The value of risk appetite

There has recently been an active discussion in many fora about the merit, objective, process and benefit of risk appetite. I have addressed a number of these topics in previous articles however, the recent discourse has prompted me to revisit the topic and the lessons learnt from advising corporates on the design and implementation of it.

Defining risk appetite in practical terms

I will address risk appetite from both a decision-making and oversight perspective. I will also seek to demonstrate whether, and indeed how, a well-articulated risk appetite statement can add value to planning and decision-making. The article will also make the case that a positive by-product can be to deliver regulatory compliance in line with the updated governance code in the UK.

This article is aimed at non-financial services corporates, not banks or other financial institutions where the business practices and imperatives, as well as regulatory requirements, have led to more developed risk appetite approaches.

What are some common misconceptions about risk appetite?

1. What is a risk appetite statement? A risk appetite statement is not set in stone for time immemorial. It is an articulation of the amount and types of risk an organisation is willing to take in pursuit of its objectives. This does not mean that we are only aggregating individual risks into an overarching expression of risk appetite for a range of different risks.
2. Risk appetite should be set for the key, material, or principal risks of the business on an individual risk basis rather than for a risk category or a strategic objective or aspiration. We will discuss later the balance or mix of qualitative vs. quantitative assessments as well as how risk appetite could be incorporated into planning and decision-making.
3. It is also beneficial to set an overarching risk appetite using for example a CashFlow@Risk measure to express the maximum cashflow volatility that a business is willing to accept subject to key constraints, e.g. not breaching key debt, leverage, or dividend covenants.
4. Not having a risk appetite statement does not equate to taking risks without any controls. The notion that management would not restrict or control its risk-taking unless imposed upon by the Board or regulations, is deeply questionable. Management will be looking to maximise performance by judiciously (be that explicitly or implicitly) balancing risk and return to achieve their objectives. Hence, a risk appetite statement becomes guard rails that management can operate within or challenge if they are no longer fit for purpose.
5. Risk appetite is not a straitjacket. There are situations (and risks) where the Board’s risk appetite might be higher than management’s – for example, this can be in the area of people and talent risk or in relation to transformation initiatives.

What does an effective risk appetite process look like?

Back in 2017, I set out key characteristics of a good risk appetite process in an article Building up an appetite for risk. When re-reading the article in the context of my experience since then, I observe that:

• The merit of expressing risk appetite for individual risks in risk-return terms has been proven as it facilitates a clear link between the objectives and the trade-offs in terms of achieving them.
• I have not seen the value of ‘old-style’ single loss and aggregate loss risk appetite expressions.
• Risk appetite needs to be considered explicitly in planning, decision-making, and prioritisation of strategic as well as operational choices.
• The discussion of risk appetite often prompts a debate about the meaning or definition of the underlying risk – in other words, has the risk been defined in such a way that appetite can be meaningfully set and understood.
• There is no one size fits all in terms of defining the scale for risk appetite – either in terms of levels or the labels used to describe these levels.
• Embedding risk appetite is the most challenging and also value adding part of the process; risk appetite is a decision-making and governance tool. From a decision-making perspective, the risk appetite therefore needs to be aligned with where key decisions are being made. From a governance perspective, oversight over the utilisation of risk appetite should be vested in the Group and subsidiary Boards.
• There has recently been much debate and polarisation on the relative merits of qualitative vs quantitative approaches to risk management

Balancing qualitative and quantitative approaches

Having applied both qualitative and quantitative approaches, my key takeaways are:

1. Few corporates have embedded a quantitative approach to risk management that supports modelling of the full range of risks they are facing. This is due to a combination of factors including skills, competency, resource availability as well as the diversity of risks that corporates face.
2. Quantitative approaches can be applied in a multitude of ways – there is a need to deploy them to fit with the culture, capability and resources of the business.
3. A quantitative risk appetite framework will not be effective if the remainder of the risk management approach is qualitative.
4. Put enhanced decision-making at the heart of all risk management and appetite activities irrespective of where the organisation sits on the continuum of qualitative vs. quantitative.

Structuring risk appetite to effectively support the Board and management

A risk appetite process should be value-adding to both the Board and management (typically ExCom) participants. There are therefore some additional points worth considering in structuring the risk appetite interaction:

• The sophistication of both the risk appetite approach and measures should align with how risks are being assessed and / or measured.
• There is a need to consider not only the risk appetite for individual risks but also the aggregate level of volatility that the organisation is willing to take to reach its objectives. In this context, it is important to also take into account the commitments made to the market (e.g. earnings, cashflow, leverage, dividend) and the strength of the balance sheet of the business.
• One of the key insights both for management and the Board is the understanding of current exposure relative to the agreed risk appetite. In my experience, the focus should be on the action plan for risks where the exposure is above appetite as well as the opportunities to take proactive steps where the current exposure is below appetite (i.e. we might have overcontrolled the risk or been more conservative than our appetite would indicate).
• It is undoubtedly management that is responsible for the action plans to address exposures above appetite and for proposing to the Board, in their governance and oversight capacity, a proposed set of actions and milestones.

In conclusion there is, in my experience, a clear case for risk appetite as a decision-making and governance tool. As a consequence, businesses should engage management and the Board in a constructive and value-adding risk appetite process to support planning and decision-making. In addition to the value to both management and the Board, there are also subsidiary benefits such as supporting businesses in meeting compliance expectations such as, for example, the revised UK Corporate Governance Code 2024 (provision 29).

This article first appeared on LinkedIn.