Update on the current board issues: May 2014

May 2014
  • Print-friendly version
BoardroomDirect®<br><span>Update on the current board issues: May 2014</span>

At a glance

Risk appetite should have a starring role in a company’s overall strategy and investment decisions. But the concept can be confusing.

Issue in focus

Download a PDF version of this Issue in focus 

The meaning of risk appetite

Risk appetite should have a starring role in a company’s overall strategy and investment decisions. But the concept can be confusing.

So what is risk appetite, and why is it so important?

By definition, it is the amount of risk an organization is willing to accept in pursuit of strategic objectives. When done right it is a robust process that can help management and the board understand exposures and make appropriate risk-based strategic decisions. [Read more in a new PwC publication Board oversight of risk: Defining risk appetite in plain English.]

While management is responsible for developing and articulating of the company’s risk appetite, the board is responsible for understanding management’s approach to risk appetite and having substantive discussions about it as part of strategy and risk oversight.

The risk appetite process starts with an understanding of the company’s strategic goals and objectives, stakeholder perspectives, risk culture, and risk experience. With this as the foundation, management continues by developing the company’s risk profile, risk capacity, qualitative risk assessments, and quantitative risk analysis and limits.

“The board and management can’t have a discussion about risk appetite until they understand the key risks involved,” said Robert Hagemann, audit committee chair at Zimmer Holdings. In order to facilitate this discussion, Hagemann’s board likes to start with a dashboard or risk matrix.

“Typically, what I have seen is a series of risks articulated by management,” he said. “Then there is some assessment of those risks, a discussion about the likelihood of something happening as a result of those risks, and the measures put into place to mitigate them.”

An important part of the risk appetite assessment process is making sure all stakeholders involved understands their roles, Hagemann said. “For instance, internal audit can come in and own the risk management process,” he said. “But the ownership of the risks themselves has to be at the highest level of management.”

Each company needs to determine its risk appetite based on its specific circumstances and objectives and management’s judgment. In order to effectively address risk appetite, a company must first have standardized and embedded risk assessment and analysis processes in place.

Companies can formalize their approach to risk by spelling out a written risk appetite statement. But risk appetite should be much more than just a statement about how much risk the company is willing to take on. It should be derived from a robust, ongoing process. Risk appetite can help a company get greater clarity regarding the risks it wants to assume and better understand the relative tradeoffs between risks and returns. Risk appetite discussions can help drive a company’s appropriate capital allocation, investments, and acquisitions.

“Companies that take a pragmatic approach to risk ― one that takes into account the company’s risk appetite and risk tolerance ― generally make better strategic decisions with fewer surprises,” said Michael Chagares, Director, PwC US Performance Governance, Risk & Compliance.

Questions boards should consider asking

When his board discusses risk management and risk appetite, Hagemann has three questions in mind for management: Do the risks keep you up at night? Are you comfortable with the risk mitigations that are in place? If there were no budgetary constraints, is there more you would do to further mitigate a particular risk?

PwC lists the following questions in its new publication:

  • Does the company have a continuous risk assessment process in place that identifies, prioritizes, and analyzes the key risks? Are the key risks aligned with the company’s strategic goals and objectives?
  • Does the company have an ongoing process to update its risk profile to respond to major changes in strategic direction, business activities, and the business environment?
  • Does the company have the capabilities required to assess and manage the risks it is taking on today and the risks that it will be taking on as a result of its strategic imperatives?
  • Does the company have a structured process in place to continuously evaluate and adjust its risk appetite and tolerances, both positive and negative, as goals and objectives change?
  • Are changes in the corporate risk appetite and tolerances communicated effectively to internal and external stakeholders and integrated into the company’s risk based strategic initiatives?