Risk appetite as a mechanism for balancing risk and return - Coggle Diagram
Exposure to risk can create the potential for positive as well as negative outcomes
Strategic-level risks, such as developing a new product or service, increasing output, implementing a new IT system or merging with another organisation, come with the potential for both profit and loss
Financial risks, such as market and credit risk, also have the potential for upsides and downsides
Even where risks only have a downside, as in the case of health and safety compliance or environmental risks, it is rarely possible to eliminate these risks completely. This may be because the cost would be too high or because, whatever the expenditure on control, a degree of residual risk will remain as long as a particular activity or process remains in operation
Because exposure to risk may have positive and negative outcomes, and because it is rarely practical to eliminate risk, an organisation should decide what risks to take and the level of risk exposure that is optimal. By determining and communicating its appetite for risk, an organisation can ensure that risk and return are balanced in a logical and consistent way and that downside risks are controlled in a cost-effective way
Defining risk appetite
There are many definitions of risk appetite within standards, regulations, documents from professional associations and academic research. Most fall into two perspectives
Definitions that define risk appetite in terms of the level of risk exposure that an organisation is prepared to accept
Definitions that define risk appetite in terms of an organisation's willingness to take a defined level of risk in the pursuit of its strategic objectives
Definitions that focus on the acceptability of risk tend to focus on downside risks that may only result in losses. As it is impossible to eliminate risk completely, a degree of risk exposure must be accepted, and an organisation's appetite for risk denotes the level of risk exposure that it is prepared to accept
Definitions that talk about willingness to take risks recognise that exposure to risk can be good, as it can lead to positive outcomes. In this context, an organisation must determine the risks that yield the highest possible outcomes, while remembering that with the potential for large positive outcomes comes the potential for large negative ones
An organisation must decide the level of risk exposure that provides an optimal balance between the upsides and downsides of risk taking. Most organisations can only achieve their objectives if they take risks.
Without risk there would be no opportunities to exploit, no products and services and no returns to earn
The role of risk appetite
Support risk management decisions
Act as a benchmark for risk management decisions - this helps to determine whether a given level of risk is 'within appetite'
Risk appetite can be used to identify
The risk events that an organisation should reduce its exposure to, because the exposure to downside losses is too high
The risk events that need relatively little attention because exposure is 'on appetite'
The risk events that an organisation should increase its exposure to because opportunities may otherwise be missed
By determining its appetite, an organisation can allocate its limited risk management resources more efficiently, targeting resources where they are needed the most: to reduce the exposure to risks that are above appetite, or to increase exposure where the level of risk is too low
Determining risk appetite should help to improve buy-in for risk management activities by highlighting the negative consequences of not maintaining appropriate levels of risk exposure
Managers and employees can perceive risk management as a tool that leads to excessive control and conservatism. The concept of risk appetite provides a clear benchmark for risk-reducing and risk-increasing activities, preventing over-control and excessive risk taking
Risk governance and internal control
The concept of risk appetite has an important role to play in maintaining appropriate corporate governance
By expressing, setting and monitoring its appetite for risk, an organisation can constrain management decision making, ensuring that managers do not expose it to an excessive amount of risk or make overly conservative decisions that generate an insufficient return
This should help an organisation to achieve its objectives and satisfy the needs of stakeholders
Within a governance and internal control context, it is common to use risk appetite as a mechanism for limit setting, where limits are set for an organisation's total exposure to risk or for specific categories and types of risk event
Care should be taken when using the concept of risk appetite to set absolute limits for risk exposure. Logically it does not make sense to set absolute limits for risk exposure, since increased levels of risk may be associated with higher levels of return.
It is more logical to set relative limits in terms of the rate of return that may be required for a specific level of risk - this is sometimes known as the risk premium. This risk premium helps to further clarify the balance that an organisation needs to maintain between risk taking and generating a return or delivering a service
Strategic decision making
Determining an organisation's appetite for risk supports strategic decision making and the achievement of its objectives
An organisation without a clear appetite for risk might pass up value-adding opportunities because it does not have a clear understanding of how to balance risk and return
In contrast, another organisation might make strategic decisions that expose it to high levels of risk in order to generate positive returns, but the level of return that is generated may be relatively low
An organisation cannot make effective strategic decisions if it does not have a consistent benchmark to help it weigh up the positive and negative outcomes that might occur as a result of these decisions.
