Danny Wong, Founder and CEO of GOAT Risk Solutions, discusses why it is essential to understand risk appetite and how best to use it when managing risk.
The Financial Reporting Council (FRC) first issued requirements for Boards of listed companies to set their risk appetite in September 2014. As the requirement is for the Board to set, and not necessarily to disclose, risk appetite, there is wide variation in the approaches used to define it.
Risk Appetite: the amount and type of risk an organisation is willing to take to meet its business objectives.
Several years on, many organisations that have diligently discussed and defined this at Board level are questioning why, wondering “What was the point?”, “How does it help?” and “What difference has it made or should it have made?”
Most Boards can expect to be involved in setting strategy. They have strategy away days, are usually presented with major investment decisions and must approve mergers and acquisitions and other major transactions in line with delegated authorities.
Regardless of whether the risk appetite is clearly defined or not, Boards tend to be close enough to upside risks so that there are few surprises and there is alignment with management on the desired size of transactions or level of aggressiveness towards growth strategies. Given the propensity to distribute dividends in recent years, most listed businesses have demonstrated fairly low risk appetites when it comes to upside risks.
Risk Tolerance: The amount of risk that an organisation can actually cope with.
However, the Board’s involvement in and attitude towards downside threats are less clear. They don’t tend to have risk away days, and are seldom presented with decisions to make with regard to the handling of downside threats. Investment in controls and risk mitigation is difficult, as the financial returns and business cases are often not clear.
Specialists in risk and control areas tend to work within the limited and ever-reducing resources they are given. Those raising the flag or requesting additional resources to improve controls put their personal roles at risk or are seen as troublemakers. Would you recognise or penalise the safety expert advising us to invest more in safety? How much is enough or proportionate? Who makes the judgement call? Who wants to rock the boat?
We see risk appetite as embedded in the risk management process and ideally aligned to the Principal risks or main risk themes. This way the principal risks can be regularly reviewed in the context of the risk appetite statements setting out the Board’s attitude or minimum requirements for each risk. We encourage bringing metrics and key risk indicators into the risk discussion, so if the risk appetite statements refer to minimum acceptable limits on specific metrics, then these can be explicitly measured and managed, with clearly defined points where appetite is acceptable or breached, and where intervention and escalation are required.
In practice, I recommend a bottom-up approach, with the risk owner or the team managing the risk initially attempting to draft the risk appetite statements of what they believe the Board expects, and the Board then discussing and agreeing them.
How did a fun night out turn into such a nightmare? A simple example, but might management, caught up in the desire or pressure to win at all costs, start taking excessive risks and fall down a slippery slope? Risk appetite with clear intervention and escalation points would ensure this would never happen.
Covid-19 is the biggest crisis the world has faced, causing untold disruption and loss, and it has created numerous decision points for business leaders. How does risk appetite apply? Risk appetite is not a static framework. Covid-19 has had significant business impacts which may have caused a breach of the Board’s risk appetite and changes to its priorities and attitudes.
Cashflows, financial obligations and covenants. For most organisations financial cashflows would be a risk type for which to define risk appetite, and the Board will normally not want to operate anywhere near the brink of collapse. The breaking point is a related topic referred to as risk tolerance. If your business is at or near this point, you have likely already breached your risk appetite.
In this case all bets are off and we must get the business back in line with sustainable levels as a matter of priority - financial survival above all else. This might mean emergency funding and certainly all investments put on hold, and employees furloughed or made redundant, which can impact any other risk or part of the business. This is a lesson to note: if you are in breach of risk appetite, then getting back into an acceptable position becomes the number one priority above all else.
Operational risks and safety. Whilst financial survival is of utmost importance, and therefore opening for business is essential, this doesn’t mean being reckless with other risks. We still want to do so safely so we must be putting in place risk assessments and appropriate controls such as social distancing, cleanliness and masks to protect employees, customers and the public.
Reputation. Many large and high-profile organisations did not apply for government funding if they could afford not to because, whilst liquidity and additional funds in times of crisis are always helpful, they recognised this came with potential for reputation impacts. This decision shows which organisations value their reputations more than financial risks (provided there was no implication of insolvency).
Strategic pivot. Some businesses were able to pivot during the lockdown. These changes in direction should ideally align with the core purpose and enhance the long-term reputation of the business, rather than pivot to do something completely different. The decision could be one that Boards get involved in, as they would in a normal strategy-setting context.
Danny Wong is the CEO and founder of GOAT Risk Solutions Limited. While leading risk consulting in a mid-size actuarial consultancy he conducted a 3 year benchmark study of risk maturity. This research led to the idea that the market needs a simple, low-cost risk software solution designed to raise risk maturity, and GOAT was formed in 2018. The Covid-19 lockdown reminded Danny that all businesses need to better manage risk. It triggered GOAT to pivot to become a fully digital software provider by reducing the price and increasing transparency of the product, so that GOAT is able to deliver its vision to support risk management in a far greater number of businesses.
Find out more and start a free trial at www.goatrisksolutions.com.