eBusiness Weekly
Elgin Chetsanga
Risk Appetite is a powerful concept that sits at the centre of good risk management. Poorly implemented risk appetite frameworks were partially to blame for the 2008 financial crisis and this led to renewed focus on this concept.
Risk appetite entered mainstream in the early 2000s and was adopted by both the finance and non-finance sectors.
Nowadays, risk appetite is often a key interest area for regulators, boards, management consultants among other numerous stakeholders, though some confusion, frustration and sometimes reluctance still surrounds its adoption.
While the concept of risk appetite appears simple, it needs to be properly developed and embedded for organisations to reap its benefits.
Like corporate culture, every organisation also has an overarching risk appetite which it functions under. This risk appetite should be at minimum well defined and documented. Worryingly, this is often not the case in many organisations.
The true dangers of an undefined risk appetite may not be apparent until it’s too late and the consequences are now dire.
Management actions and decisions, if unguided by a documented risk appetite framework, might prove to be inconsistent with the organisations vision, mission and strategy.
An undocumented risk appetite is usually unintentionally shaped by past decisions, attitudes of leaders and other factors which signalled to the rest of the staff the organisations attitude towards risk taking.
This is because an undocumented risk appetite leaves a vacuum, leading to management taking unnecessary risks.
Management may also avoid risks which the organisation has appetite for and unknowingly leave value on the table. A well-documented risk appetite becomes an imperative.
To document an organisation’s risk appetite, it is important to start at the core, that is at its definition. COSO, a leading authority in risk management defines risk appetite as ‘the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value’.
COSO adds that each organisation pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so. Simply put, the risk appetite is answering the question How much risk is acceptable in pursuing these objectives?
The COSO definition of risk appetite is a strong and well-respected starting point. However, from this definition alone it is easy to surmise that risk appetite is all about setting hard boundaries, which should never be crossed.
Setting risk appetite is more than just that. We do not know what opportunities will present themselves in the future and where our appetite or boundaries lie relatively. It is thus important to understand the concept of risk appetite beyond its definition only.
The concept of risk appetite is not meant to be a handicap for the business. Risk appetite should be utilised as a common view on where the current boundaries are, and what needs to be done when it becomes necessary to cross those boundaries.
Risk appetite thus provides a tool for management and boards to interrogate opportunities when they arise and weigh possible alternatives before deciding.
For example, a company that has identified an opportunity outside its current appetite will need to pause and assess both the opportunity and appetite to see if and how it can pursue it.
Getting risk appetite right can be delicate, especially in today’s fast-paced and ever-changing business atmosphere. Risk appetite should not be remote from strategy setting. In fact, the mission and vision set out the initial views on how the organisation will create value.
Mission and vision guide broadly the decisions on where the organisation may, and may not, venture. Risk appetite needs to be informed by vision and mission. Risk appetite helps an organisation know when decisions are diverting efforts away from the mission and vision.
Ideally, risk appetite and strategy are formulated at the same time, they enhance each other to find the optimal risk/return trade off.
Management should never set strategy without evaluating risk. Managers are usually drawn to the opportunities with the highest return, regardless of the risk. Relating risk appetite and strategy makes is clear the level of risk associated with a particular strategy.
It also enables discussions of whether alternative strategies would present more upside, given the organisation’s risk appetite.
Linking risk appetite and strategy has the potential to minimise conflicts and contradictions which may invalidate the risk appetite itself.
An equally important part of the embedding the risk appetite successfully is communicating it effectively. This can be done through expressing overall risk appetite using broad statements or expressing risk appetite for each major class of organisational objectives, or expressing risk appetite for different categories of risk, which is one of the most common approaches.
Risk appetite should not be set once and then left alone. Monitoring the risk appetite is the last and probably most important step. Most risk appetite frameworks die at this monitoring stage.
The board and management needs to revisit and reinforce the risk appetite in relation to how the organisation operates, especially if the entity’s business model changes.
It becomes clear that setting and reviewing risk appetite is not a one-time or static exercise. Risk appetite frameworks require ongoing dialogue, monitoring and adjustment to reflect the changing internal and external environment.
In summary, developing and effectively implementing a risk appetite framework leads to improved decision-making by triggering an appraisal of the risk-return scale and better alignment with objectives through aligning risk-taking with strategy.
When risk appetite is undefined, there is threat to the operations in the form of unconsidered risk-taking behaviour. An organisation without a centrally defined risk appetite is essentially relegating the task to everyone down the chain.
Elgin Chetsanga is a head of risk and compliance at local Insurance company. He writes in his personal capacity. Elgin can be reached on [email protected]
