Danny Wong, Founder and CEO of GOAT Risk Solutions, discusses why it is essential to understand risk appetite and how best to use it when managing risk.
The Financial Reporting Council (FRC) first issued requirements from Boards of listed companies to set their risk appetite in September 2014. As the requirement is for the Board to set and not necessarily to disclose risk appetite, there is wide variation on the approaches used to define risk appetite.
Risk Appetite: the amount and type of risk an organisation is willing to take to meet their business objectives.
Several years on, many organisations that have diligently discussed and defined this at Board level are questioning why, wondering “What was the point?”, “How does it help?” and “What difference has it made or should it have made?”
The FRC and their regulations are set in place to protect shareholders and set requirements that hold Board’s to account. Risk appetite helps to ensure the organisation makes decisions and operates in alignment with the attitudes and expectations of the Board who are required to set out acceptable guidelines along key risk types. This is operationalised through the normal monitoring and governance protocols which should identify when decisions, risks or performance breach or approach Board’s pre-defined thresholds and guidelines.
We know people are different, have personal egos and motivations and have different personal risk appetites. To prove this point while on a UK tour of 4 speaking events in London, Bristol, Birmingham and Glasgow on the topic of risk appetite, I asked over 200 delegates (mostly professional senior white males over 50 years) to watch a video of a person crossing one of the scariest rope bridges in the world and we asked:
As an illustrative example, the CEO of Volkswagen and a few senior executives involved in the emissions scandal of 2015 clearly prioritised profits, bonuses, jobs and performance over concerns of ethics, compliance, environment, and reputation. It was a poor decision that has now cost the company more than $33b.
But was this a bet that was in line with or against that of their Board? If the VW Board had discussed risk appetite would they agree with a suggestion that profits and growth was their number one priority, above all else? Jobs and bonuses before ethics and compliance?
Risks can be categorised or classified in many different ways, many companies tend to define risk appetite in line with their principal risks or similar key risk themes but one of the most fundamental distinguishing features of risk, something that causes a lot of confusion is appreciating the difference between “upside risks” that generate economic returns and “downside threats” causing losses.
KRIs: Key Risk Indicators. Any numbers, metrics and data points that help inform how the risk is performing (so very similar to KPIs).
Upside are the investments, opportunities, growth strategies and ‘bets’ we choose to make in search of returns. And risk appetite is a simple concept of how aggressive or hungry (i.e. bet the farm, let it ride, high risk and high reward) or conservative or cautious (i.e. dip your toe, slow and steady, low risk-low reward) we wish to be.
Conversely, no one wants, or chooses “downside threats”. These are the safety incidents, law suits, systems, operational or supply chain failures, that tend to happen upon us. For downside threats, the concept of risk appetite is different almost counter-intuitive.
It’s not just about our personal attitudes towards these threats, clearly no one wants a health and safety accident. Instead risk appetite is about how much are we prepared to invest in managing, controlling or preventing these risks from happening. Risk hungry organisations, with high risk appetite, are those that don’t take sufficient action, have a nonchalant attitude, and who do not invest in or support strong controls and governance. Having low risk appetite for downside threats means deploying best practice approaches and strong controls to managing the risk.
Companies that know their controls are weak are therefore demonstrating a high risk appetite for that area. Board’s that know this is the case and do not exercise their authority to rectify or improve are inadvertently suggesting this is acceptable or in line with their appetite.
My advice to Board members has always been to exercise your own judgement and experience. If you don’t understand or are not satisfied in the way something is managed, you must communicate this otherwise it will be interpreted by management as acceptable by the Board.
Most Boards can expect to be involved in setting strategy. They have strategy away days, are usually presented major investment decisions and must approve mergers and acquisitions and other major transactions in line with delegated authorities.
Regardless of whether the risk appetite is clearly defined or not, Boards tend to be close enough to upside risks so that there are few surprises and there is alignment with management on the desired size of transactions or level of aggressiveness towards growth strategies. Given the propensity to distribute dividends in recent years, most listed businesses have demonstrated fairly low risk appetites when it comes to upside risks.
Risk Tolerance: The amount of risk that an organisation can actually cope with.
