A colleague recently wrote an article on risk management and shellfish. Not things you would obviously link, but the mention of food started me thinking about a connection to risk management: risk appetite.
We recently surveyed a group of non-executives on risk management and noted that a significant proportion sat on boards that had not established their risk appetite; some weren’t even sure what “risk appetite” is.
Yet another buzzword bandied around by consultants and risk management professionals to create nervousness amongst board members that they are just not doing enough when it comes to identifying, understanding and managing risk? I hope to convince you otherwise.
I personally agree with the notion that risk management is, in essence, good management, and that risk-taking is an essential part of doing business, without which business opportunities will be lost and equity returns will be reduced.
Business environments are increasingly complex. Risks, and opportunities, need to be identified and assessed quickly. Plans are executed across departmental, geographical and inter-company boundaries—and through partnerships and joint ventures, contractors and other means outside a business’s span of control. As such, there has to be some structure and process in the management of risk.
But structure and process are no good if you haven’t set the right risk culture, and have not communicated what kind of risk-taking is acceptable, or within the businesses risk appetite.
Broadly defined, risk appetite is the amount of risk a business is willing to take in pursuit of its strategic objectives.
If we put it in the context of good practice governance requirements, the UK Corporate Governance Code states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives”.
Logically, then, setting the business’s risk appetite is part of this determination. I sat in a board meeting recently where a business initiative to move into a new, high-tech market had failed, with significant consequences for the company.
The share price had taken a nosedive by 8%, sales had been minimal and its share in its core market was being eroded.
Rather than discussing whether it had got the strategy wrong, perhaps misunderstood the market or not executed its plans well, the main focus of the conversation between executive and non-executive management was whether the initiative was something the board should have even signed up to in the first place.
The argument seemed to be that the board would never have signed up to it had they known it would be unsuccessful.
Whilst what the company was doing was entirely in line with their overall strategy, they failed to grasp the full consequences or risks of failure to deliver. They had not considered the aggregate risk to the core business, or determined whether the consequences were acceptable.
We can speculate on whether the business had the right strategy, where accountability for strategy sits, that better risk evaluation may have prevented them reaching this point—but what it did lead to was a meaningful discussion as to what the risk appetite of those sitting round the table was.
Ideally, the board has a shared view of risk appetite, and the executives and staff within the business have a mandate to take appropriate risks in line with that appetite.
On an individual basis it is easy to make decisions about risk appetite (although we perhaps overestimate our risk tolerance until something goes wrong). For organisations, it is a complex business and requires considered debate between senior executives.
So, some thoughts on how to get it right…
Spend time understanding the nature of risks you face as a business and take time to debate your appetite for risk-taking; without a shared view, how can you communicate it effectively? When I work with clients to help them identify and evaluate the risks they face, I am always struck by the level and intensity of the discussions about what the true risks are and how they should be dealt with.
I doubt many boards have time for regular discussions of this nature. It is difficult in a busy work environment to take a step back and take stock of the risks the business faces, and may face in future, particularly in today’s complex environment.
Spending time—usually at a strategy/away day or in an extended board meeting—talking about strategy and the risks linked to that strategy, is a good start.
Make it relevant to your business
I have seen a number of risk appetite statements that many boards would review and find acceptable to publish for their business.
For example, most businesses will declare that they have a low appetite for non-compliance with legislation or regulation, but a greater appetite for taking risks relating to growth opportunities.
Most would say they have a low tolerance for taking risks with the health and safety of their staff, customers and the general public, but would have a more open appetite to the risks that exposure to international expansion brings.
All well and good, but is such a statement any use to those within the business who are charged with taking risks on a daily basis? Does it reflect the complexity of risks the business is facing? Does it provide any clarity over the extent to which key company assets (eg. IP, brands) should be protected?
Going back to my example above, is the company willing to sacrifice its core market in pursuit of new markets? Should a business risk sub-contract core activities in pursuit of greater margins? What impact on reputation and licence to operate might arise if it all goes wrong?
These are the complex, often interrelated areas where risk-taking comes in all shades of grey, which makes it even more crucial for the board to be clear as to what risks are acceptable and to couch this in terms that management and staff understand.
A risk appetite statement needs to reflect what the business is really about, should be clearly linked to the business strategy, the environment the business operates in and therefore the risk decisions that are likely to be required.
It needs to draw a line (as far as possible) between what is within appetite and what is outside it, such that any risks that the business identifies, or opportunities being considered, are managed in line with the risk appetite the board has set. Decisions can then be escalated to the board where there is a lack of clarity as to whether the risk exposure is “within appetite”.
Test it out in the same way businesses test their financial modelling with scenario planning. Should the risk appetite be put to the test? Does it hold true with real-life scenarios? Can staff apply it when faced with a real issue or opportunity?
Communication is key
The setting of risk appetite is part of the risk culture of an organisation and therefore is part of what sets the tone for communication of information. Creating a culture that encourages and rewards transparency in decision-making, sharing outcomes (good and bad) and discussing where there is uncertainty will help ensure that risk is embraced in line with the appetite the board has set.
And finally…Re-visit it
The business risk appetite may change over time (and you are unlikely to get it completely right first time). It goes without saying that since the world is constantly changing, and the risks we face with it, businesses need to learn from risk-taking and adjust their risk appetite accordingly.
Ruth Ireland is a partner at BDO in risk and advisory.