Enterprise Compliance Today

Why is it so hard to integrate risk appetite in an organisation?

Posted by Greg Carroll on Thu, Mar 19, 2015 @ 12:23 PM

Risk Appetite is such a simple concept that everyone thinks they know but invariably misunderstand. COSO and other regulatory requirements for boards to issue a Risk Appetite Statement has led to a belief a business has an overarching level of risk tolerance. Personally I don’t believe these Risk Appetite Statements add any value but regulators are regulators.

 

ThinIce1

Any form of business improvement or development strategy will involve doing something different from your competitors, and therefore taking a risk.

paperbackfront

FastTrack Risk Management Data Sheet
How Fast Track provides risk management integrated as part of the day-to-day operational management method of work and decision making.

This week I thought I'd share the contents of a talk I prepared earlier this year on this subject.  Although a well overdone topic, I believe it still to be a major issue.

First things first – some definitions:

  • Risk culture:       behaviour of individuals within an organization in which they identify, understand, discuss and act on the risk the organization confronts and takes.
  • Risk appetite:    the total exposed amount that an organization is prepared to undertake on the basis of risk-return trade-offs for expected outcomes.
  • Risk tolerance:  the amount of uncertainty an organization is prepared to accept within any particular circumstance.

Such definitions are in terms of default probability or capital coverage to extreme events, whereas other nonfinancial industries may have more simplified definitions in terms of loss of market share, earnings or share price.

Indexes such as Enterprise Shock Resistance (ESR) to report on aggregated risk may look good in historical reporting but are not helpful in day to day decision making.   So let me quickly look at some of my key principles relating to Risk Appetite.

 

Why is it so hard to integrate risk appetite throughout the organisation?

  •          Fact 1 - You don’t have one Risk Appetite
  •          Fact 2 - Has to match Operational Culture
  •          Fact 3 - Risk Appetite NOT Risk Anorexia
  •          Fact 4 - Appetite depends on awareness
  •          Fact 5 - Risk Appetite = Opportunity

 

Fact 1 - You don’t have one Risk Appetite

I have covered this previously (/blog/bid/398561/Axe-archaic-attitudes-on-Risk-Appetite) so I won’t rehash again other than to reiterate that Risk Appetite:

  •          Varies by Dept
  •          Varies by Risk Type
  •          Varies by Market
  •          Varies by Time
  •          Varies by Seniority

This is the first reason for the difficulty in integrating the concept within the organisation.  Tackling from this premise supports the next principle below.

 

Fact 2 - Has to match Operational Culture

  •          Not enough staff will ignore the system or leave
  •          Too much a “rogue trader” culture will develop
  •          Need to understand and match
  •          Needs to match Market perception

Risk Appetite must be supported by the organisational capability, in simple terms it must be able to provide what it sells.  Setting targets that you don’t have the capacity to achieve is obviously bad management.  But so it is with Risk Appetite.  If your Risk Culture doesn’t have the capacity to achieve your Risk Appetite you need to invest in upgrading that capacity. Over Production tends to result in loss of quality and care, which in turn will bite you in the butt.  As with production, the desired risk appetite must match the risk culture's capability to implement it.  And as with production, if it doesn’t, it’s yours to change.

Risk Appetite is a reputational resource.  Too much and financiers & investor with desert you, too little and you will lose market influence.  In fact leaning toward the higher side gives you market leadership, with all its rewards.

 

Fact 3 - Risk Appetite NOT Risk Anorexia

  •          Beware Risk Adverse Manager
  •          Elite sportsmen have body masses greater than average
  •          Avoidance of acceptable risks and underperformance

This is the worst misconception on Risk Appetite and can cause of irreparable damage to some organisations.  Risk Appetite is NOT about avoiding risk, it’s about having a healthy attitude towards it.  Beware Risk Adverse Manager, naysayers can always point to why things can’t work and how it is someone else’s fault it didn’t.  Risk like diet needs to be balanced to be healthy.  For sports people to be successful at an elite level they need to consume more than the average person.  So it is with business.  Avoidance of acceptable risks and underperformance is as dangerous as the “rogue trader”. In these volatile times both will kill your business.

 

Fact 4 - Appetite depends on awareness

  •          Ignorance = fear
  •          risk-return trade-offs
  •          We accept flying
  •          The secret is EDUCATION

If the overall framework cannot be disaggregated in a way that individual business units can readily assess whether decisions are in line with the framework, then this can also pose implementation issues. The secret is EDUCATION.  People do not have an innate sense of what is acceptable in a complex and fluid environment.

 

Fact 5 - Risk Appetite = Opportunity

  •          Perceived Risk Appetite trails Actual
  •          Business development requires taking risks

In a KPMG research report on operational management, they found regularly that parties assessed their own risk appetite to be more risk averse than they have been in practice, once compared to historical events. This means that the risk appetite they profess is far more conservative than the risk profile that the organisation runs by, often successfully.

Any form of business improvement or development strategy will involve doing something different from your competitors, and therefore taking a risk. Doing it better, faster or cheaper exposes risks of cost overruns, incorrect market targeting, and reduction in quality. Not taking those risks, in today’s agile business environment, is a sure path to business failure.

 

Take away - Increase your Risk Appetite

  •          Appetite = Risk
  •          Risk = Objectives
  •          Appetite = Objectives
  •          Increase Appetite = Increase Objectives

So if you don’t accept your current Risk Appetites to be correct how do you ascertain what they should be?  As with most management systems your need a Framework and it has to start with Context.  As we are talking Risk your context has to be centred around your Strategic and Corporate Objectives.  These you should already have quantified from your ERM.

To establishing the Risk Appetite Context:

  •          Establish a Risk Appetite Framework (RAF)
  •          Categorise by Strategic & Corporate Objectives
  •          Quantify Risk (use Scenarios)
  •          Understand Intent
  •          Risk Appetite = commitment

 

The obvious first step is to place Risk Limits around your objectives but before you do you really have to come to grips with their intent.  This is where most implementations of Risk Appetite fall down.  The true purpose of Risk Appetite is to gain the commitment needed to ACHIEVE those goals. Remember, people who don’t make mistakes don’t make anything.

Also see previous articles:

The “Risk Culture” Myth

Risk Culture vs Organizational Culture – Hitler Diaries Case Study

Resources

paperbackfront  reduce non-compliance  reduce compliance costs
Free Excerpt: Mastering 21st Century Enterprise Risk Management
Guide to selecting & implementing Enterprise Risk Management
Webinar Videos
See recorded webinar on the Mastering 21st century Enterprise Risk Management
FastTrack Risk Management Data Sheet
How Fast Track provides risk management integrated as part of the day-to-day operational management method of work and decision making.

Tags: corporate governance, risk management, risk culture, decision making, risk tolerance