It is not sufficient to assess returns and risk exposure: an organisation must decide whether the level of return is sufficient for the risk taken
Without an understanding of its appetite for risk, an organisation may make inconsistent decisions that expose it to too much or too little risk
By helping to articulate the degree of risk that it is willing to take for the returns that may be generated, risk appetite can be used to ensure that an organisation
Does not enter into investments or activities that expose it to an excessive amount of risk, where the potential for return is too low to compensate for the potential for downside losses
Is not overly conservative: stifling innovation, promoting excessive bureaucracy and passing up investments or activities that should add value
Risk tolerance and capacity
Risk tolerance
The term risk tolerance may be used instead of risk appetite, especially where the focus is on downside risk
More accurately, the concept complements risk appetite and can be used to set risk tolerance limits for specific categories of risk or for metrics such as risk, control or performance indicators
Tolerance limits are best understood in the context of downside risks. An organisation may set tolerance limits for health and safety incidents
Minor incidents may be tolerated but not major incidents
In terms of metrics, tolerance limits may be set for risk, control or performance indicators, including staff turnover rates, staff absence rates, customer complaints, system availability, late audit items or cash flow volatility
Tolerance limits can be linked to the concept of RAG reporting. Any risk or metric that is in the red zone will generally be considered intolerable, with the boundary between amber and red denoting the limit of tolerance - the boundary between green and amber may be used to show the preferred limit of tolerance
Risk capacity
Risk capacity denotes the maximum enterprise-wide level of risk to which an organisation may be exposed
Decisions that increase an organisation's exposure to risk can add up
An organisation may get into trouble if several of these result in unfavourable outcomes at the same time
An organisation may need to take risks to achieve its objectives but if it takes too much risk in aggregate it will risk serious financial distress and ultimately bankruptcy
Risk capacity is usually a function of an organisation's financial strength. Organisations that have significant financial reserves or low levels of debt can normally take more risk
Expressing risk appetite
Metric based expressions of risk appetite
Probability and impact boundaries
Where probability and impact are assessed qualitatively or quantitatively, it is possible to establish risk appetite limits for probability or impact
The boundary between 'in and out' of appetite is set at a combined probability and impact (exposure) score of six or more. Risks with an exposure value that is six or more are out of appetite
Ideally, risks should be controlled when in the amber range to prevent the level of exposure moving to red
Targets, limits and thresholds
The targets, limits and thresholds set by an organisation are a reflection of its appetite for risk
A target is a value or a range of values that an organisation is aiming for; targets are most often set for strategic risks that may have a positive or negative outcome
For example, an organisation may set a profit, surplus, growth or market share target
A limit denotes the maximum or minimum value that an organisation is prepared to accept. Limits are most commonly applied to downside risks, and there is a strong link here with the concept of risk tolerance. Limits may be applied, for example, to customer complaints, unexpected losses or the frequency and severity of health and safety incidents
Thresholds are often linked to the concept of RAG reporting. For a given risk, or a risk, control or performance indicator, an organisation may set a green-amber threshold and an amber-red threshold that denote when the risk or indicator is moving from green to amber and then to red. Thresholds may be used in conjunction with targets and limits
Non metric expressions of risk appetite
Values
Many organisations have statements which explain their values
Values explain what an organisation stands for and believes in
Values are at the core of an organisation's being and underpin its policies and procedures as well as its culture
Examples of values include
To behave honestly, ethically or sustainably
To treat people with fairness, integrity and respect
To put safety first
To put the customer first
To continuously look for ways to improve
Many of an organisation's values will relate to how risks are taken and managed across the organisation; for example, a value such as honesty is relevant in terms of compliance and internal control.
Risk management principles
An organisation may include risk management principles in its risk management policy.
