Home > Risk > Should we “tear up the risk appetite” statement?

Should we “tear up the risk appetite” statement?

That is advocated in a provocative post in StrategicRISK. The author, Lauren Gow, is the  StrategicRisk Asia Pacific editor, based in Australia. As far as I can tell, she has not been a risk practitioner (except in the sense that all of us are because we are constantly weighing and taking risk). But that doesn’t mean she doesn’t have (a) a point, and (b) a right to express it and challenge us all in the process.

Here are some key excerpts from the article:

  • Let’s talk about risk appetite. Or more specifically, let me ask you – what is the point behind you, as a risk manager, preparing a specific risk appetite document for the board? Have you ever stopped and really thought about why you do it? If you are doing it because you believe it adds value to the management of the business, it may be time for a rethink.
  • A risk appetite document is a vertical silo tool. And it is being used during a period when most businesses are pushing for more horizontal, integrated ways of working. One might argue that silos themselves do not cause problems within a business, but the closed mentality that comes as a result of the silo-style operation does.

Writing a specific risk appetite document for the board separates risk management from all other parts of the business. How do you effectively make a mark across the whole business when you are not integrated within it?

  • In the creation of a specific risk appetite document, risk managers are essentially handing the board further ammunition to shorten the leash of management. You are adding barriers to management from a board level and making it more difficult for management to take a calculated risk on new products or markets. This goes against what most risk managers say they want to be seen as within their business.

You want to be a business enabler, not innovation impediment; a driver of transformation, not the brakes of revolution. Creating more rules for management from board level will not achieve this goal.

  • Be bold. Tear up your risk appetite policy today. Tell the board you will no longer be doing a specific risk appetite document for them but instead you will be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working.

I have written about this topic for several years. Of note are:

Let me quote my own post from March:

  • These days, I talk about the need for people to make intelligent and informed decisions, because that is where risk is taken.
  • Top management and the board need a reasonable level of assurance that important decisions are both intelligent and informed – that they give due consideration to what might happen (i.e., risk).
  • In fact, I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk.
  • The key is to make informed and intelligent decisions that take the right level of the right risk, where it is justified on business and other grounds. Decision-makers need guidance so that they know that what they are doing (taking risk) is consistent with the desires of top management and the board. You may call that risk appetite (I prefer not to) or risk criteria, but often it is covered by policies such as investment guidelines, hedging policies, delegations of authority, and stop-loss limits.

I quoted an October 2017 post:

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.

Then I suggested:

  1. Recognize that if you are required by law or regulation to have a risk appetite statement, or even by boards who (perhaps on the advice of consultants) believe this is necessary, you need to put one together.
  2. Any risk appetite statement should first satisfy the needs of the regulators. (Sadly, they seem to be happy with fluff such as “we have no tolerance for non-compliance with laws and regulations”.)
  3. If at all possible, develop risk appetite statements that actually mean and do something. (Or indicate that the guidance is in other standards and policies.) They should:
    1. Guide decision-makers, so that they know before they take a risk whether their decision would be acceptable and in the interests of the organization as a whole as it strives to achieve its objectives
    2. Allow for flexibility where there is a business justification for taking what might appear to be a lower or higher level of risk – because of the opportunity that is presented. For example, require such decisions to be escalated to more senior levels of management or the board
    3. Enable top management and the board to have assurance after-the-fact that risk to objectives (which I define as the likelihood of failing to achieve an objective) is within desired levels
    4. Distinguish between different sources of risk. Don’t attempt to have a single risk appetite that encompasses market risk, compliance risk, reputation risk, and so on. That is nonsense. Develop guidance that is suitable for decisions in each area
  4. If you decide on ‘fluff’ risk appetite statements, you still need guidance for decision-makers (see below)
  5. If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership
  6. Provide reports to the board and top management (as described in my books) that help them see whether enterprise objectives are likely to be achieved
  7. Have the CEO provide assurance to the board on the quality of decision-making, risk-taking, and the achievement of enterprise objectives
  8. Have the CRO (if there is one) do the same
  9. Have the CAE provide an opinion on the above
  10. Include the quality of decision-making in each individual’s performance assessment

Returning to Lauren’s provocative piece……

She suggests that instead of some high-level document (risk appetite statement), management should “be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working”.

