The whole concept of risk-appetite is total nonsense

The concept of risk-appetite has been around for years, yet many risk practitioners still find themselves confused and unsure how to quantify, formalise and document it. Well, the short answer is YOU DON’T NEED TO. There is a better way.

First, disclaimers. The following article only applies to non-financial companies, just like everything else I publish. In banks risk appetite may still work fine. I wouldn’t know 🙂 Whenever I say something is broken I offer an alternative that works much better. You just have to be patient and finish reading the article.

Most organisations have already documented their appetites for different common decisions or business activities. Segregation of duties, financing and deal limits, vendor selection criteria, investment criteria, zero tolerance to fraud or safety risks are all examples of how organisations set risk appetite. Appetites for different kinds of risks have been around for decades. Not for all risks, but for most of them.

So, what is this recent hype about risk appetite about? Not much really; it’s just another consulting red herring. Contrary to what most modern-day consultants tell us, I believe that any attempt to aggregate risks into a single risk appetite statement in non-financial companies is both unnecessary and unrealistic. Even having a few separate risk appetite statements totally misses the point.

After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions. Or is it something else? Share your view in comments.

Instead of creating separate new risk appetite statements, risk managers should start by reviewing existing Board level policies and procedures to identify:

  • significant business decisions that already have a certain risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organisations that utilise child labour or fall under economic sanctions. Or it may have a documented requirement not to invest in high risk projects above a certain limit (my old company, for example, would not finance high risk ventures through debt, only through equity with some oversight control). Or the company may have a finance policy not to keep more than 20% of cash in a single bank. Or the company may have a policy not to give additional trade credit to bad debtors. And many, many more examples. In cases where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. Let me make this very clear: 80% of the time the appetites for different business decisions have already been set, and all the risk manager has to do is validate, monitor and report any unusual activity.
  • for the risks where no appetite has been previously set by any of the existing policies or procedures, the risk manager should work with the business owners to develop risk limits and incorporate them into existing policies and procedures. Risk limits can be divided into three groups: “zero tolerance”, acceptable within quantitative limits, or acceptable within qualitative limits. This is the other 20%. Risk managers should use Monte Carlo simulation, scenario analysis or decision trees to document risk appetites. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable.


I strongly believe that risk appetites should and can be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements. Join me in Kuala Lumpur in May to talk about formalising risk appetites for key business decisions and activities without the theoretical nonsense: https://fleming.events/en/events/finance/practical-risk-appetite-masterclass


5 thoughts on “The whole concept of risk-appetite is total nonsense”

  1. Alex, shouldn’t a risk appetite statement be a quantification of acceptable risk for a class of risks versus a Loss Exceedance Curve which is generated for the individual risk, itself?


    1. If we assume that we are talking about a non-financial company, then there shouldn’t be a risk appetite statement at all. Risk appetite is the decision making criteria/boundaries and should be documented in the existing Board level documents that outline that type of decision; for example, investment guidelines would have appetites across various investment decisions, or a financial policy will have appetite for bank counter-parties, concentration, cash management and risk profile.


  2. I agree that generally speaking Policies should articulate the risk appetite. However, policies often imply lower risk acceptance than the management and BoD can actually live with, and focus on preventative measures rather than a specifically determined residual risk. Take IT security for example; an IT security policy typically fails to recognise a threshold of security incidents as a performance measure which, if exceeded, should warrant additional procedures and cost. A pre-determined threshold (appetite) also serves as an operational tool to communicate performance levels. I see more potential in incorporating appetite descriptions (quantitative and qualitative) into corporate policies, especially when set policy targets do not reflect acceptable minimum levels.


    1. I don’t understand your point. Surely, if that is indeed the case, it makes more sense to fix existing Board level policies instead of creating additional new risk appetite documents. Risk management is not about adding something new; it’s about changing what exists to be more risk-based. That goes for everything.


  3. Agreed. Disclaimer: I work for a financial institute… but the following should be true for non financial companies as well. And yes, I can appreciate authors trying to be controversial 🙂

    In my experience it makes sense to define the risk appetite framework itself in a dedicated risk appetite policy, not scattered around in other policies. But this policy stipulates just the principles & governance, not concrete limits! That policy should contain the high-level risk appetite targets based on strategic objectives, and a principle like: “for all risk types major to our company, measurable risk tolerance limits should be in place and monitored”. It should also contain a uniform way to respond to risk appetite breaches, because executive management needs to be informed about any risk tolerance breach, no matter what the topic is and the related policy. The reason for having this in one “umbrella” policy is to have the same governance for all breaches, no matter who the risk owner is.

    But I fully agree with Alex that when that is in place, concrete limits should be part of the 1st line policies themselves to ensure proper ownership (for instance a travel policy for the allowed number of senior staff in one vehicle, an IT security policy for system availability or number of hacking attempts, a BCM policy for recovery time objectives, etc).
