
The search for effective risk appetite statements

I have been writing about the tough topic of risk appetite for a long time! Here’s a partial list of my blog posts, which go back to 2010.

Yet, I am still searching for examples of organizations that have done this well – and by that I mean establishing desired levels of risk for the enterprise as a whole that lead to the best business decisions at all levels of the extended enterprise.

Last week, in Chicago, Richard Anderson and I debated this point. He thinks it is being done, but I have significant doubts.

In a few weeks, we will debate this again with a group of practitioners and thought leaders at RiskReimagined London. (Spaces are still available.)

Why am I still searching?

Let me see if I can explain the predicament.

Example 1: we manage a company that grants loans to small businesses across the globe. We set a risk appetite statement that says that we want to take risk that is ‘valued’ at between $100 million and $200 million. It’s a range because if we don’t take enough risk, our profits will suffer. $100 million is the lowest we can go if we are to break even. If we take too much, we may suffer losses that cannot be sustained comfortably and we have defined ‘too much’ risk as $200 million.

We have five offices that grant loans: in Sydney, London, San Francisco, Buenos Aires, and Singapore. In each, five managers approve new loans.

In each of these five offices, a single manager oversees all the loan approvals and can make sure that his office stays between $20 million and $40 million. We have cascaded our enterprise range and set an allocated range of risk for each office. Some call this ‘risk tolerance’, although that is not how COSO describes risk tolerance.

As a result, the company as a whole will stay between $100 million and $200 million.

But while we are ‘safe’, we have not optimized our results.

Our ideal level of risk will typically be nearer $200 million than $100 million.

How likely is it that we will obtain an enterprise level of risk of, say, $180 million?

Even if everybody is communicating often and openly, it is unlikely.

If Buenos Aires can only sell $30 million and London $25 million, then the other three will have to sell a total of $125 million. That is more than the $40 million allocated to each of them.

OK, if one person approves all loans, then it may be possible to get to $180 million. But that level of bureaucracy would slow the company down and make it highly inefficient – damaging customer satisfaction. Remember, customers want quick decisions made locally.

In this example, the risk appetite statement may prevent the company from taking an unacceptably high level of risk, but will it drive optimal performance?

Rather than driving the right decisions and proactively taking the desired level of risk, management can only see total enterprise risk levels after the fact.

Note that I set risk appetite as a range. That is not common. If a low end is not set, will this company survive? Each location could consider it is safe to be much lower than their allocated risk level.

Example 2: this time, our business operates gas stations. We are considering purchasing three more stations. We have set a risk appetite for our total exposure to oil spill cleanup and remediation at $25 million, and our current exposure (based on the stations we already own) is $15 million.

We perform a risk assessment for each of the three potential acquisitions. The level of risk at the first is $5 million, the second is $8 million, and the third is $12 million.

The risk manager decrees that acquiring the third would take us over our risk appetite and we should, instead, focus on the other two.

The problem is that, like most risk managers, he is only considering the downside.

If we look at the potential profit to be earned at each of the three, we find the numbers are: $5 million for the first, $10 million for the second, and $20 million for the third.

Which is the wise decision?

Although the first station is within our risk appetite, an acquisition seems to make little sense from a business point of view.

The second may make sense, but only if the total of all risks relating to the acquisition is not only lower than the potential profit but also leaves an acceptable rate of return on our investment. There are probably other factors that would go into the decision.

While the risk manager wants to eliminate the third based on the risk appetite statement, the potential for reward is huge! Perhaps the risk appetite statement should be increased so we can take advantage of the significant increase in profits. In fact, the increased level of profits might well increase our ability to sustain a loss.

Making decisions based only on the potential for harm is not good business decision-making.

Decisions should be made based on the full picture of all the things that might happen.

The upside possibilities should be identified and evaluated in the same way as the downside; otherwise, how can management know they are making informed and intelligent decisions that will drive the organization to success?

These are just two examples. I am sure you can come up with more.

Or, can you share how risk appetite statements enable informed and intelligent decisions that enable success? I suspect that all they do is prevent harm rather than enable decisions that lead to taking the right level of the right risks.

I welcome your comments.


