Thinking about risk appetite and risk appetite statements

I have written a lot over the years about risk appetite and the value of risk appetite statements, both here on this blog and also in my books, especially World-Class Risk Management (2015) and Risk Management in Plain English: A Guide for Executives, Enabling Success through Intelligent and Informed Risk-Taking (2018).

I am going to write more today, excerpting my writing from a few years ago before summarizing, as best I can, my current thinking.

This is from Risk Management in Plain English (with my highlights), a concise discussion of effective risk management for the time-burdened executive (discussed further in Risk Management for Success (2020)):

The concept of “risk appetite” has been popularized by consultants, regulators, and others. It is defined as:

“The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value”.

This is not particularly useful.

It’s not about managing risk; it’s about managing the achievement of objectives.

While this is true, the regulators like and sometimes require that an organization define and disclose (to a degree) its risk appetite.

There are times when a risk appetite and reports of whether it is being exceeded are useful.…

…when making a decision that exposes you to a loss (such as when you are considering making a bet), it is essential to know if you can afford [should take the risk of] that loss.

Risk appetite statements are supposed to guide decision-makers, telling them how much the organization is willing to put ‘at risk’.

  • Limits on risk-taking are set and approved by top management and the board. More than one limit is generally required as there are multiple sources of risk and it usually doesn’t make sense to try to aggregate them. For example, how do you aggregate safety and credit risks?
  • Decision-makers are to stay within those limits.
  • Monitoring is in place to ensure the limits are not exceeded.
  • On a periodic basis, compliance with the limits is reported to top management and the board.

But the amount of loss you are willing to expose yourself to will vary depending on the potential for gain or value. So the COSO definition, which is used broadly by regulators, is not particularly useful.

The term doesn’t really make sense when you are talking about compliance or safety risk. No reputable organization will say anything other than they have no tolerance for any compliance violation or safety incident. But the only way to eliminate these risks is to exit the business.

In real life, there is a limit to the resources an organization is willing to commit to avoiding compliance or safety problems.

The concept is most useful when we are talking about a financial portfolio, such as those held by banks, insurance companies, and other financial institutions.

I then quoted the risk appetite statements from Deutsche Bank and the Reserve Bank of Australia. The latter disclosed (again with my highlights):

The Bank faces a broad range of risks reflecting its responsibilities as a central bank. These risks include those resulting from its responsibilities in the areas of monetary, financial stability and payments system policy, as well as its day-to-day operational activities.

The risks arising from the Bank’s policy responsibilities can be significant. These risks are managed through detailed processes that emphasise the importance of integrity, intelligent inquiry, maintaining high quality staff, and public accountability.

The Bank is also exposed to some significant financial risks, largely due to it holding Australia’s foreign exchange reserves. It accepts that the balance sheet risks are large, and manages these risks carefully, but not at the expense of its policy responsibilities.

In terms of operational issues, the Bank has a low appetite for risk. The Bank makes resources available to control operational risks to acceptable levels. The Bank recognises that it is not possible or necessarily desirable to eliminate some of the risks inherent in its activities. Acceptance of some risk is often necessary to foster innovation and efficiencies within business practices.

….

The Bank aspires to be among the world’s leading central banks, measured by the quality and effectiveness of its operations. This requires ongoing development and innovation in its operations through strategic initiatives which often carry significant risk. The Bank has a low appetite for threats to the effective and efficient delivery of these initiatives. It recognises that the actual or perceived inability to deliver strategic initiatives could have a significant impact on its ability to achieve its objectives as well as its reputation.

….

The Bank holds domestic and foreign currency-denominated financial instruments to support its operations in financial markets in pursuit of its policy objectives. These instruments account for the majority of the Bank’s assets and expose the balance sheet to a number of financial risks, of which the largest is exchange rate risk. The Bank does not aim to eliminate this risk as this would significantly impair its ability to achieve its policy objectives. Instead, the risks are managed to an acceptable level through a framework of controls. The Bank acknowledges that there will be circumstances where the risks carried on its balance sheet will have a material impact on its financial accounts. The Bank regards it as desirable to hold sufficient reserves to absorb potential losses.

The Bank has a very low appetite for credit risk. The Bank manages this risk carefully by applying a strict set of criteria to investments, confining its dealings to institutions of high creditworthiness and ensuring that exposures to counterparties are appropriately secured, wherever feasible.

….