Principles are an important expression of risk appetite; for example, risk-related principles might include
Only taking risks where the benefits from doing so outweigh the costs
Not taking risks that might result in criminal prosecution
Maintaining a specific credit rating
Ensuring that risk management activities maximise stakeholder value
The risk appetite statement
An organisation may draft a formal risk appetite statement. This statement will usually explain
The organisation's values and risk management principles that relate to its risk appetite
Any risks that the organisation has zero appetite for
The stakeholders that the organisation has considered in determining its appetite for risk
How the organisation monitors its risk profile relative to its risk appetite
The measures that the organisation will take where risks exceed appetite
Determining risk appetite
Factors to consider
Legal and regulatory requirements
The risk preferences of key stakeholder groups such as shareholders, customers and employees
The specialist knowledge, skills and experience of the organisation's risk, compliance and governance specialists (highly skilled specialists may be able to help an organisation take risks that have a greater upside potential)
The strength of an organisation's balance sheet which will influence its ability to withstand unexpected losses - high levels of capital resources are especially significant as is the ratio of debt to equity
External factors such as technological change or economic growth
Organisations may decide to increase their appetite for risk in the face of technological change, risking large losses in the hope of exploiting opportunities that may generate big financial gains
Periods of high economic growth may also promote risk taking because of the increased opportunity for profit
The role of the board
An organisation's risk appetite should usually be set by the board of trustees
In some organisations, risk appetite is decided below board level and sent to them for approval - this is not good practice. The board should play an active role in determining an organisation's appetite for risk
When setting an organisation's appetite for risk, the board should consider the factors outlined above
The board is best placed to determine risk appetite because it has a broad organisation-wide view and exists to represent the interests of stakeholders
The board is also often responsible for determining strategy and an organisation's objectives.
The role of the CRO and risk function
Where an organisation has a CRO or risk function, they should help to facilitate the board's role in setting risk appetite
This might include organising a workshop or providing information to help the board make a decision
The CRO or risk function plays a key role in helping an organisation to monitor its risk profile relative to its risk appetite
This can be achieved through the production of risk reports
The CRO or risk function can provide expert risk control advice where an organisation is taking too much or too little risk relative to its risk appetite
Good practice guidance on implementing risk appetite
CRO Forum
A group of insurance company CROs from across Europe
The Forum produces a range of high quality papers on important risk management topics such as risk appetite and risk culture
Some key messages are
There is no single best approach for risk appetite. An organisation needs to implement what is right for it, depending on the needs of its stakeholders and the nature, scale and complexity of its activities
The diverse interests and risk preferences of all stakeholders should be considered
Risk appetite levels should be realistic, meaning not too high or too low relative to the current risk profile. Large changes in risk appetite levels are hard to implement and can be risky if the organisation does not have appropriate controls in place to manage the change in risk exposure
The level of risk appetite should be reviewed at least annually by the board
An organisation's risk appetite should be communicated to all of its decision makers to ensure that they make appropriate and consistent decisions
Quantitative risk limits should be set where possible
Qualitative boundaries should be used where risks cannot be quantified
IRM
Risk appetite should be expressed quantitatively
Risk appetite is not a single fixed concept
Different appetite will be required for different types of risk
Risk appetite is a function of an organisation's financial strength and risk management maturity, meaning the effectiveness of its risk management framework
When setting risk appetite, an organisation must consider its strategic and operational objectives
Risk appetite should be integrated into an organisation's governance and internal control arrangements
COSO risk appetite thought leadership paper
Risk appetite is an essential part of an effective ERM framework
Risk appetite and strategy decisions should be integrated. Organisations must consider their appetite for risk when deciding on their objectives
Decision makers across the organisation need to understand its appetite for risk so they are clear on the risks that are acceptable and those that are not
The board should set an organisation's appetite for risk and monitor the risk profile to ensure that it remains within appetite
Organisations should review their appetite for risk on a regular basis
Culture and risk culture
Effective risk taking and risk management is about more than policies, procedures and processes
It is an organisation's employees - its people - that have to implement and comply with these policies, procedures and processes
If they do not do this effectively, significantly adverse risk events can occur
An organisation's employees are also the ones who make risk-taking and risk-reduction decisions: poor quality decisions may lead to an organisation taking too much or too little risk
People's behaviours and the decisions that they make are influenced by a range of factors, such as their education, work and life experiences or family background, but most of these can be boiled down into one key influence: culture, meaning how they have learned to relate to other people in a social setting