  1. April 30, 2016 at 4:57 PM

    Excellent article(s) on risk appetite. Agree about the conventional and misplaced focus on downside only. One of the problems is measuring the risk, perhaps more so with non-financial services though even here it’s not always that easy. Then there is the problem of arriving at consensus among decision makers on the optimal level of risk and accountability and ownership of that exposure.

  2. Glenn Daly
    April 30, 2016 at 5:24 PM

    1. You assume people are silly enough to not “change” the appetite when needed. In your book you make the point that even if you document appetite it ain’t fixed and may need to be altered.

    2. What sensible risk guy is going to share their real risk appetite with the entire world. I would be hung, drawn and quartered by my CEO if I did this. It has confidential data in it. Am not sure what statements you are basing your analysis on. The ones in annual reports are normally sanitised to be next to useless, and rightly so.

    3. At the end of the day appetite statements whether they exist formally or informally (eg they are embedded in strategy blueprints) are normally in practice flexing all the time to changed circumstances. I know in my company our updated strategy at the start of the year may have changed by the end of the year due to circumstances.

    4. The point you are making though is a good one to keep in mind. In that when considering whether an action could breach appetite (whether explicitly defined or not) one must also factor in the positive of the proposed action and what that may do to the appetite. Normally when investment proposals are considered the strategy teams of a company highlight this as part of the business case and even may have done a what-if scenario analysis. Those reviewing the proposal can then weigh up whether the proposal should go ahead cognisant of the group’s current circumstances and desired appetite level. As far as I know this is what most reasonably well run companies normally do, or at least try to do! Of course the assumptions they base this analysis on may not necessarily turn out or indeed the final decision may well not be right but at least a process is in place. Rgs

    • Norman Marks
      April 30, 2016 at 6:33 PM

      Glenn, you are right. What I was driving at is the need to make decisions based on all the info, not on some enterprise-level statement that only talks about levels of downside risk.

  3. belogaku
    April 30, 2016 at 8:16 PM

    In the first case above as an example, I presume the risk guy has factored in the upside especially when he proposed the maximum loan growth.

    However, yes, I agree that there is a flaw in viewing the risk appetite from an aggregate perspective as regions may have to abandon new good opportunities that become available after the growth limit has been reached.

  4. Olayimikah
    May 1, 2016 at 8:09 AM

    Risk appetite statements (RAS) are set on a broad level linked to the Company’s overall strategy which has the objective of preserving and enhancing stakeholder value.

    The RAS are not formulated in “isolation” without a methodical consideration/analysis of expected “upsides” and “downsides” from the Company’s strategy and objectives for the period in consideration, and review of “dimension(s)” that is/are critical to the operations of the Company as a going-concern (this varies from one industry to another but an example of a constant for all industries will be the earnings – projected and stressed).

    Remember also that in considering the “upsides” and “downsides” of the Company’s strategy as part of the Business Risk Assessment, management action plans (from brainstorming) would be documented for the SWOT analysis i.e. i. Exploitation of Internal Strengths to take advantage of External Opportunities (S-O) ii. Amelioration of Internal Weaknesses to take advantage of External Opportunities (W-O) iii. Exploitation of Internal Strengths to reduce impact of External Threats (S-T); and iv. Reduction of Internal Weaknesses to avoid External Threats (W-T).

    The action plans should be dynamic and material new upsides/downsides should be reviewed periodically with attendant likely impact on the RAS. Proposed actions following this assessment should be reviewed at executive level and Board where the impact is considered high. This enables proactivity.

    If however the customer facing team are not aware of how risks can shift their performance dial – positively or negatively, it would surely be an uphill task (I’m a proponent that the Company’s risk managers are those transacting i.e. customer facing).

    Once the RAS is determined, its operationalisation will determine its optimal utilisation. What do I mean? Let’s consider your first example.

    The overarching risk appetite statement should drive the expected behaviours when granting loans i.e. taking the right decisions within the desired level of risk, and should prevent the company from taking an unacceptably high level of risk.

    What may have been done differently was to have in place a methodical allocation of the risk appetite to the 5 regions (and not an equal 20% allocation per region as assumed from the example). This methodology will be premised on an earlier analysis of opportunities and risk (market; risk culture; etc) per region (sophisticated software is not required – really).