Information Technology (IT) risks cover both daily operations and ongoing enhancements to the Bank’s IT systems. These include:

  • Technology Service Availability – Prolonged outage of a core RBA system: The Bank has a very low appetite for risks to the availability of systems which support its critical business functions, including those which relate to inter-bank settlements, banking operations and financial markets operations. Service availability requirements have been identified and agreed with each business area.
  • Security – Cyber-attack on RBA systems or networks: The Bank has a very low appetite for damage to Bank assets from threats arising from malicious attacks. To address this risk, the Bank aims for strong internal processes and the development of robust technology controls.
  • Technology Change Management: The implementation of new technologies creates new opportunities, but also new risks. The Bank has a low appetite for IT system-related incidents which are generated by poor change management practices.

I commented, saying that this risk appetite statement may check the box but has little if any value when it comes to guiding decision-making:

Describing your risk appetite as “low” sounds good but has no practical meaning.

What is “low” and how would you know whether your actual level of risk is “low”?

How would you know whether you are taking more risk than advisable?

In practice, organizations need to set and describe their risk appetite in meaningful terms.

The risk appetite statement has to guide decision-makers, helping them understand whether they are taking more risk than they can afford to take.

In practice, smart executives make investment decisions based on a careful weighing of the potential for both gains and losses, with a minimum expected return – but within limits.

  • The board and top management should determine which areas of risk they want to monitor against limits.
  • They should establish metrics that provide useful and actionable information about whether people are taking the desired level of the right risks.
  • They should ensure, if at all possible, that decision-makers can be guided to stay within those limits.

In practice, the last of these three bullets is hard to achieve. The relevance of an enterprise objective and risk limit may be difficult for a middle manager to understand and apply in decision-making.

Only when you understand how your actions affect the achievement of enterprise objectives can you understand the consequences of those actions. Only then can you know, hopefully with guidance from the senior management team, whether the risk to enterprise objectives you are taking is acceptable.

MY CURRENT THINKING

Let me see if I can say this simply and concisely.

  1. The board and management should be focused on achieving enterprise objectives, managing the business for success.
  2. That requires taking risks, sometimes taking more rather than less (downside) risk.
  3. Managing a list of risks out of the context of the potential reward and achievement of enterprise objectives may avoid losses in the short term but will almost certainly limit or even eliminate the potential for success over both the long and the short term.
  4. The key is to take the right levels of the right risks given current and anticipated circumstances (which change dynamically) and balancing risk and reward.
  5. Those risks are taken through decision-making, which must be informed (seeing the big picture and understanding what might happen) and intelligent.
  6. We live in a dynamic world (repeating part of #4), and a risk may be right to take today but not tomorrow or next week. Conditions are changing rapidly, and management must be agile in its decision-making. For example, conditions in Baltimore harbor change the level of supply chain risk for organizations planning to move goods by sea into or out of Maryland. The availability of liquid funds and cash flow can change significantly and dynamically from month to month, even day to day, affecting management’s ability to take risks such as granting longer payment terms to customers, making a large purchase of raw materials, or making an investment in a new system or acquisition.
  7. A risk appetite statement is static and not dynamic.
  8. There is no single amount of risk. It makes no sense to aggregate disparate sources of risk to enterprise objectives and come up with a single “amount of risk”.
  9. However, it does make sense to determine the likelihood of achieving each enterprise objective and determining whether those likelihoods are acceptable. This is my preferred and practical way of thinking about ‘appetite’.
  10. Decision-makers need guidance to ensure they are taking an acceptable or even desirable level of risk to enterprise objectives, commensurate with management and board direction.
  11. That guidance is NOT conveyed by a single ‘amount of risk’ (the risk appetite) or a single risk appetite statement. It is conveyed through more detailed:
    1. Policies and procedures in multiple business processes.
    2. Spending limits.
    3. Credit and other limits.
    4. Management and board supervision and review.
    5. Risk-taking limits where defined types or levels of risks must be escalated to more senior management.
    6. …and more.

“Do we have a risk appetite statement, and does it meet regulatory requirements?” may be a good question to ensure we check the box.

“Do we have practical and effective guidance for management and board decision-making so that we are assured that the right risks are being taken to achieve enterprise objectives?” is a far better question.

Another is “How do we know people are making informed and intelligent decisions, understanding the big picture, and taking the right risks for success – achieving enterprise objectives?”

Finally, “Do we have an acceptable likelihood of achieving enterprise objectives? If not, what are we doing about it?”

If I had to develop and disclose a risk appetite statement, it would explain that we take risks to achieve our enterprise objectives, but do so prudently through relevant guidance, policies, and procedures; we balance risk and reward; and the board exercises oversight of decision-making and risk management in general, including obtaining formal assessments from top management on both. I would have a document for discussion by the board and executive management that lists at least the more significant sources of risk and controls. But my main focus is always on understanding whether there is an acceptable likelihood of achieving (or exceeding) enterprise objectives.

Check the box but run the organization for success.

I welcome your thoughts.

