sky diver, mid-air

Do Risk Appetite Statements Add Value?

4 minute read
Norman Marks avatar
I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.

Do risk appetite statements help business leaders make informed decisions? 

Enterprise Risk, the official magazine of the Institute of Risk Management, captured the most interesting takeaways from a Baringa Partners study in its Summer 2019 issue:

  • Only about 15% of respondents strongly agreed that “Statements provide a clear link with the firm’s strategy.” About 30% disagreed.
  • About the same number strongly agreed that “Statements provide a forward-looking view of risk,” while nearly 40% disagreed.
  • Only about 10% strongly agreed that “Statements are embedded into business decision-making.” Again, nearly 40% disagreed.

As the report states: 

"Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk."

Regulators want to make sure that firms do not put the continued existence of the organization and the investment stakeholders have made in jeopardy as it pursues profit.

General or Specific, Do Risk Appetite Statements Drive Action?

Risk appetite statements can be general in their language or specific, with metrics against which actual levels might be compared.

When they are general, talking about intent, such as “The Group has zero appetite for regulatory risk and a moderate appetite for the risk of litigation,” it is difficult to see how this affects decisions made either by the board or operating management.

When more specific metrics are established, such as “the Loans to Asset Ratio will be no more than 70%,” actual performance can be compared to the limits to confirm that it is in line with board-approved guidance.

But does such a comparison do enough to drive behavior in a dynamic environment? It's difficult to see how it is more than an after-the-fact check rather than a driver of management actions.

This is especially true when activity across the organization needs to be aggregated to compare to enterprise-level limits. For example, if I set an enterprise level target of “the Loans to Asset Ratio will be no more than 70%” but I have to aggregate Loans and Assets numbers across multiple business units and countries, how do I guide a Loan Officer in Guyana whether to approve a loan?

Related Article: How to Assess the Effectiveness of Risk Management

Do We Really Need Risk Appetite Statements?

Let’s step back and think about what we are trying to achieve: While regulators focus on preventing failure through reckless risk-taking, stakeholders should be concerned whether management and the board are taking the right risks for success (i.e., not just avoiding failure).

Success is achieved, and failure avoided, when management and the board make informed and intelligent decisions. Do risk appetite statements lead people to make informed and intelligent decisions?

Learning Opportunities

If they are not:

  • Linked to the firm’s objectives and strategies for achieving them, and
  • Forward-looking, and
  • Embedded into every important business process, and
  • Measurable and actionable …

… they will have little effect on decision-making or success. Arguably, they have little effect on avoiding failure as well.

I am not persuaded that ISO’s risk criteria are necessarily the answer either.

Rather than providing guidance and limits on risk, I prefer to consider:

  • What decisions have to be made for success?
  • What could go wrong and what needs to go right?
  • What information do decision-makers need?
  • Who needs to make the decisions and who needs to be involved?
  • How I can guide decision-makers to take the right level of the right risks?
  • How do I monitor performance to know when poor decisions are made?

Maybe the answer includes risk appetite statements. Maybe there are some aspects you cannot really quantify. Maybe you will have to rely on after-the-fact detection in some cases. You certainly have to satisfy the regulators. But you should also customize what you do to the needs and practices of the organization. 

I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.

What do you think?

Related Article: The Positive Side of Risk

About the author

Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.