious violations of anti-bribery laws; high-profile environmental catastrophes; product defects that create serious health and safety issues; overriding approved safety standards using cost and schedule performance metrics; and human rights or workplace abuses embedded within the supply chain. These exposures can result in events that could severely damage reputation and brand image. Therefore, management and the board of directors would be expected to have zero tolerance or appetite for them. However, that doesn’t mean these catastrophic events won’t happen because the organization may be engaged in activities that create exposure to them. That is why these exposures must be managed through effective policies and procedures within a zero-tolerance culture.

Risk parameters provide a framework within which risks may be undertaken. These strategic, financial and operational risk parameters guide decision-making as strategic initiatives are executed, and drive discussions between executive management and the board when unforeseen opportunities arise or the parameters themselves are breached. Examples of targeted parameters are provided in the following graphic:

The chief executive officer (CEO) and executive team must collaborate in selecting and evaluating the appropriate parameters. This is not a new task. Parameters are already implicit in the executive team’s business plans, “road show” presentations and annual budgets supporting the strategy. They are considered in aligning business plans with the company’s messaging to analysts and investors. Many of these parameters may be viewed by management as objectives rather than as risk appetite assertions; nonetheless, they set constraints on the execution of the business model. They represent executive management’s view of the level of acceptable variation in the pursuit of the enterprise’s strategic objectives. As seen in the graphic on the previous page, parameters may be expressed as targets, ranges, floors or ceilings, and may have a strategic, financial or operational focus. All told, an explicit risk appetite statement enables executive management and the board of directors to get on the same page on the above issues.

More importantly, if management acts on its risk appetite dialogue with the board, it provides assurance that business activity is aligned with the organization’s determination of acceptable and unacceptable risks. Each of the three elements of a risk appetite statement results in various assertions that lead to specific actionable steps for executive management to undertake. For example:

  • With respect to risks that are acceptable or on-strategy, risk tolerances are established with the intent to accept, reduce, share or exploit these risks.
  • With respect to risks that are undesirable or off-strategy, policy prohibitions and restrictions to avoid or transfer those risks are defined and communicated.
  • With respect to strategic, financial or operating risk parameters, they are decomposed into more specific risk tolerances using the same unit of measure supporting relevant performance metrics and driven downward into the organization. They impact the planning cycle and decision-making as strategic objectives are pursued and trigger discussions between executive management and the board when near misses, exceptions or unforeseen opportunities arise.

As illustrated in the following graphic, limit structures and performance metrics are useful and actionable tools when decomposing risk parameters.

If it isn’t clear whether a risk is desirable, it is not unusual for management to defer its decision as to whether to accept or reject it. The decision to defer a determination reflects the reality that the organization doesn’t always have all of the information it needs to make an informed decision at a given point in time, particularly when future outcomes are unclear and conclusions based on “gut instincts” carry significant risk of either major opportunity loss or excessive cost. Elapsed time can be a great clarifier in some instances. In uncertain times, it may make sense to revisit the strategy and determine how the organization can undertake pre-emptive action to reduce its uncertainty.[2]

Questions for Directors

Following are some suggested questions that boards of directors may consider, in the context of the risks inherent in the entity’s operations:

  • Does the board understand, and appropriately challenge, the organization’s strategy and its underlying assumptions and inherent risks?
  • Is there periodic dialogue between management and the board on the acceptable risks to take in achieving strategic objectives?
  • Does the organization define its risk appetite in a qualitative and/or quantitative manner? If so, is the risk appetite statement revisited periodically when circumstances change significantly or unforeseen opportunities arise?
  • Is the board satisfied that the risk appetite dialogue with management enables the organization to establish appropriate tolerances and limits on risk-taking activities throughout the organization?

How Protiviti Can Help

Protiviti assists directors and executive management in public and private companies with identifying and managing the organization’s key risks. We provide an experienced, unbiased perspective on issues separate from those of company insiders and an analytical assessment approach that is aligned with the unique characteristics of the risks the organization faces. Through our risk assessment methodology, we facilitate the risk appetite discussion and help organizations identify and prioritize the risks that can impair their reputation and brand image.

[1] See Issue 20 of Board Perspectives: Risk Oversight, “Formulating an Initial Risk Appetite Statement,” available at
[2] “Strategy Under Uncertainty,” by Hugh G. Courtney, Jane Kirkland, and S. Patrick Viguerie, June 2000, McKinsey & Company, adapted from an article that appeared in Harvard Business Review, November-December 1997.

Board Perspectives: Risk Oversight (Issue 47)
