BDO Senior Manager Francisco Basdekis underscores the importance of understanding potential threats in organisations, for management to create and protect enterprise value.
CORPORATE GOVERNANCE is an ongoing process between management and the board to simultaneously create and protect enterprise value.
To strike the appropriate balance between creating and protecting value, management and the board consider an overall risk profile in order to develop expectations that are established by the “risk appetite” of the organisation.
Risk appetite is simply the formalisation of basic business principles such as making risk-taking explicit, making decisions based on risk-reward tradeoffs, understanding potential outcomes of different decisions, and deciding whether the organisation is comfortable with the risk associated with different decisions.
It can be defined as the acceptable parameters for risk-taking opportunities that are consistent throughout the organisation and reflect a mutual understanding between management and the board of their willingness to allow risk exposure in pursuit of core strategic objectives.
Conversely, managers see risk appetite as an impractical, one-time assessment that limits them when making decisions. We can conclude that even companies that adopt a theoretical notion of risk appetite are still able to articulate the risk appetite of their company based on actions made by management and the board of directors.
Initiating the Dialogue through a Risk Appetite Statement
As management and the board interact and make decisions, they are reflecting (whether knowingly or inadvertently) the overall risk appetite of the company. However, are they consistent in the actions that they take?
The author suggests that to start a conversation about having a clear policy of acceptable risk-taking, the company must align management’s execution of influencing the risk tone of the organisation with the board’s strategic risk decisions. This is best accomplished by developing a risk appetite statement.
The risk appetite statement is an aggregate summary of “assertions” that provides a basis for clarifying both risks the company is actively taking and risks that are purposely avoided. These assertions are observations that initiate a continuous, strategic conversation between management and the board to align risk-taking with core competencies. The risk appetite statement contains three key elements:
Risks that are on-strategy (acceptable or within the risk appetite).
Risks that are off-strategy (undesirable risks that are outside of risk appetite).
Defined parameters (strategic, financial, and operating) to provide a framework within which risks are agreeably undertaken.
These three elements are used to develop a risk appetite statement that should be framed around the organisation’s business model. The authors proffer suggestions in framing the risk appetite statement in this context.
The Relationship between Risk Appetite and Risk Tolerance
Often, risk appetite is used interchangeably with risk tolerance. Although related and similar, risk tolerance differs from appetite in one fundamental way. Risk tolerances are a more specific subset of the risk appetite and dissect the assertions that make up the risk appetite statement.
Whereas risk appetite is considered in the context of strategic planning and objectives, risk tolerance is considered in developing tactical objectives. That is, it addresses how much deviance from a specific objective the company is willing to allow.
The Effect of Risk Appetite on Governance
Risks receive more attention when a company is struggling to meet targets or performance objectives, but are potentially overlooked during periods of accelerated profits. Conceptually, this is proof that risk appetite is strategically long-term and dynamic rather than a single determination that is rarely assessed.
Once a risk appetite statement has been implemented into the corporate culture, and management and the board of directors have developed a relationship of continuous conversation about existing and potential risks, the company then has the discipline to address high-level risks even when exceeding investor expectations. The volatility in the current competitive environment demands such discipline.
As circumstances and opportunities change in the business environment, the company’s board and management should consider adapting the risk appetite to reflect those changes. However, any adaptations should be mutually agreed upon and substantial enough to warrant altering the risk appetite statement.
A company that continuously changes parameters within its risk appetite conveys instability, lack of consistency, and short-term focus to the board and investors.
Effectively Communicating Risk Appetite Using the Risk Appetite Statement
The importance of constant communication between the board of directors and management has already been discussed. This top-down approach to communication should continue throughout the organisation. Here we present challenges with continuous, effective communication on an entity-wide basis.
Management influences the tone of risk-taking through its actions, but how often does it explicitly communicate the company’s risk philosophy, and to what degree?
How quickly are lower-level managers and employees informed of changes in the risk appetite statement and overall risk profile?
These are critical questions for top-level executives to consider. Communication channels should be opened and easily implemented so that all levels of the company are up to date on risk management issues. Lower-level employees tend to focus on specific limits defined in risk tolerance as opposed to the high-level strategic objectives and how they are aligned with risk-taking.
Maintaining the Risk Appetite Statement to Monitor Risk Profile Expectations
We further proceed to discuss the governance process. It is a process that creates value through strategy setting and protects value through a risk assessment process. Developing a risk appetite falls within the scope of the risk assessment process. The risk appetite statement is a mechanism for enhancing corporate governance by stimulating a conversation between management and the board and should be continuously reassessed. We outline this iterative process in three steps:
Determine the historical, inherent risk appetite of the company.
Review and revise the risk appetite statement.
Finalise the risk appetite statement and review/modify tolerances to ensure they are consistent with risk appetite.
Getting Risk Appetite Right
While many companies viewed their risk appetite framework as a safeguard against the type of crisis we are currently in, a lot of these frameworks failed due to design and application problems.
However, the concept of risk appetite is still very sound. To improve risk appetite frameworks, organisations can learn from three key failings highlighted by the crisis.
1. Complete Risk Identification Is Needed
Risk management and measurement frameworks often look at risk types in separate silos, but connections between the risk types need to be visible within the organisation. Operational silos between risk types and across business lines need to be broken down.
Steps to break down silos may include risk and business line managers thinking more holistically about issues that could impact their value and redesigning reporting structures to increase information flow throughout the organisation. The scope of the appetite-setting exercise should be expanded to consider how reliant the organisation wants to be on different funding sources.
Also, there should be an acceptance that risks will not always be measured perfectly but that stress tests and scenario analysis can help gauge an organisation’s ability to cope with surprises and new, emerging risks.
2. Risk Information and Management Action Must Be Linked
To be useful, risk appetite must shape the risk-taking behaviour of an organisation. Risk information should be gathered and reported regularly so performance relative to targets can be monitored.
The risk appetite framework should include an early warning system that flags changes to the underlying risk profile and mechanisms to force the risk profile back within desired parameters.
Management needs to understand the sensitivities and monitor the drivers so they have time to react to changes and can encourage more or less risk-taking when needed. Results of sensitivity analyses and scenario analyses need to be taken seriously and contingency plans for these potential situations should be discussed.
Most importantly, linkages between risk appetite and risk-taking behaviour need to be operational so that when the board or management changes risk limits, different risk-taking behaviour occurs throughout the organisation.
3. Boards Should Challenge Management
To effectively fulfil their oversight role, boards need to receive timely and relevant information and they need the relevant expertise to challenge management. Board and risk committee members should have a thorough understanding of the organisation’s businesses and underlying risks in order to have sufficient knowledge to know when to ask questions of the information received.
To effectively challenge management, the mechanisms for questioning need to be revised and upgraded so that scrutiny is more consistent. Another tool the board has for setting risk-taking is compensation because the compensation structure can encourage or discourage excessive risk-taking and help keep risk levels within the organisation’s appetite.
Regardless of whether a company has a risk appetite statement, risk appetite itself is evident in any organisation by observing Management’s and the Board’s decisions to act, or not, upon an opportunity that arises.
An environment that encourages constant communication of risk-taking at all levels and between Management and the Board assures stakeholders that a consistent and clear enterprise risk management approach is being maintained. Additionally, it provides a framework for the organisation to select between strategic alternatives that better align with the risk appetite of the company.
Francisco Basdekis is Senior Manager, Advisory Services, BDO Qatar