Cultural onion
Macro culture
The country or region where a person grew up
Religious or family influences
Where they were educated and the level of that education
Their professional training and experiences
Organisational culture
Relates to how its employees collectively think, feel, perceive, act and behave
Provides an implicit but powerful co-ordination mechanism for how its employees live and work together
People who resist the cultural norms of an organisation will typically be brought into line very quickly through their interactions with other employees, including line managers and peers
An organisation's culture is a shared phenomenon but it is also a process that is open to influence
All of the people that make up an organisation can influence its culture, especially those in positions of power and influence
In addition, an organisation's past experiences, including the decisions made and the outcomes of those decisions, can have a major influence
Organisations that have been successful in their decision making may be bold, confident and entrepreneurial
Organisations that have experienced some very unsuccessful decisions may be much more reflective and cautious
Organisational cultures are often multi-layered. Three key layers exist
The visible products of the culture, e.g. how people dress, the design and layout of the organisation's premises (individual offices or open plan), the jargon in use, and the design of its policies and procedures (detailed and prescriptive or more flexible and principles-based)
The beliefs and values that are spoken about - a major influence here is the tone that comes from top management; what they say is important to them and the organisation (such as financial success, social values, taking a short or a long term view)
The deeper underlying assumptions - behaviours that are so ingrained that people do not realise that they are exhibiting them
Risk Culture
Risk culture can relate to many different types of behaviour and attitude in relation to risk taking and risk management including
The level of risk taking that is considered to be desirable (high or low)
How different types of risk are perceived and whether they are considered to be high or low or good or bad
The level of risk control that is considered to be desirable (high or low)
Why risk management is perceived to be necessary, such as whether it is seen as value enhancing or simply a box-ticking compliance exercise
Whether or not risk compliance and risk governance are viewed as important activities
The general importance attached to risk management and risk management goals
The level of awareness that an organisation's employees have about the risks to which it is exposed
How employees respond to policies and procedures (whether they are seen as helpful or unnecessary red tape)
Whether risk events are perceived as learning opportunities or an opportunity to blame others
Whether employees are prepared to report risk events and control weaknesses
Risk sub cultures
Most organisations have risk sub cultures that fit under the overall organisational risk culture
These sub cultures may emerge in different countries of operation, business lines, functions, departments, teams or workplaces
Risk sub-cultures are influenced by the broader organisational risk culture but significant deviations can exist.
Consequences of failures
There is no such thing as an ideal or optimal risk culture, however the consequences of having an inappropriate risk culture can be disastrous
Significant problems can arise when a risk culture works against an organisation's risk management framework, associated governance and compliance arrangements
E.g. the LIBOR scandal at Barclays, the VW emissions scandal and the BP Deepwater Horizon case
Assessing, monitoring and controlling risk culture
Difficult because of its subjective nature
Risk culture surveys
Specialist staff surveys designed to assess an organisation's risk culture
Surveys may be built in house by the HR and risk specialists of an organisation, or they may be facilitated by an external consultant
Many consulting organisations offer risk culture assessment tools to their clients
Can help to make more visible the beliefs, values and underlying assumptions that characterise an organisation's risk culture
Organisations can then highlight the positive elements that they may want to strengthen, such as risk awareness or a concern for compliance, along with the elements that may be deemed inappropriate such as unsafe working practices
Time consuming to design and to administer, taking up valuable employee time.
There is no guarantee that a survey will provide an accurate picture of an organisation's risk culture
If incorrect or insufficient questions are asked, or if respondents do not understand the questions, then a false picture of the risk culture may be created
Metrics
Risk culture metrics might include data on policy breaches, the number of overdue internal audit actions, or losses and near misses caused by inappropriate employee behaviour
There is no formal list of risk culture metrics
Organisations that make use of risk culture metrics should decide for themselves which metrics are appropriate
The monitoring of risk culture metrics is common in the financial services sector but less common in other sectors
Controlling risk culture
Simons' levers of control
Belief systems: used to inspire employees and direct the search for new opportunities
Tone and action from the top
Organisational values
Codes of conduct
Boundary systems: used to set limits on risk taking behaviours
Risk appetite
Policies and procedures
Mandates and limits of authority
Diagnostic systems: used to motivate, monitor and reward behaviours and the achievement of organisational outcomes
Employee performance evaluations
Remuneration arrangements
Disciplinary and grievance processes
Interactive systems: used to stimulate organisational learning and the emergence of new ideas and strategies
Training and development
Risk communication and escalation process
Lessons learned - evaluations of successes and failures