I’m not going to agree that this is a matter of board policies. Neither do I believe that it’s about safety and avoiding harm.

It’s about taking the right level of the right risks as we make decisions and achieve our objectives.

How does the board obtain assurance that management is taking the right risks? How does it know that management is making informed and intelligent decisions?

Part of the answer lies in repudiating Lauren’s last words: “take a chance on a new way of working”.

Let’s think about the old way of working.

For example, many if not most organizations already have these in place:

  • Limits on the credit that can be granted to new customers
  • Requirements that credit limits are approved by appropriate management
  • Limits on the level of hedging and other use of derivative instruments
  • Requirements that expenditures over a certain value are approved by a more senior individual, even by the board if necessary
  • Policies that indicate the quality of investments that can be made
  • Requirements that all acquisitions are approved by top management and the board
  • Controls to ensure that all write-offs are approved by appropriate management
  • Controls to ensure that excessive discounts are not offered to customers
  • ….and so on

So I stand by the suggestions I made in March. But, I am going to emphasize step #5: “If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership”.

Figure out, for your organization, what you need to achieve the objectives of:

  1. Providing assurance that the right levels of the right risks are being taken through informed and intelligent decisions
  2. Ensure that information provided to the board and investors is reliable, complete, and accurate
  3. Satisfy the compliance requirements of the regulators and others

If you think that risk appetite statements work for you, guiding people to take the right level of the right risks, then fine.

If not, understand whether there is sufficient guidance already in place – and if that is sufficient rely on it; if not, fix it.

I welcome your comments.

Advertisements
  1. Alan Proctor
    May 26, 2018 at 12:08 PM

    I assume neither you nor the Lauren author are advocating the dismissal of a baseline of acceptable fiscal risk from which management and the board make calculated decisions.

    A.k.a., I sure as heck hope you’re not…

    • Norman Marks
      May 26, 2018 at 2:01 PM

      Hi Alan, what is this “baseline of acceptable fiscal risk”? Is it the aggregate level of risk an organization can afford to take? Is it the sum of all sources of risk to all objectives? If there was such a meaningful number, I would be all for it – but is there? See my previous post on consolidated risk exposure

  2. msfedorov
    May 26, 2018 at 12:55 PM

    totally true! I just do not think that regularly reviewing each board-level policy and making risk recommendations for each area” is a bad thing. This is another area where risk manager can add value, but, of course, doing it with decision quality aspect in mind.

    • Norman Marks
      May 26, 2018 at 2:03 PM

      I’m not sure that boards set policies where there should be risk recommendations. Perhaps we should be talking about the objectives established with board approval and the level of risk to those objectives (i.e., the likelihood and extent of failing to achieve them).

  3. May 28, 2018 at 2:49 AM

    I am not dead certain, I get Laurens points. True – if you really want to integrate risk management in management – you should not have a separate risk tolerance statement. However, if you (just) take all the elements of the former risk tolerance statement and cut/paste these into other policies – I fail to see the big difference.

    I do believe management knows the risk tolerance across organisational entities and initiatives … and hence that someone (the risk function) is able to Monte Carlo simulate the overall exposure. Otherwise, there is a severe risk (!) that the combination of individual policies leads to an essentially lower risk tolerance than what the boards would be willing to accept if consolidated.

    If you corporate tolerance is 1000, you cannot split this into 10 units of 1000 without having an overall exposure well below the overall level.

    • Norman Marks
      May 28, 2018 at 6:16 AM

      Hans, what is “corporate tolerance”? How can you combine all sources of risk to multiple objectives?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: