Risk Without Reward?

June 19, 2019
Corporate risk appetites are incomplete without considering upsides.

Generating a formal corporate risk appetite and imbuing it throughout the company is critical for executives to make good business decisions. Nonetheless, a complete risk appetite must also include the potential rewards.

“In most commercial areas, if you are offered an opportunity and there’s some risk associated with it, is that risk acceptable or not? I have absolutely no idea unless you tell me what the potential reward is,” said a participant in a recent NeuGroup Corporate ERM Group meeting.

Developing a risk appetite. The comment arose in a session in which representatives of another NeuGroup member presented the company’s effort to develop a risk-appetite statement that can be applied across the company to aid decision-making. The effort was important, said one representative, because the executives didn’t have a tool to gauge which risks were more important than others, and consequently how to prioritize resources to address risk.

He noted that his company’s risk management framework is designed to support better decision-making while helping deliver its objectives, and he displayed a graphic illustrating the framework that other members praised as very comprehensive yet concise. As part of a risk governance structure, the graphic listed four main types of risk, then elements of risk hierarchy, appetite and policy architecture, and it also noted the toolset to deal with risk.

The presenter explained that his company views risk appetite as important because it:

  • Helps maximize opportunities while keeping risks under control
  • Establishes clear boundaries for taking and accepting risks
  • Increases transparency and awareness, helping align board and management expectations

Risk decisions are incomplete without potential rewards. Soon after, the member, noting the importance of considering the potential rewards from executive decisions, described his “conceptual problem thinking about risk appetite in isolation,” adding, “We’ve found it important to step back and think about risk in general, and we’ve concluded that reward and risk are inseparable.”

The presenter said that the current version of his company’s risk-appetite statement now in the works aims to consider reward—or “profit” in his company’s nomenclature—as part of institutionalizing risk appetite into decision making. His ERM-team colleague noted, however, that so far the statement has not captured decisions’ upside opportunities.

Risk radar drives discussions. Presenters then displayed a color-coded risk “radar” in the shape of a square, with the center being the optimal balance of risk vs. risk controls, the top right in red representing the acceptance of too much risk and the bottom left in green too little. A decision falling in the red area should prompt the decision makers to reduce risk and/or tighten controls. A decision in the green area should prompt taking on more risk and/or loosening controls, implicitly suggesting an exploration of the decision’s potential rewards.

“So the risk appetite is designed to let people take on more risk” if necessary, the presenter said, acknowledging that measuring the potential reward is difficult, and “finding that opportunity between opportunity and risk is tricky.”

His colleague added that developing a quantitative risk appetite remains a journey in progress for his company, requiring a culture change and a different level of awareness and understanding of risk among decision makers. Nevertheless, the risk appetite statement and tools such as the risk radar are driving discussions about when the company is accepting too much or too little risk in light of factors such as current resources and controls devoted to managing it, and potential rewards or upsides.

Another member agreed, noting blogs that question the necessity of developing a risk appetite statement. He argued that, in fact, such statements play an important role.

“For one, it gets the board involved so it can exercise risk oversight responsibilities; and two, the statement is less important than the conversation that goes on around it,” he said.
