October 4, 2018
October 4, 2018
Does your board practice what it preaches on risk oversight? While many directors espouse the importance of regular dialogue between the board and management about the company’s risk appetite, a recent publication by the NACD Advisory Council on Risk Oversight indicates there is room for improvement on how organizations articulate and discuss risk appetite.
This report—based on a discussion with risk and audit committee chairs from Fortune 500 companies—provides insight into how and why risk appetite is used in the boardroom, as well as the importance of an effective risk appetite statement. Here are some key takeaways.
Align the Risk Appetite Statement with Company Strategy
Risks are inherent to every strategy, whether the organization’s management chooses to express them explicitly or not. When determining the level of acceptable risk, directors should work with management to understand the most critical risks (whether expressed qualitatively or quantitatively) and evaluate management’s tolerance for each.
A solid risk appetite statement articulates risks in terms of how they align with company strategy. To create an effective statement, the NACD advisory council suggests using metrics to set boundaries for risks the organization is willing to accept—targets, ranges, floors, ceilings, or prohibitions within which the company is to operate.
The boundaries can be strategic, financial, or operational in nature. For example, strategic parameters consider matters such as new products to pursue or avoid, new markets to target, markets that are on- or off-strategy, brand-eroding actions to avoid, and the investment pool for capital expenditures and mergers and acquisitions activity. The advisory council also recommended benchmarking against peer groups.
When aligned with strategy and benchmarked against peer groups, the risk appetite statement can be useful for communicating with the board, encouraging personnel to take risks in executing the strategy, transforming a risk-averse culture into one that takes measured risks, and maintaining strategic focus.
Use the Risk Appetite Statement to Inform Critical Processes and Decisions
When articulated with both forward- and backward-looking metrics, a robust risk appetite statement can be used to:
No one disputes that successful organizations must take risks to create value. The question is, how much risk should they take? A balanced approach to value creation means the enterprise only accepts reasonable risks given its capacity to bear risk and the level of risk it can reasonably expect to manage successfully.
Continually Re-Evaluate the Risk Appetite Statement
The risk appetite statement should be revisited periodically as the business environment and strategic priorities change—that is, it should be considered a “living document” and a benchmark for discussing the implications of opportunities as they arise versus a way to constrain management.
The four appendices to the NACD publication also provide useful insights, such as four core elements of an effective risk appetite framework:
From our experience, the most important part of formulating a risk appetite statement is the board’s dialogue with management. This dialogue often focuses on such questions as what risks we seek to take, what risks do we want to avoid and—the big one—why?
It leads to discussions on which risks the organization manages better than its competitors and if management knows why it handles them better. Finally, the dialogue forces the organization to acknowledge the risks and uncertainties inherent in the business model, as well as how these risks are being reduced to an acceptable level.