    Though the total enterprise risk level is seen after the fact, there should be little or no surprises where allocated risk appetites are complied with (this assumes also that a methodology is in place for deviations and re-allocations of risk appetites).

    On your last point for this example, I believe setting a range should be a given and commonplace. This assists in taking right decisions.

    For the second example, the decision to purchase more stations is a strategic decision and this would be considered in formulating the RAS. Every company should have a methodology approved by the Board for making changes to RAS during the period before its slated review. This methodology should incorporate how different scenarios will be managed.

    In summary therefore, I guess it all starts with the “how” of formulating RAS and the different methodologies put in place i.e. allocations; deviations; re-allocations; monitoring; etc.

    • Norman Marks
      May 1, 2016 at 8:45 AM

      It seems to me that you are assuming all decisions are made centrally, whereas in most organizations they are made by mid-level or more junior levels of management.

      What about my argument that while the top level is not exceeded, the ‘right’ level is not achieved?

  5. May 1, 2016 at 9:08 AM

    Norman, I’m a former banker so I’ll focus my comments on your loan example.

    The question as to how much risk a bank accepts when it books a loan is complex. A number of factors will need to be considered including: the quality of the assessment of the borrower’s creditworthiness; whether the loan is secured or unsecured; if secured, the value retention properties of the underlying collateral and the time and effort required to liquidate it in the event of a default; the amount of operational risk triggered on booking the loan and the effectiveness of operating controls and management; whether the loan is bundled with other products such as insurance or swaps or if there are sales incentives linked to the product as these will trigger conduct risk; and the availability of funding (liquidity) and capital and the effectiveness of their management.

    When a bank is deciding whether to approve a loan and wants to test its return relative to risk appetite limits it really needs to know how much risk will be accepted after considering all of the above factors; after all, a bank can have excellent credit risk management but still suffer unexpected losses that can even exceed the amounts lent if there are failures in capital management and/or the management of operational, liquidity and conduct risks.

    Your April 16 blog commented on a survey which reported that only 4% of respondents believed their ERM was ‘fully mature’. Presumably, a similar maturity can be assigned to risk appetite setting and monitoring. It follows that the challenge for risk professionals is to get ERM maturity a lot closer to 100%.

    This is an area of ongoing academic research that promotes new thinking. A new additive risk metric – referred to as a ‘Risk Unit’ or ‘RU’ – is being proposed through which all forms of risk can be expressed. The RU provides simple, comparable and aggregatable measures of exposure to risk that can be used for ERM including the setting and monitoring of risk appetite while satisfying the requirements of BCBS 239. A research working paper available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2726638 describes the method of its calculation starting on page 28 and sample risk reports are provided from page 42. This paper is being published in two parts: part 1 is appearing in the current issue of the Journal of Risk Management in Financial Institutions; part 2 will be published in the next issue.

    • Norman Marks
      May 1, 2016 at 1:10 PM

      Peter, I read your comment as focusing on whether the loan, or aggregate of all loans, is sufficiently secure. It does not address my concern that while you stay safe, you fail to take advantage of opportunities. How do operating management and all those making decisions know when to take a risk; what is the right level of the right risk, given the need to take risk to succeed?

      • May 3, 2016 at 2:29 AM

        Norman… an important criterion for risk-based decisions is that the loan’s risk adjusted return on capital (RAROC) should be greater than the firm’s required rate of return on capital (hurdle rate). In a lending decision the RAROC numerator is typically the loan’s projected income after tax – less the cost of production (activity based costing) – less the cost of funding (funds transfer pricing) – less any allocated overhead – less the expected credit loss, i.e. the statistically derived loss that will be incurred in normal operating conditions. The denominator is the economic capital i.e. the statistically derived amount of capital required to buffer credit losses in order to stay solvent in extreme operating conditions, e.g. a severe recession.

        Our research hypothesis is that a RAROC calculation that uses RUs (the common risk metric referred to above) in place of the modeled outputs will be more precise as RUs represent explicit measurements of all the risks associated with the loan, not just credit risk. This reinforces the method’s potential as the foundation of a true ERM system given that the same RUs are used to support both strategic business decisions and to identify risk mitigation actions. Risk limits can also be set in RUs (risk appetite) and aligned with financial targets and budgets.