Do you have a risk appetite statement that changes daily tactical as well as strategic decision-making?

  1. Anonymous
    March 28, 2024 at 8:37 AM

    Norman: Great post. Thanks for sharing.

  2. Anonymous
    March 28, 2024 at 9:19 AM

    Well said Norman. I’ve always thought the concept of “risk appetite” and especially a “risk appetite statement” to be terribly flawed. Even if we could define a number–such as we shall not place more than 5-percent of our organization’s revenue in a position to be lost–the calculations that go into the “potential loss” number are highly subjective and influenced by multiple biases and other psychological aspects of risk perception. The best result I have seen from risk appetite exercises is the discussion that takes place, where risks are explicitly addressed and acknowledged. But this discussion should be taking place with any business decision or in any planning session. And acknowledge that what is today is likely to be different tomorrow, so risk appetite discussions are not “one and done”, but rather a living and ongoing part of running a business.

  3. Anonymous
    March 28, 2024 at 11:44 AM

    Good article on risk management and application to a Central Bank where there are some unique challenges because of linkages to many parts of the economy. Monetary policy stability may be the main objective with little tolerance of risk to achieving that. But it’s linked to inflation rates, interest rates, unemployment and fiscal policy not under the Central Bank’s control. The likelihood of achieving monetary policy stability is probably enhanced by not being too concerned with those linkages with the broader economy. Just focus on monetary stability.

  4. Anonymous
    March 29, 2024 at 1:27 AM

    You ask, ‘do you have a risk appetite statement that changes daily tactical as well as strategic decision-making?’

    When working in the UK public sector, and after reading your posts on risk management for a number of years, I tried to incorporate a number of your philosophies into a risk management strategy. This included a statement that risk applies equally to the opportunities for taking risks as it does to avoiding risks or reducing losses.

    The RM strategy also included a risk appetite statement – ‘… the Board shall determine the Authority’s risk appetite … the risk appetite varies according to the activity undertaken. The Authority wish to minimise exposure to reputation, compliance and health and safety risk, whilst accepting and encouraging increasing risk in other areas in pursuit of [its] objectives…’.

    As you’ve put forward for many years, there was no single RA statement, but seven different statements, covering different business objectives of the time.

    Whilst being far from perfect, the RA statements tried to provide guidance to service managers on the amount of risk that would be accepted. For example, the Compliance & Regulation RA statement was as follows. ‘The Authority places great importance on compliance, regulation and public protection and has no appetite for any breaches in statute, regulation, professional standards, ethics or any act that facilitates bribery or fraud. It has a low risk appetite in these areas’.

    The challenge wasn’t in writing the individual RA statements or getting the Board to approve them, rather getting Managers to understand the change in concept – accepting some risk was necessary and after being properly discussed and considered, would be accepted.

    Sadly, this approach was ditched recently. In pursuing objectives, RA is now exceeded when the residual risk is greater than a number on the risk scoring matrix.

    • Norman Marks
      March 29, 2024 at 7:08 AM

      Thank you for sharing

    • Anonymous
      March 29, 2024 at 4:10 PM

      Very true, Norman. When you pursue a particular strategy or objective, attached to that is a level of uncertainty in the many ranges of outcomes that occur, so risk is built into the decision and actions. The flawed concept that you can separate the two and somehow define a risk appetite independent of the objectives is just thinking backwards. I have an audit committee that is obsessed with risk appetite tolerance and acceptance thinking out there. I tried my best to explain to them the flaws and impacts of pursuing such flawed approaches and that it can be potentially dangerous to naively try to act on these principles. Not very successfully, unfortunately, leading to siloed and some poor decisions at times. I welcome any thoughts on how to correct their misguided thinking.

  5. Anonymous
    April 1, 2024 at 11:27 PM

    Thanks for this, Norman. Would it therefore be more appropriate to report on ‘likelihood of achieving objectives’ or ‘confidence level that the objectives will be achieved’? The Board could then assess whether the size of the bet associated with pursuit of objectives was appropriate. We would not then be reporting on individual risk exposures, but rather on the impact of the risk (and opportunity) population on achievement of objectives, i.e. risk data would be an input rather than an end in itself.

    • Norman Marks
      April 2, 2024 at 6:18 AM

      I don’t think it is internal audit’s role to provide financial or operational status and outlook reports. That is a management role, and they include reports on the likelihood of achieving objectives.

      However, internal audit should report issues and concerns in terms of how they are likely to affect the achievement of objectives.

      Sometimes, the situation is so severe that the CAE can report that achievement of one or more objectives is very unlikely, and explain why.

      But most of the time, quantifying in percentage terms the potential effect of just the control weaknesses identified in an audit is going too far. I would prefer the CAE to work with management on that.