This is Part 9 of my blog series: The Art & Science of Risk Management
Throughout my blog series, I’ve discussed the concept of risk appetite. To summarize, the risk appetite of an organization is a mutual understanding between the executive management and the board of directors (BoD) about what risk levels are acceptable, taking into consideration the organization’s strategy in maximizing value. The organization may set acceptable or tolerable risk levels for all facets of the organization (e.g. operations, finance, strategy, etc.) and should therefore collate these into a single risk appetite statement to ensure:
- that all employees remain aware of, and will therefore abide by, the targets or limits that the organization has set.
- that any breached or missed targets or limits are immediately flagged for review and that action may be taken to bring them back to appropriate levels.
- that the organization’s risk appetite remains steady and risk-based decisions are consistent (i.e. a less ad hoc approach to taking or managing risks).
- that the organization finds the appropriate balance between uncontrolled innovation and excessive caution.
Developing and implementing a risk appetite statement are no easy tasks. In the development phase, the risk manager must first consider all the aggregated risk activities of the organization (e.g. target debt rating, maximum debt/equity ratio, minimum acceptable profits, earnings-at-risk, capital-at-risk, target proportional revenue in each business line, cashflow-at-risk). Second, the risk manager must use historical information as well as suggestions by the BoD and executives to set the appropriate levels. Third, the risk manager must ensure that the BoD and executives agree on these levels.
When developing the risk appetite, the risk manager must be able to answer, or acquire answers to, the following questions (courtesy of James Lam):
- What is the organization's overall strategy to maximize value, and the underlying business, financial, and operational objectives?
- What are the risk/return trade-offs that the board and management should evaluate in determining the appropriate risk limits and tolerances?
- Are there any business, regulatory, or risk events that should trigger a review (and possible revision) of the risk appetite statement between revision dates?
- What risks and risk exposure levels are acceptable to the board, corporate management, and the business units?
- With respect to risk methodologies and metrics, how would the risk tolerances be handled with respect to risk escalations and exception management?
- How would risk exposures that exceed the risk limits and tolerances be handled with respect to risk escalations and exception management?
- What are the risk reports that should be provided to the board, corporate management, and business and operating unit management to monitor performance against the risk appetite statement?
Implementation must be effective; otherwise the risk appetite statement would be meaningless. However, it brings further complications. First, we need the buy-in of senior corporate stakeholders to make use of the risk appetite statement going forward in, for example, strategic decision-making. Second, once we have their buy-in, the corporate-level risk appetite must translate into the business- and operational-level risk appetite (e.g. key performance indicators, FX and interest rate limits, tolerable losses per department). The translation is necessary so that all employees fully understand what is required of them; employees may not be able to comprehend corporate-level risk appetite and therefore cannot act on it. Third, implementation involves both preventative and corrective action if, for example, a breach occurs, or it is at least flagged for review (as an early warning indicator, for example) by the BoD if no action can be taken. This last point is essential, as the risk appetite statement is intended to provide better corporate oversight. A question by the BoD to executive management as simple as “why was there a breach of tolerance levels?” can make a world of difference.
The company I work for is a holding company that controls several investments. At the corporate level, our risk appetite addresses things like target credit rating, the maximum allowable value of any investment in proportion to the total value of investment, what countries we will not invest in, what industries we will not invest in, etc. One aspect of risk appetite which is of interest to our BoD is the expected return relative to risk. Basically, the BoD want to know the return that an investor should expect from an investment. Then we can compare that with what’s happening to see if our investment is worthwhile. We used the CAPM model to achieve this because, firstly, it’s a simple model that the BoD can easily understand (some of them are not finance-minded) and, secondly, it solves for the expected return using various elements of risk such as market risk, country risk and the risk of the company relative to the market (we call this Beta). In other words, the expected return derived from the CAPM model is commensurate with the level of risk the business takes and therefore signifies its risk appetite.
A measure of expected return is a great starting point for the risk appetite. It can be used as the long-run benchmark from which we may set tolerance levels year-on-year (through, for example, earnings-at-risk). The difficulty is deciding what “return” means to the company. Our company uses return on equity; other companies may use return on capital employed. Once the company decides on the return metric and decides on what the acceptable and tolerable levels are, then this information needs to filter through to the whole business. Put another way, the risk appetite of individual business units must aggregate to the return requirement. As an example, we may take the expected return and translate that to the number of sales required to meet that expected return (assuming all else equal). Then this could translate to the required KPI for each sales representative. We may equivalently take the expected return and translate that into budgeting. This is where integration may become important, i.e. those that perform the budget need to communicate with those that perform the sales forecasts. More on this in the next post.
Next up – Line Management (2nd component)
Your Risk Connoisseur
J-MLN