        Whereas we’ve focused on lending and banking here, we believe the RU method can be applied to any product in any industry.

        • Norman Marks
          May 3, 2016 at 6:31 AM

          Peter, I can see how this can apply to risks that are financial in nature. How do you apply it for compliance, reputation, cyber, and other risks?

          Further, certain actions or decisions have multiple effects, some of which may be positive while others are negative, some may be cash and others compliance, some may be now and others in the future.

          I didn’t include the latter in my discussion of problems with risk appetite as I have mentioned them in earlier posts.

          How do you address these factors in decision-making?

          • May 4, 2016 at 1:42 AM

            If you take a look at the research working paper at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2726638 , figure 18 on page 48 shows that the largest exposure (inherent risk) is to what we refer to as processing risk (5,748 RUs). This would appear to make sense given that financial firms have evolved into globally interconnected electronic data factories. By applying RUs in ERM systems and RAROC calculations we are considering all the risks associated with the product… not just financial risk. The same method and thinking would apply to products with no financial risk, i.e. it works for both financial and non-financial products.

            You ask about compliance and cyber risks (we should perhaps leave reputation risk for another discussion). If you look at figure 17 on page 43 we have shown all the best practice scoring templates (BPSTs) we apply to banks (two sample BPSTs are shown in figure 11 on page 37). These are used to calculate the Risk Mitigation Index (RMI) and are constructed on industry consensus best practices whereby a primary source are the standards and principles papers issued by regulators. So the RMI can be viewed as a compliance measure.

            Arguably, all the generic BPSTs and some of the technical BPSTs in figure 17 relate to cyber risk; for example, logical access management and business continuity are highly relevant. The respective BPSTs should evolve as the risks evolve. For example, 10 years ago password control was considered best practice logical access management but today it would be biometric login. If a firm hasn’t upgraded its security in 10 years it would have a low RMI for that category and high residual RUs. In any event, we would have cyber risk subject matter experts periodically review and update the BPSTs.

            Actions are summarized in a risk reduction plan; a sample is shown in figure 14 on page 40. The method calculates the risk reduction impact of each action in RUs.

            You’ve asked excellent questions and I’ve answered them as well as I can given where we are with the method’s development. The research working paper referred to above includes test data and represents our best understanding of how risks are currently managed. However, we are looking to initiate a research project in the near future where we intend to develop, test and validate the model including live simulations at banks with greater access to subject matter experts. The research will involve universities we’re associated with (I’m on the research advisory board of one university and a visiting research fellow at another) and possibly others.

  6. Olayimikah
    May 1, 2016 at 9:13 AM

    You are right about my assumption. However, if methodologies with required sign-off levels (materiality requiring higher level(s) of management) are properly documented and the governance is working, the results should be the same irrespective of the level of management “manning” the process. Delegated authorities with limits should be explicitly defined irrespective of the organization model for decision making.

    Can the “right level” be achieved? Yes where there are “no surprises” – which cannot be guaranteed…lol.

    Seriously, achieving the “right level” requires some “homework” before the global risk appetite allocation. To start with, what is the “right” level? 60/70/80% of allocated risk appetite? (here is an example where your range becomes very useful); What is expected (with %probability) in the different markets based on certain pre-defined metrics for the SME industry for example? How often should this performance be reviewed? What are the documented management action plans that should be taken for different scenarios? etc. Risk Governance is key…….

    Risk appetite allocation should not be done in isolation. We shoot ourselves in the foot if we ignore the required scenarios rigour.

    • Norman Marks
      May 1, 2016 at 1:12 PM

      I like the idea of delegating the authority to make risk decisions then following up with periodic reporting to see if it works. That is my impression of the approach at SAP, but there they provide integrated performance and risk reporting on every initiative and strategy to management.

  7. May 1, 2016 at 1:09 PM

    At its root, risk appetite is a matter of personality and this can be measured reliably using the Risk Type Compass. The total personality domain is riddled with themes relating to risk so risk appetite was never going to be the simple linear ‘more or less’ scale that it has been assumed to be. Risk Type reflects this; it captures eight distinctive risk dispositions. Like any other aspects of personality, each of these has its own distinctive advantages and disadvantages. Within a financial advising context, this makes for a rich and informative discussion that is appreciated by the client who actually benefits from that process. It also puts them in a much stronger position to make decisions about potential investments.

