Management Risk Appetite Dialogue

Board Perspectives - Risk Oversight, Issue 108

With unpredictable markets and myriad uncertainties, coupled with unprecedented market opportunities, how should the board of directors engage management with respect to the organization’s risk appetite?

Last year, the National Association of Corporate Directors (NACD) Advisory Council on Risk Oversight released a publication based on input obtained from a meeting with risk and audit committee chairs from Fortune 500 companies.[1] This publication offers both directors and senior executives useful insights that are consistent with the COSO Enterprise Risk Management Framework[2] (also released last year), which boards and executives can use to advance their risk appetite dialogue.

The practical advice offered by the NACD advisory council is framed around three major takeaways for getting the most out of the risk appetite dialogue:

  1. Align the risk appetite statement with company strategy.
  2. Use the risk appetite statement to inform critical processes and decisions.
  3. Continually re-evaluate the risk appetite statement.

Each takeaway is discussed below.

The risk appetite dialogue offers executive management and the board of directors an opportunity to get on the same page regarding the drivers of, and parameters around, opportunity-seeking behavior. Once they reach an agreement on the types and amount of risk the entity is willing to take in creating value, the risk appetite statement serves as a guidepost for subsequent boardroom discussions and the entire organization.

The NACD publication is stocked with sage observations from savvy directors who practice what they preach. There is no academic conjecture or suppositional expoundings of theory anywhere in its 12 pages — just a crisp discussion of how and why risk appetite is used in the boardroom.

Align the Risk Appetite Statement With Company Strategy

Risks are inherent in every strategy, whether the organization’s management chooses to express them explicitly or not. When determining the level of acceptable risk, directors should work with management to understand the most critical risks (whether expressed qualitatively or quantitatively) and evaluate management’s tolerance for each. The idea is to frame the risk appetite statement as a means to optimize the competitive advantage that is unique to each company.

The NACD advisory council suggests using metrics to set boundaries around the risks the entity is willing to accept. These metrics may be expressed as targets, ranges, floors, ceilings or prohibitions that set parameters within which the company is to operate. For example:

  • Strategic parameters consider matters such as new products to pursue or avoid, markets to target, markets that are on- or off-strategy, brand erosive actions to be avoided, and the investment pool for capital expenditures and mergers and acquisitions (M&A) activity.
  • Financial parameters consider matters such as the maximum acceptable variation in financial performance, risk-adjusted return on capital, target debt rating, target debt/equity ratio, earnings before interest and taxes (EBIT)/interest coverage ratio, and derivative counterparty criteria.
  • Operating parameters consider matters such as capacity management; sustainability; environmental, social and governance (ESG) requirements; research and development (R&D) investment pool; safety targets; quality targets; and customer concentrations.

The advisory council recommended benchmarking against peer groups (e.g., comparing the company’s cybersecurity risk rating to the rating of its competitor peer group). Taken together, these and other considerations help frame the entity’s risk appetite.

When aligned with the strategy and benchmarked against peer groups, the risk appetite statement can be a useful tool for executive management to use in communicating with the board, encouraging the enterprise’s personnel to take risks in executing the strategy and transforming a risk averse culture into one that takes measured risks. More importantly, it can aid in maintaining strategic focus and avoiding strategic drift.

Use the Risk Appetite Statement to Inform Critical Processes and Decisions

When articulated crisply with both forward- and backward-looking metrics, a robust risk appetite statement can be used to:

  • Establish performance targets — Risk appetite statements help organizations set more balanced performance targets that avoid incentivizing excessive risk-taking behavior. In making risk appetite assertions, executive management and the board determine where the trade-offs are regarding promoting superior performance versus limiting exposure to unwanted risks. Pushing these determinations down into the organization drives strategic alignment of processes and people, preventing trade-off decisions from being made in isolation. An effective risk appetite statement offers decision-makers a “reasonableness test” to avoid entering into bad or risky deals or setting unrealistic performance goals that can lead to corner-cutting.
  • Shape corporate culture — The organization’s overall risk awareness and risk culture improve significantly when the risk appetite statement is translated into actionable guidance with well-defined thresholds and tolerance levels that are used across the organization to measure and monitor the level of acceptable variation in performance. For example, an organization with a lower risk appetite may prefer less performance variation compared to an entity with a greater risk appetite. When risk thresholds and tolerances are embedded into operating processes, employees are positioned to make thoughtful day-to-day, risk-adjusted decisions that are more in line with executive management’s and the board’s expectations — particularly in areas that are a high priority or where there is zero tolerance for risk.
  • Improve communication, including reporting to the board — An effective risk appetite statement is an important communication tool for driving alignment with and awareness of the strategy through more transparent risk policy and more focused risk reporting. A robust statement of risk appetite clarifies the acceptable (or on-strategy) risks that the organization intends to take and forces dialogue on whether the strategy’s potential upside rewards outweigh and warrant acceptance of its inherent downside risks. These risks are typically foundational elements of the business strategy (e.g., investing in developing countries to fuel market growth and innovating in specific areas to drive new revenue streams).

    The risk appetite statement also addresses the undesirable (or off-strategy) risks for which zero or minimal tolerances should be set with restrictive policy prohibitions (e.g., unacceptable risk concentrations, appropriate credit limits and adherence to core values). The various assertions included in the statement frame the specific issues that should be addressed in regular risk reports to the board and facilitate a risk escalation policy that establishes formal lines of communication from management to the board at the first sign of a problem or an emerging risk.

  • Make decisions about compensation — A formal risk appetite statement can inform a company’s overall compensation philosophy with the goal of preventing employees from taking unacceptable risks to achieve performance targets. To that end, the NACD publication provides important questions directors can ask when evaluating whether the design of incentive compensation plans may inadvertently encourage risk-taking that conflicts with the company’s established risk appetite. These questions pertain to such matters as incentive payout outliers, extreme outperformance versus peers, comparison of incentive targets with the industry and excessive upside payout opportunities, among other things.

No one disputes that successful organizations must take risks to create value. The question is how much risk should they take? A balanced approach to value creation means the enterprise only accepts those risks that are prudent to undertake, given its capacity to bear risk and the level of risk it can reasonably expect to manage successfully.

Continually Re-Evaluate the Risk Appetite Statement

The risk appetite statement should be revisited periodically as the business environment and strategic priorities change. It is a benchmark for discussing the implications of opportunistic value creation pursuits as they arise and is not intended to constrain management. Therefore, it is a “living document” that may change as the company adjusts its culture and perspective toward risk over time.

The NACD publication acknowledges that not all companies have a formal risk appetite statement. That said, the participating directors agreed that formulating a statement can help clarify strategic objectives, equip employees to make better decisions, and make clear when it is time to escalate problems up the chain of command. More importantly, it can be an effective tool for getting everyone in the boardroom on the same page with respect to risk.

The four appendices to the NACD publication also provide useful insights. One appendix points out that an effective risk appetite framework has four core elements:

  1. A collection of principles that articulates the company’s philosophy on risk-taking;
  2. A set of limits that identifies the thresholds of acceptability in key areas;
  3. An analytical tool that enables the development of those limits and facilitates reporting against them; and
  4. An implementation framework that describes how the risk appetite is deployed in corporate decision-making.

Of particular interest, the NACD advisory council used a risk appetite analytics example to illustrate how net available cash flow must cover risk during the enterprise’s planning period. This example begins with starting cash (and presumably other liquid assets) and expected cash flow for the planning period before committed and noncommitted cash outflows. It then totals committed cash outflows for interest, dividends and maintenance capital expenditures; and noncommitted cash outflows for such planned discretionary outlays as growth capital expenditures, M&A investments and share buybacks. By deducting total committed and noncommitted cash outflows from total cash available, one is able to calculate the total cash available to cover unexpected risk events during the planning horizon. Whatever that number is, it raises the question, “Is this liquidity sufficient based on the assessment of corporate risks?”

