Good risk management does not imply avoiding all risks at all costs. It means making informed choices regarding the risks the company wants to take in pursuit of its objectives and the measures to mitigate those risks.
Designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span. Your bridge will be too long or too short, too high or too low, and certainly not the best solution to cross the river in question.
Best-in-class companies do not discuss and design their risk management as an isolated add-on process, but as an integral part of their strategy design and execution. New strategic initiatives may open enticing opportunities, but the expected rewards have to be balanced against the related risks.
To integrate the risk dimension fully in its strategy design, a company needs to know how much risk it is willing to take and how it wants to balance risks and opportunities. Defining this risk appetite is an essential element of a company's enterprise risk management (ERM).
Understanding an organization's capacity for risk
When deciding on its risk appetite for each category of risk, the board of directors should consider the risk capacity of the company. This includes the amount and type of risk an organization is able to support in pursuit of its business objectives, taking into account its capital structure and access to financial markets, as well as its “non-financial equity” (e.g., the flexibility and loyalty of its workforce).
If a company decides on a strategy and related risk appetite that sits uncomfortably with its financial risk capacity, it can decide to increase that capacity. In this way, the risk appetite of an organization establishes a direct link between its strategy and performance management, its risk management and its capital structure.
A well-defined risk appetite forces a company to include the risk factor in any major strategic or tactical decision: is this course of action compatible with our risk appetite?
Defining the risk appetite
Defining risk appetite is a task for the board and top management, as it is intimately linked to defining the overall strategy of a company. The board's composition should include members who are familiar with risk management and with concepts such as risk appetite.
Discussions on risk appetite will usually include a variety of topics such as:
- Solvency, liquidity, earnings and earnings volatility
- Credit rating
- Reputation and brand
- Expansion into new products, customer groups or countries
- Supply chain management
- Environmental impact
- Corporate governance and compliance
- Human resources
In this balancing act, the board should take into account the expectations of shareholders, regulators and other stakeholders. The risk appetite should also be consistent with the culture of the company and with the capacity of the organization to manage risks inherent in its business activities.
It can be useful to look at reactions inside and outside the company to recent risk events to determine the true appetite. It may also be appropriate to test the risk appetite among the board and executive management through scenario games of possible risk events.
Qualitative and quantitative risk elements
A good description of a company's risk appetite will have qualitative as well as quantitative elements. On various issues, it may include definitions of what is acceptable and what is not.
Once the organization's overall risk appetite has been clearly defined, the board and executive management should communicate it broadly throughout the organization to ensure all actions of the company are in line with the risk appetite. At the same time, executive management should operationalize the risk appetite in various steps and for all relevant risks and business units.
The risk pyramid
Again, this top-down process is similar to the one normally followed in performance management. Risk appetite regarding the company's strategic goals should be divided into the following elements:
- Risk tolerance for specific categories of risk, including strategic, operational, financial and compliance risks. More operational than risk appetite, risk tolerance expresses the specific maximum risk that an organization is willing to take regarding each relevant risk (sub-)category, often in quantitative terms.
- A risk target is the optimal level of risk that an organization wants to take in pursuit of a specific business goal. Setting the risk target should be based on the desired return, on the risks implicit in trying to achieve those returns and on a company's capability of managing those risks.
- A risk limit sets thresholds for monitoring that actual risk exposure does not deviate too much from the desired optimum. Breaching risk limits will typically act as a trigger for corrective action at the process level.
Breaching a risk tolerance level should serve as a red alert for management – the risk position must be reduced. Breaching a risk limit, however, acts more like a yellow warning light. Action is required unless there are good reasons to maintain the current risk level.
This flexibility in reacting to the breach of a risk limit is the consequence of a simple fact: risks change continuously. As such, a definition of risk appetite cannot be a one-off exercise. Risk appetite, tolerance, targets and limits are not static. They must be updated with changes in a company's environment (economy, markets, regulations, technology, etc.), strategy and performance.