    The assessment of risk can never be absolute or truly objective because it is rarely static and because there is no single metric that applies to all risks – measures are, of necessity, either ad hoc or arbitrary. They cannot ‘factor in’ future developments or other unknowns and they always involve personal judgement – even in the efforts of underwriters or actuaries.

    Within risk management in any context, the one thing that you can realistically and usefully establish is the risk disposition of the individual, the team, the board or the organisation as a whole. The regulators, finally, are increasingly coming round to addressing the ‘Human Factor’ and the decision making biases identified by Behavioural Economics and other ‘behavioural risk management’ approaches. Think of Risk Type (or risk appetite) as a deeply rooted bias that influences the perception of risk, the emotional reaction to risk and the willingness to take risks. Other factors will obviously impact on behaviour and, as sentient beings, we also have free will, but nothing is more persistent and pervasive than the influence of Risk Type.

    Geoff Trickey, UK

    • Norman Marks
      May 1, 2016 at 1:14 PM

      Geoff, I hope you and others in Europe will be able to join in the discussion on May 10th.

  8. JenS
    May 1, 2016 at 3:46 PM

    I haven’t read the comments and am only commenting on your article above. I’d love some feedback on our framework if possible?

    I have designed our risk appetite framework for the government department (health) that I work for. The concepts are similar however I have adapted it to suit our requirements. Being health, we have a number of key performance indicators and constraints that we work to, however we also have the appetite for research and innovation.

    Our framework works in two directions:

    1. Top down: We have designed some overarching risk appetite statements to reflect the executive’s appetite for risk – setting tone for the day-to-day decision makers. The real value for us comes from our tolerances (risk appetite measurements). We are setting our tolerance levels around our target KPIs so that we can (for the first time) oversee and manage our emerging risks at the enterprise level (what I mean by that is that in health, clinicians and staff are by nature very good risk managers however usually if something is going to go wrong, we don’t find out about it until it has already gone wrong). We have over 30 different measurements – if our performance in any measurement starts to veer in the “wrong” direction, an emerging risk is highlighted to management giving us advanced warning of a potential issue and providing us with the ability to focus resources that way if required. If a tolerance is breached then a risk event is triggered and the risk is escalated to the executive level.

    2. Bottom Up: Operational Managers must ask whether or not the decision they are about to make is in line with the board’s risk appetite. It reduces bureaucracy (but does not remove it as being government we are still required to have evidence of the decision being made) and adds confidence to all levels of decision making. It does not restrict decisions to only be made within the risk appetite as this would conflict with our appetite for innovation. So if a decision is made outside the risk appetite and tolerance levels, it simply and immediately triggers a risk event which is escalated to management. This means that appropriate resources can be deployed to manage the opportunity giving it the best chance of success.

    I feel that this framework links together our (fairly basic) enterprise risk management systems and processes with the more complex and valuable risk appetite concepts.

    • Olayimikah, France
      May 2, 2016 at 10:26 AM

      Hello Jen,

      Well done for the work done so far on the risk appetite framework. Noticed however from your write-up that escalations to the executive level are only made “after” a breach has occurred. As risk managers it is preferred that appetite, tolerances are not breached in the first instance.

      Going back to Norman’s comment on “ranges”, this is quite helpful when setting tolerances. A suggestion I usually adopt is this: With the goal at the back of our minds that risk appetite must not be breached, a range is set from the “acceptable” to the “unacceptable”. Using the traffic light rating system your range is then segmented into good (green), acceptable (amber), and breach/unacceptable (red).

      In reporting, the green is where you want to be and no escalation is needed. When a metric falls into the amber, management action plans should be obtained on what needs to (and will) be done to get it back to green. This should then be reported to the executive level or executive designated level (for government) as it may become a breach in the near future if the management action plans are not adhered to (or insufficient). Actions to be taken in the event of a breach should also be noted at this point and the ambers are moved to the front burner. This helps us to stay proactive, like has been done for likely emerging risks mentioned above.