In our view, this conceptual illustration is important. A winning strategy exploits to a significant extent the areas in which the company excels relative to its competitors. The entity’s willingness to accept risk in its pursuit of value as well as its capacity to bear risk govern the execution of its strategy. From a strategy-setting standpoint, it is useful to have a notion as to when the capacity for bearing risk is encroached upon (i.e., when is the organization taking on too much risk?). That is the point of the illustration, as it raises interesting questions as to whether the organization should have a “margin for error” to cover unexpected extreme losses (so-called “tail risk”), investment opportunities and other contingencies.

For example, is the enterprise’s capacity to bear risk (e.g., regulatory capital, borrowing capacity, expected free cash flow and other funding sources net of expected outlays) adequate given the enterprise’s risk profile? At what point is the company’s appetite for accepting the risk of loss exposure defined; that is, is it at, or short of, the point of:

  • Canceling projects and deferring maintenance?
  • A profit warning?
  • A ratings downgrade?
  • A dividend cut?
  • The need to raise additional capital?
  • A loan default?
  • Insolvency?

Does management stress test appropriate scenarios against the point at which the entity has defined its willingness to accept exposure to loss? Has the company’s history of performance variability and success in meeting market expectations been considered in developing its risk appetite? Are there aspects of the strategy that may be unrealistic and result in unacceptable risk if managers are pressured to achieve unrealistic stretch performance goals?

With the above questions, it should be evident that there is no such thing as a “standard” risk appetite. Every organization is different. Management and the board formulate a risk appetite statement with a full understanding of the trade-offs involved and in the context of the entity’s chosen mission, vision and business objectives. The risk appetite statement serves as a reminder of the core risk strategy arising from the strategy-setting process, taking into account the organization’s capacity to bear risk as well as a broader understanding of the level of risk that it can safely assume and successfully manage over the planning horizon in executing its strategy.

From our experience, the most important part of formulating a risk appetite statement is the board’s dialogue with management. This dialogue often focuses on such questions as what risks we seek to take, what risks we want to avoid, and the big one — why? It leads to discussions as to which risks the entity manages better than its competitors and how management knows they can manage them better. Finally, the dialogue forces the company to acknowledge the risks and uncertainties inherent in the business model as well as how these risks are being reduced to an acceptable level.

Questions for Boards

Following are some suggested questions that boards of directors may consider, based on the entity’s operations:

  • Is there a periodic substantive board-level dialogue regarding management’s appetite for risk and whether the company’s risk profile, as measured through periodic risk assessments and stress tests against multiple future scenarios, is consistent with that risk appetite? Does the board consider risk appetite when it approves management actions on significant matters (e.g., proposed M&A transactions, entering new markets, and significant R&D outlays)?
  • Do the board and management engage in a dialogue on a periodic basis about topics such as the maximum acceptable level of performance variability in specific operating areas? Is there any discussion of the implications of changes in the business environment on the core assumptions inherent in the strategy, including the desired risk appetite?
  • Does board risk reporting consider management’s key risk appetite assertions? Is the board informed on a timely basis of exceptions and near misses to the company’s risk tolerance parameters and the planned actions to address them? Is the risk appetite statement used to drive risk policy across the enterprise?

How Protiviti Can Help

Protiviti assists boards and executive management with assessing the enterprise’s risks, either across the entity or at various operating units, and the capabilities for managing those risks. We help organizations identify and prioritize risks that can impair their reputation and brand image. Through our risk assessment methodology, we facilitate the risk appetite discussion.

Is It Time for Your Board to Evaluate Its Risk Oversight Process?

The TBI Protiviti Board Risk Oversight Meter™ provides boards with an opportunity to refresh their risk oversight process to ensure it’s focused sharply on the opportunities and risks that truly matter. Protiviti’s commitment to facilitating continuous process improvement to enable companies to confidently face the future is why we collaborated with The Board Institute, Inc. (TBI) to offer the director community a flexible, cost-effective tool that assists boards in their periodic self-evaluation of the board’s risk oversight and mirrors the way many directors prefer to conduct self-evaluations. Boards interested in using this evaluation tool should visit the TBI website at



[1] Board-Management Dialogue on Risk Appetite, NACD Advisory Council on Risk Oversight, May 2017. 
[2] Enterprise Risk Management — Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, June 2017.