However, the Board’s involvement and attitude towards downside threats is less clear. They don’t tend to have risk away days, and are seldom presented decisions to make in regards to handling of downside threats. Investment in controls and risk mitigation is difficult as often the financial returns and business cases are not clear.
Specialists in risk and control areas tend to work within the limited and ever-reducing resources they are given. Those raising the flag or requesting additional resources to improve controls put their personal roles at risk or are seen as trouble makers. Would you recognise or penalise the safety expert advising us to invest more in safety? How much is enough or proportionate? Who makes the judgement call? Who wants to rock the boat?
We see risk appetite as embedded in the risk management process and ideally aligned to the Principal risks or main risk themes. This way the principal risks can be regular reviewed in the context of the risk appetite statements setting out the Board’s attitude or minimum requirements for this risk. We encourage bringing metrics and key risk indicators into the risk discussion, so if the risk appetite statements refer to minimum acceptable limits on specific metrics, then these can be explicitly measured and managed, with clearly defined points where appetite is acceptable or breached, and intervention and escalation is required.
In practice, I recommend a bottom up approach, with the risk owner or the team managing the risk initially attempting to draft the risk appetite statements of what they believe the Board expects and then the Board to discuss and agree.
Imagine a fun night out at the casino and starting the night out with £200 in your pocket. It doesn’t start well and you’re quickly down to zero. Instead of calling it a night, you use the ATM and take the daily limit of £300. Very quickly, that is gone too, upset but confident you can win it back, you take your credit cards out, one after the other, you max out on your credit limit until you eventually lose more than you can afford risking repossession of the house.
How did a fun night out turn into such a nightmare? A simple example, but might management caught up in the desire or pressure to win at all cost, start taking excessive risks and fall down a slippery slope? Risk appetite with clear intervention and escalation points would ensure this would never happen.
Covid-19 is the biggest crisis the world has faced causing untold disruption and loss and has created numerous decision points for business leaders. How does risk appetite apply? Risk appetite is not a static framework. Covid-19 has had significant business impacts which may have caused a breach of the Board’s risk appetite and changes to its priorities and attitudes.
Cashflows, financial obligations and covenants. For most organisations financial cashflows would be a risk type to define risk appetite, and the Board will normally not want to operate anywhere near the brink of collapse. The breaking point is a related topic referred to as risk tolerance. If your business is at or near this point this means you have likely already breached your risk appetite.
In this case all bets are off and we must get the business back in line with sustainable levels as a matter of priority – financial survival above all else. This might mean emergency funding and certainly all investments put on hold, employees made to furlough or redundancies which can impact any other risk or part of the business. This is a lesson to note, if you are in breach of risk appetite, then getting back into an acceptable position becomes the number one priority above all else.
Operational risks and safety. Whilst financial survival is of utmost importance, and therefore opening for business is essential, this doesn’t mean being reckless with other risks. We still want to do so safely so we must be putting in place risk assessments and appropriate controls such as social distancing, cleanliness and masks to protect employees, customers and the public.
Reputation. Many large and high profile organisations did not apply for government funding if they could afford not to because whilst liquidity and additional funds in times of crisis is always helpful, they recognised this came with potential for reputation impacts. This decision shows which organisations value their reputations more than financial risks (provided there was no implication of insolvency).
Strategic pivot. Some businesses were able to pivot during the lockdown. These change in directions should ideally align with the core purpose and enhance the long term reputation of the business, rather than pivot to do something completely different. The decision could be one that Board’s get involved in, as they would in normal strategy setting context.
Danny Wong is the CEO and founder of GOAT Risk Solutions Limited. While leading risk consulting in a mid-size actuarial consultancy he conducted a 3 year benchmark study of risk maturity. This research led to the idea that the market needs a simple, low cost risk software solution designed to raise risk maturity and GOAT was formed in 2018. The Covid19 lockdown reminded Danny that all businesses need to better manage risk. It triggered GOAT to pivot to become a fully digital software provider by reducing the price, increasing transparency of the product so that GOAT is able to deliver its vision to support risk management in a far greater number of businesses.