      Your second comment reminds me of Norman’s second example. Breaching risk appetite should ideally not be the “norm”……or maybe there is something I’m missing…

      • JenS
        May 2, 2016 at 3:53 PM

        Hi Olayimikah,

        Sorry I must not have made the above clear enough in my haste to get the summary down – we have set our tolerances around (i.e. outside) our KPIs so the trigger does occur well before a breach is expected so that we can spot emerging risks and reduce the likelihood of a breach at all.

        • Olayimikah, France
          May 2, 2016 at 3:57 PM

          …phew…..knew I was missing something…lol.

          Well done Jen.

  9. May 2, 2016 at 3:24 AM

    You ask, ‘can you share how risk appetite statements enable informed and intelligent decisions that enable success?’ There is one area, present in many companies, which has risk appetite levels: credit control departments. Credit control limits aren’t only designed to prevent harm but to take the right level of risks.

    Let me take an example from when I was responsible for a credit control department. We had a customer who provided a substantial amount of business but traded in such a way that we believed they would eventually go bankrupt. So we set a credit control limit at their monthly order level and also managed the risk by requiring them to pay for the previous order before accepting a new one. This approach was approved by management. Thus, when they went bust, after sufficient time for us to cover the risk by business gained, we only lost the equivalent of a month’s sales, at cost. There were no recriminations about the bad debt as management had agreed the controls and risk.

    Credit control departments should have guidelines as to the credit limits to be set (i.e. risk appetite statements). However, these have always to be reviewed to balance risk with the business to be gained/lost by accepting/rejecting orders.

  10. Robert Moorehead-Lane
    May 5, 2016 at 6:00 AM

    My one comment would be that it appears that the Risk Appetite is being seen as a holy grail.

    As with an internal model or any other type of tool, it is exactly that: a single tool.

    You don’t build a house with just a hammer; it takes an entire toolbox to ensure you have the right foundations and the right materials and are constructing it in the best way possible for the best results.

    Looking at risk appetites in isolation it is always going to be easy to pick them apart. So to say that there is no mature risk appetite process out there right now is to miss the point.

    The right way to look at it is through a multi-variate lens.

    What is the risk culture? What is the required vision for the company? What is the maturity of the company? Are they in start-up mode or growth stage? Are they a potential acquirer of businesses or the acquired?

    What is the capital level of the business you are trying to monitor? What is the correlation of the risk you are monitoring against the other risks in the portfolio? How do these move in tandem or isolation?

    What is the potential upside and how is that correlated to the potential downside? (It is not always a linear relationship.)

    Where is this opportunity coming within the economic cycle?

    What other factors are necessary to be taken into account? Is this a defensive play to protect market share or to block a competitor? Is the decision based upon a regulatory need or other deterministic factor outside of the appetite scope?

    Without a good view on all of the above it is senseless to be able to determine whether a risk appetite is or can ever be appropriate in the circumstances.

    Finally I would make the point that you are asking the company to make decisions based on risk appetite data? For a start a company would not make a decision based just upon a risk appetite statement. In my industry (insurance) we have the ORSA which allows us to look at a much broader spectrum of factors to make business decisions and it works very well when run properly and effectively. In other industries similar versions of business decision making report processes are available.

    The risk appetite is an input for consideration, not a final decision making tool.

    So to summarise, yes there is a long way to go. But there is a long way to go to get mature risk management frameworks. Risk appetite maturity will only come as part of the entire framework maturity.

    But the companies that embrace this and use it as a tool in their toolkit along with other tools they have will start to pull away from the pack and make better decisions and more returns for their shareholders.

  11. John Fraser
    May 9, 2016 at 7:56 AM

    The concept of ‘risk appetite’ as defined by COSO (i.e. that an organization can or does have a single risk appetite) has long been demonstrated as unhelpful (other than to consulting firms) and unworkable. ISO 31000 recognized this and does not use the term at all. I have yet to see a meaningful risk appetite statement (RAS) as they are all so general (or secretive) as to provide little real guidance (e.g. “We will undertake no risks that will impair our reputation”). ERM requires risk criteria, as defined by ISO 31000 section 5.3.1, not nebulous impractical feel good statements. The concept for RAS seems to have been invented by the Financial Stability Board to demonstrate regulatory action after the credit crisis. The sole benefit of a RAS would be if the board and management do use this as a vehicle to actually have conversations about risks and risk taking.

