How Risk Appetite Should Impact Behavior

Protiviti Board Perspectives
How Risk Appetite Should Impact Behavior

As we have discussed in previous issues of this publication, there are three elements of a risk appetite statement: risks that are acceptable or on-strategy, risks that are undesirable or off-strategy, and important strategic, financial and operational risk parameters. Taken together, the assertions included in each of these elements frame the organization’s risk appetite.

A risk appetite statement is a reminder to management and the board of directors of the core risk strategy arising from the strategy-setting process. A winning strategy exploits to a significant extent the areas in which the company excels relative to its competitors.

The discussion below addresses how a risk appetite statement should be used.

Key Considerations

The execution of any strategy is governed by the willingness of the organization to accept risk in the pursuit of value creation, as well as by its capacity to bear that risk. From a strategy-setting standpoint, it’s important to have a sense of when the organization’s capacity for bearing risk is reaching a tilting point (i.e., when is it taking on too much risk?). Otherwise, how can the organization’s risk profile be managed?

To elaborate further, consider the following questions: 

  • What is the desirable relationship between the capacity to bear risk, which is the maximum level of risk the organization can assume given its capital base (i.e., paid-in capital and retained earnings) and liquidity under present and stress conditions, and management’s appetite for taking risk?   
  • Does it make sense to take all of the risks an organization is capable of undertaking without reserving capital, borrowing capacity and other financial resources for unexpected extreme losses, investment opportunities and other contingencies?
  • Is it appropriate to retain a significant risk when options for transferring that risk are available at reasonable cost?
  • Are there certain aspects of the strategy that may be unrealistic and result in unacceptable risks if managers are stretched to achieve established performance goals?

These questions should be considered as part of a disciplined approach to protecting enterprise value. The risk appetite statement helps to facilitate this discipline, as it serves as a guidepost when a new market opportunity or significant risk emerges. A robust “think-outside-of-the-box” process is needed to establish and sustain this vital dialogue between management and the board so risk tolerances and limit structures can be developed and applied by lines of business and process owners. Our experience is that the number of directors satisfied with their board’s discussions with management regarding acceptable levels of risk is a small minority.1

Since market conditions cannot be forecast over time with certainty, a risk appetite statement must be dynamic; that is, it must establish boundaries without becoming excessively rigid. It therefore must be flexible enough to respond to changes in the business environment. At the same time, the assertions in a risk appetite statement must be viewed as authoritative benchmarks that have been vetted and approved by the board such that any movement away from the core risk strategy they portray will be recognized as a deliberate decision to move outside of established boundaries.

If a risk appetite statement is constantly altered to accommodate every emerging opportunity or to rationalize violations of risk tolerances and limits, it loses its value as a disciplinary rudder for navigating through unpredictable and rough waters.

Executive management should avoid being so influenced by short-term market pressures that they allow the company to ignore the parameters set by the risk appetite statement in order to do whatever it takes to meet analysts’ expectations. Profits can mask risks, good times can drive risky behavior, and tough times can drive lack of discipline. But none of these circumstances makes risks go away. Bottom line, this is what gets management teams into trouble. Strategic drift can lead to lack of focus in managing the organization’s risk profile.

By contrast, a well-articulated risk appetite statement that is communicated effectively to operating units in the form of risk tolerances and limit structures they can apply day to day can provide clarity and focus to the resource allocation process and surface the need for dialogue as market conditions change. An ongoing risk appetite dialogue can facilitate specific management decisions and actions over time. Following are 10 illustrative examples of specific actions arising from an ongoing dialogue comparing the organization’s risk profile with its risk appetite:

  1. Facilitate more effective decisions about acquisitions, divestitures, new business lines and new products.
  2. Scale down the size of a noncore or excessively risky business.
  3. Influence exiting from a business not aligned with the firm’s desired risk profile.
  4. Adjust the compensation structure of a particular operating unit to (a) address incentives and constraints articulated in the risk appetite statement to take into account the desired level of risk, and (b) hold unit management accountable for performance against these expectations.
  5. Articulate policies codifying the types of risk the firm is willing to bear and under what conditions, as well as the risks the firm is unwilling to assume, and translate these expectations into supporting policies and processes that align the actions of individuals throughout the organization (or in specific lines of business) with the expressed intent of the board of directors and executive management.
  6. Identify risk areas requiring improved measurement methodologies, including establishment of risk tolerances and limit structures.
  7. Align the operational emphasis on specific geographies and markets, customer segments, counterparties, risk areas, research and development (R&D) projects, capital spending, and products and services with established boundaries and limits.
  8. Recalibrate the business mix to emphasize those operating units with the desired risk/reward trade-offs.
  9. Modify the composition of the capital structure according to established target working capital levels, regulatory and economic capital thresholds, target leverage ratios, target credit ratings, and optimum liquidity ratios, among other things.
  10. Determine whether to increase Value at Risk (VaR) limits when breaches occur or take measures to reduce VaR exposures within established limits.

The above decisions and actions can be challenging when a business is highly profitable. As evidenced by the financial crisis, continued highly profitable performance can create the illusion that the good times will never end. Everyone loves to make money. The irony is that such situations may be just the time to take a close look at risk levels. Because most measures of performance are not adjusted for risk, it takes a disciplined management team to recognize that the focus of a risk appetite statement is strategic and longer term, not short term.

Boards that invest time and effort in articulating a firm’s risk appetite statement will have a greater stake in overseeing its implementation. Once the risk appetite statement is agreed upon, management must ensure it is adhered to and used to guide decision-making at both the corporate and operating unit levels. In addition, there should be a process in place for periodically determining whether the risk appetite statement should be updated to reflect changed circumstances in the marketplace.

Companies with a well-articulated risk appetite statement are in a position to set an expectation for strategy reviews by operating units and to conduct regular discussions about how to manage unexpected economic or market events in particular geographies or lines of business. In cases where the firm does not comply with the risk appetite statement, the chief executive officer (or that executive’s designee) should outline to the board the corrective action management is undertaking to address the variance.

For example, one bank incorporated into its risk appetite statement the principle that the board and senior management must understand and be able to identify and manage all of its risks. The firm therefore decided to exit a specific business with risks that were not well understood, even though the business was profitable at the time. That particular business unit eventually generated significant losses for other firms during the financial crisis.

Together, a risk appetite statement and the ongoing dialogue between management and the board that should follow the creation of that statement can provide a forward-looking process that establishes expectations about the firm’s overall risk profile as circumstances change and opportunities arise. These expectations can be based on stress tests and scenario analysis conducted on a consolidated basis to assist management in identifying where the organization is most vulnerable to dramatic market shifts and to support the risk appetite articulation. These points of vulnerability enable management and the board to establish a clearer road map for taking risk, mitigating loss exposures and employing contingency measures.

Questions for Directors

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:

  • Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile, as determined through periodic risk assessments, is consistent with that risk appetite?
  • Do the board and management engage in a dialogue on a periodic basis covering such topics as:
    • The maximum acceptable level of performance variability in specific operating areas?
    • Policy prohibitions needed to establish behavioral boundaries as well as specific limits in volumes, activities, losses and concentrations in critical areas?
    • Targeted financial and operating parameters?
    • Periodic and timely upside/downside debates on significant matters?
    • The risks and assumptions inherent in the corporate strategy?
    • Management’s assessment of the “hard spots” and “soft spots” in the business plan?
    • The implications of changes in the operating environment on the core assumptions inherent in the strategy, including the desired risk appetite?
  • Is the board informed on a timely basis of exceptions and near misses to the company’s risk tolerance parameters or established limits in significant areas and the planned actions to address them?
1See Board Risk Oversight – A Progress Report, available at This 2010 study sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) indicated that only 14 percent of the participating 200 directors reported that their discussions with management regarding acceptable levels of risk are sufficient for the board’s purposes.

Board Perspectives: Risk Oversight (Issue 54)

Click here to access all series

Ready to work with us?