Risk profiles have changed significantly over the last two years. How does this brave new world affect a company’s risk appetite? What is risk appetite? How can management and the board discuss it?
Risk appetite is the mutual understanding between management and the board regarding the drivers of, and parameters around, opportunity-seeking behavior. It is a high-level view of how much performance variability the entity is willing to accept.
Risk oversight begins with understanding the risk appetite. Successful organizations must take risk to create value. The question is how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and it can reasonably expect to manage successfully. While risk appetite is not always articulated explicitly, it manifests itself through an organization’s behavior over time. Because every organization has a risk appetite whether it acknowledges it or not, it is important that management and the board see eye-to eye with respect to the entity’s risk-taking behavior.
An ongoing dialogue around risk appetite is as much about making the best bets in the pursuit of value creation opportunities as it is about avoiding and hedging bets. It opens up consideration to the full range of risk response options – avoid, accept, reduce, transfer and exploit. For example, the company may choose to exploit certain customer segments or geographical markets or enter into a completely different line of business, accepting the risks of doing so in view of its objectives for increasing sustainable enterprise value. Alternatively, the dialogue may determine that certain risks exceed acceptable limits and need to be avoided altogether or transferred to other parties through insurance or a joint venture.
While risk appetite is strategic and relates primarily to the business model, risk tolerance is tactical and relates primarily to the entity’s objectives. An organization’s risk appetite reflects both its capacity to bear risk as well as a broader understanding of the level of risk that it can safely assume and successfully manage over a given time horizon. It represents executive management’s “view of the world” inherent in the organization’s strategy and in the execution of that strategy, in the form of both risks taken and avoided.
Business complexity and financial risk often warrant quantitative articulations and explicit policies, providing a “guidepost” for strategy-setting. If articulated explicitly, risk appetite provides overall direction for risk management and is grounded during the objective-setting process. For example, an enterprise may set the maximum acceptable level of loss or may establish policy prohibitions. Risk appetite is a tool for aligning the entity’s risk taking with what it does best, its core competencies.
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Is there a periodic substantive board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite? Does the board consider risk appetite when it approves management actions on significant matters?
- Do the board and management engage in a dialogue on a periodic basis covering such topics as:
- Maximum acceptable level of performance variability in specific operating areas?
- Policy prohibitions needed to establish behavioral boundaries?
- Targeted operating parameters?
- Periodic and timely upside/downside debates on significant matters?
- Risks and assumptions inherent in the corporate strategy?
- “Hard spots” and “soft spots” in the business plan?
- Exceptions and near misses to the company’s risk tolerance parameters and planned remediation?
- Implications of changes in the operating environment on the core assumptions inherent in the strategy, including the desired risk appetite?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and the capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image. Through our risk assessment methodology, we facilitate the risk appetite discussion.
Board Perspectives: Risk Oversight (Issue 4)