    • Olayimikah, France
      May 9, 2016 at 8:28 AM

      Hello John,

      You are right about the sole benefit of a RAS and frankly any organisation that defines its RAS vaguely or as ambiguously as highlighted in your comment is not serious about risk management and is only going through the “motions”. A RAS must make sense and be both monitorable and measurable (this is also supported by COSO).

      Any organisation that is serious about risk does not need COSO to tell it how to define its RAS. They know exactly where and how deep it will hurt and should know what to do; limits to set; etc in protecting their stakeholder value and ultimately their existence.

  12. John Fraser
    May 9, 2016 at 8:48 AM

    Can anyone provide a link to an effective risk appetite statement?

    • Olayimikah, France
      May 9, 2016 at 9:41 AM

      I work with the Standard Bank Group and you can see a broad definition of how the RAS is defined in terms of Risk Appetite Dimensions (Level 1) on page 22 of the following link. http://reporting.standardbank.com/downloads/SBG_FY15_Risk%20and%20capital%20management%20report%20and%20AFS.pdf

      Level 1 defines the overarching dimensions that are expounded upon in the RAS document that is presented to the Board. Each dimension is defined with a measurable RAG range.

      Level 1 is further made granular for monitoring by defining Level 2 (Risk Appetite Dimensions by Risk Type) and Level 3 (Portfolio Limits by Risk Type).

      Though this is for a financial institution, the principle is applicable across industries. The knowledge needed is to know where, how deep it will hurt and what to do….

      • Norman Marks
        May 12, 2016 at 2:39 AM

        Thank you for sharing this document.

        Can you help me understand:

        1. How does management know whether its corporate objectives are on a path to success? How does it know what actions to take if the aggregate level of risk to any objective is outside desired levels?

        2. How does management know whether people are taking the desired level of the desired risks? Are they taking enough as well as are they taking too much?

        3. How do individual decision-makers know whether to take a risk, and how each decision they make creates or modifies risk – including effects felt by others?

        4. Where is the potential for losing key employees? Where is the opportunity presented to hire specialists that will enhance the ability to create value?

        5. Is every form of risk to corporate objectives truly covered?

        The document is highly financial in nature, appearing to assume all forms of risk can be quantified. Is that true in the real world?

        Does this enable people to take the right level of the right risk, or only to determine after the fact that risk levels are or are not what is desired?


        • Olayimikah, France
          May 12, 2016 at 8:06 AM

          Dear Norman,

          The following responses are made from my perspective and experience as a risk professional.

          1. In formulating corporate objectives there is an element of granularity that is required in addition to ensuring “SMART” objectives are set (Specific/ Measurable/Attainable/Relevant/Time-Bound). When this is in place and captures what “success” for the firm looks like, set milestones should be monitored on a periodic basis or out-of-period when certain risk events affecting the firm or industry as a whole occur.

          Of course if in the review it is found that there is a deviation from the defined “path of success”, the extent of deviation with likely or crystallized impact must be assessed and management actions set (where material).
          Ideally, aggregate levels of risk falling outside desired levels that happen “unexpectedly” should only occur as a result of external risk(s). This should itself not be an entire surprise as a firm (financial or otherwise) should form a habit of “stress testing” by assuming certain scenarios that could impact negatively its operations.
          In the event of the “conscious”, what comes to mind is the event where a firm wants to take an “opportunity”, and for which there should be clear guidelines already in place for actions to take e.g. risk/reward analysis; upsides & downsides analysis; level of approval(s) needed; etc.

          There is an assumption here that the firm’s aggregate risks ARE being monitored.

          2. The easiest answer should be the assumption that knowledgeable (risk & business) and rational individuals are manning positions….but this will be a fallacy…lol.

          Even where there exists a system of autonomy bound by delegated authorities, a firm should have instituted periodic performance reviews based on set criteria specific to the firm and of course including pre-defined materiality criteria.
          I confess that I am making an assumption here that the leadership of the firm is/are able to wear two separate objectives hats – one of business (make money) and the other of risk (going concern)…..

