The search for effective risk appetite statements
I have been writing about the tough topic of risk appetite for a long time! Here’s a partial list of my blog posts, which go back to 2010.
- Compliance and risk appetite – July, 2015
- A huge problem with risk appetite and risk levels – May, 2015
- Auditing risk appetite – September, 2014
- My tolerance for risk appetite is fading – June, 2014
- Just what is risk appetite and how does it differ from risk tolerance? – April, 2014
- The continuing failure of the risk appetite debate to focus on desired levels of risk – March, 2014
- What is your risk appetite? – September, 2013
- The tricky business of risk appetite: a check-the box chimera or an effective guide to risk-taking – August, 2012
- COSO contributes to thought leadership on risk appetite – January, 2012
- New guidance on risk appetite and tolerance. I like some parts, disagree with others – September, 2011
- An effective risk tolerance, appetite, criteria etc. statement – May, 2011
- A discussion of risk appetite by thought leaders – November, 2010
- Food for thought on risk appetite – February, 2010
Yet, I am still searching for examples of organizations that have done this well – and by that I mean establishing desired levels of risk for the enterprise as a whole that lead to the best business decisions at all levels of the extended enterprise.
Last week, in Chicago, Richard Anderson and I debated this point. He thinks it is being done, but I have significant doubts.
In a few weeks, we will debate this again with a group of practitioners and thought leaders at RiskReimagined London. (Spaces are still available.)
Why am I still searching?
Let me see if I can explain the predicament.
Example 1: we manage a company that grants loans to small businesses across the globe. We set a risk appetite statement that says that we want to take risk that is ‘valued’ at between $100 million and $200 million. It’s a range because if we don’t take enough risk, our profits will suffer. $100 million is the lowest we can go if we are to break even. If we take too much, we may suffer losses that cannot be sustained comfortably and we have defined ‘too much’ risk as $200 million.
We have five offices that grant loans: in Sydney, London, San Francisco, Buenos Aires, and Singapore. In each, five managers approve new loans.
In each of these five offices, a single manager oversees all the loan approvals and can make sure that his office stays between $20 million and $40 million. We have cascaded our enterprise range and allocated a range of risk to each office. Some call this ‘risk tolerance’, although that is not how COSO describes risk tolerance.
As a result, the company as a whole will stay between $100 million and $200 million.
But while we are ‘safe’, we have not optimized our results.
Our ideal level of risk will typically be nearer $200 million than $100 million.
How likely is it that we will obtain an enterprise level of risk of, say, $180 million?
Even if everybody is communicating often and openly, it is unlikely.
If Buenos Aires can only sell $30 million and London $25 million, then the other three will have to sell a total of $125 million. That is more than the three can take under the $40 million allocated to each of them (3 × $40 million = $120 million).
OK, if one person approves all loans, then it may be possible to get to $180 million. But that level of bureaucracy would slow the company down and make it highly inefficient – damaging customer satisfaction. Remember, customers want quick decisions made locally.
In this example, the risk appetite statement may prevent the company from taking an unacceptably high level of risk, but will it drive optimal performance?
Rather than driving the right decisions and proactively taking the desired level of risk, management can only see total enterprise risk levels after the fact.
Note that I set risk appetite as a range. That is not common. If a low end is not set, will this company survive? Each location could consider it safe to be much lower than its allocated risk level.
Example 2: this time, our business operates gas stations. We are considering purchasing three more stations. We have set a risk appetite for our total level of oil spill cleanup and remediation at $25 million and our current exposure (based on the stations we already own) is $15 million.
We perform a risk assessment for each of the three potential acquisitions. The level of risk at the first is $5 million, the second is $8 million, and the third is $12 million.
The risk manager decrees that acquiring the third would take us over our risk appetite and we should, instead, focus on the other two.
The problem is that, like most risk managers, he is only considering the downside.
If we look at the potential profit to be earned at each of the three, we find the numbers are: $5 million for the first, $10 million for the second, and $20 million for the third.
Which is the wise decision?
Although the first station is within our risk appetite, an acquisition seems to make little sense from a business point of view.
The second may make sense, but only if the total of all risks relating to the acquisition would not only be lower than potential profit but would deliver an acceptable rate of return on our investment. There are probably other factors that would go into the decision.
While the risk manager wants to eliminate the third based on the risk appetite statement, the potential for reward is huge! Perhaps the risk appetite statement should be increased so we can take advantage of the significant increase in profits. In fact, the increased level of profits might well increase our ability to sustain a loss.
Making decisions based only on the potential for harm is not good business decision-making.
Decisions should be made based on the full picture of all the things that might happen.
The upside possibilities should be identified and evaluated in the same way as the downside, otherwise how can management know they are making informed and intelligent decisions that will drive the organization to success?
These are just two examples. I am sure you can come up with more.
Or, can you share how risk appetite statements enable informed and intelligent decisions that enable success? I suspect that all they do is prevent harm rather than enable decisions that lead to taking the right level of the right risks.
I welcome your comments.