Topics:   Audit and Risk,Risk Management,Strategy

Topics:   Audit and Risk,Risk Management,Strategy

October 4, 2018

Get the Most from the Risk Appetite Dialogue

October 4, 2018

Does your board practice what it preaches on risk oversight? While many directors espouse the importance of regular dialogue between the board and management about the company’s risk appetite, a recent publication by the NACD Advisory Council on Risk Oversight indicates there is room for improvement on how organizations articulate and discuss risk appetite.

This report—based on a discussion with risk and audit committee chairs from Fortune 500 companies—provides insight into how and why risk appetite is used in the boardroom, as well as the importance of an effective risk appetite statement. Here are some key takeaways.

Align the Risk Appetite Statement with Company Strategy

Risks are inherent to every strategy, whether the organization’s management chooses to express them explicitly or not. When determining the level of acceptable risk, directors should work with management to understand the most critical risks (whether expressed qualitatively or quantitatively) and evaluate management’s tolerance for each.

A solid risk appetite statement articulates risks in terms of how they align with company strategy. To create an effective statement, the NACD advisory council suggests using metrics to set boundaries for risks the organization is willing to accept—targets, ranges, floors, ceilings, or prohibitions within which the company is to operate.

The boundaries can be strategic, financial, or operational in nature. For example, strategic parameters consider matters such as new products to pursue or avoid, new markets to target, markets that are on- or off-strategy, brand-eroding actions to avoid, and the investment pool for capital expenditures and mergers and acquisitions activity. The advisory council also recommended benchmarking against peer groups.

When aligned with strategy and benchmarked against peer groups, the risk appetite statement can be useful for communicating with the board, encouraging personnel to take risks in executing the strategy, transforming a risk-averse culture into one that takes measured risks, and maintaining strategic focus.

Use the Risk Appetite Statement to Inform Critical Processes and Decisions

When articulated with both forward- and backward-looking metrics, a robust risk appetite statement can be used to:

  • Establish performance targets. Risk appetite statements help organizations set more balanced performance targets that avoid incentivizing excessive risk-taking. Executive management and the board determine trade-offs between promoting superior performance and limiting Pushing these determinations down into the organization drives strategic alignment.
  • Shape corporate culture. An organization’s overall risk awareness improves significantly when the risk appetite statement is translated into actionable guidance with well-defined thresholds and tolerance levels, as well as when it is used across the organization to measure and monitor acceptable variation in performance.
  • Improve communication, including reporting to the board. An effective risk appetite statement is an important communication tool for driving alignment with and awareness of the strategy. A robust statement clarifies acceptable (or on-strategy) risks that management intends to take and forces dialogue on whether the strategy’s potential rewards outweigh the inherent risks. These risks are typically foundational elements of the business strategy (e.g., investing in developing countries to fuel market growth and innovating in specific areas to drive new revenue streams).
  • Make decisions about compensation. A formal risk appetite statement can inform a company’s overall compensation philosophy with the goal of preventing employees from taking unacceptable risks to achieve performance targets. The NACD publication provides important questions directors can ask when evaluating whether the design of incentive compensation plans may inadvertently encourage risk-taking that conflicts with the established risk appetite.

No one disputes that successful organizations must take risks to create value. The question is, how much risk should they take? A balanced approach to value creation means the enterprise only accepts reasonable risks given its capacity to bear risk and the level of risk it can reasonably expect to manage successfully.

Continually Re-Evaluate the Risk Appetite Statement

The risk appetite statement should be revisited periodically as the business environment and strategic priorities change—that is, it should be considered a “living document” and a benchmark for discussing the implications of opportunities as they arise versus a way to constrain management.

The four appendices to the NACD publication also provide useful insights, such as four core elements of an effective risk appetite framework:

  1. A collection of principles that articulates the company’s philosophy on risk-taking;
  2. A set of limits that identifies the thresholds of acceptability in key areas;
  3. An analytical tool that enables the development of those limits and facilitates reporting against them; and
  4. An implementation framework that describes how the risk appetite is deployed in corporate decision-making.

From our experience, the most important part of formulating a risk appetite statement is the board’s dialogue with management. This dialogue often focuses on such questions as what risks we seek to take, what risks do we want to avoid and—the big one—why?

It leads to discussions on which risks the organization manages better than its competitors and if management knows why it handles them better. Finally, the dialogue forces the organization to acknowledge the risks and uncertainties inherent in the business model, as well as how these risks are being reduced to an acceptable level.