          3. Decision makers need to know what can impact the firm positively or negatively and have a general knowledge of risks faced and emerging (both for established institutions and smaller SMEs).
          Of course, we don’t want decision makers “bogged down” with risk analysis as the “deal has to be closed” (literally).
          It is therefore expected that the risk team who should be able to assess the overall effect of actions on various areas of the firm “partners” with the business (or customer facing team), without compromising its independence and breaching of set risk limits.
          The key here for required assistance to be provided is the “partnering” and constant communication between the customer facing and risk teams. This is important even for SMEs (before you ask), who though do not have a large team should have at least a risk & compliance person or have the function outsourced.

          4. Potential for losing key employees that I’ve experienced is when there are differing objectives between the firm and the decision maker(s), resulting in a feeling of frustration on the part of the decision maker(s) who desire more autonomy (rightly or wrongly) or who have aggressive risk appetites higher than that of the firm.
          This also has been a personal experience when years earlier I was on the business side. However, I found when in a relatively “less” structured environment that I had to put in place similar processes and monitoring structures, which enabled better sleep at night!

          5. This I really wish…lol, but no, every form of risk to corporate objectives is not covered immediately as risks themselves have a dynamic nature.
          There should be in place a periodic (quarterly in my opinion) strategic business risk assessment exercise that identifies and assesses various risks that may affect the attainment of strategic objectives.
          When carrying out this exercise, besides the SWOT analysis as described in an earlier comment, I support the use of the Known-Unknown Risk Quadrant at a brainstorming session. This, in addition to other positives, brings to the fore emerging risk(s) that need to be considered going forward.

          You are right the document is highly financial – it is for a financial institution..lol (apologies – my sense of humour gets the best of me at times).

          Seriously though, setting a risk appetite is a combination of science, intuition and experience. Using the same principles as found in the document, a similar definition can be put in place for any firm, operating in any other industry, provided the knowledge of where it can hurt, how deep it can hurt and what should be done to prevent this hurt (if material) can be articulated.
          I am also a proponent that most forms of risk can be quantified (somewhat) with assumptions. The risk then will be the relevance and applicability of the selected assumptions. However, one risk even with assumptions that may not be “accurately” quantified is reputational risk, the likelihood of which has heightened for large firms with the “tsunami growth” of social media…..
          The degree of sophistication in defining risk appetite depends on the scale and complexity of the firm and in my opinion, where the industry falls on the risk continuum.
          Let’s take an example of a simplistic 3x3 risk matrix for an SME: during a risk-to-business brainstorm session, the management team will be asked to assume in monetary terms (for example) what low, medium, or high risk means for the firm in terms of financial loss(es) to the firm. This paints a picture in the mind’s eye of the management team and becomes easier to understand without VaR and Monte Carlo simulations.

          In my opinion a risk appetite statement can be defined simply but still SMART.

          I do believe that the RAS enables people to take the right level of risks. Remember that there always is some element of flexibility either in the ranges set or where required senior management / board approval must be obtained to breach the set limits for a specified period together with a detailed action plan to bring back within prior approved limits, or in rare cases to adopt new level going forward (yet to see this in my experience though).

          I do like the Standard Bank internal RAG limit setting of G – within risk appetite (desired), A – within risk tolerance (what can be tolerated above desired risk appetite) and R – risk capacity (the no-no area that has the risk of affecting the firm’s ability to operate as a going concern).

          Unfortunately since as risk managers we try to replicate a “crystal ball” without having one, we can only “believe” we have the right desired levels as the process adopted (be it complex or simplistic) was methodical. Permit me to note though that we all assume that with sophisticated tools we are closer to actual – though this can be debated especially where we have “black boxes”…..

          The desired place for “after the fact” in my opinion should be when a “back test” is carried out after a full period (typically one year).
          Here the set risk appetite should be analysed looking at lost opportunities (if any), reward obtained, overall “health” of the portfolio (non-performing loans; delinquent receivables; etc.), etc.
          By doing this, we reduce somewhat the risk of “flying blindly” by using the past in “fine-tuning” our navigation for the future. Of course other internal and external changes – regulatory, global, industry specific, country(ies), etc should be considered.

