The board of directors plays a crucial role in a company’s risk management, often having the final word on targets and thresholds.
However, many of the enterprise risk management (ERM) frameworks they rely upon provide little guidance on risk decision making.
Some frameworks, for example, do not contain a risk appetite statement that articulates the level of risk an organisation is willing to accept, including the maximum permissible departure from that objective. Other ERM frameworks use such broad, qualitative statements on risk management that they are not useful in informing a decision or strategy.
Following are four key steps a company can take to effectively develop a risk appetite framework.
Educating a board on risk management, particularly ERM, before work begins on drafting a risk appetite statement can lead to a higher level of engagement.
Experience shows that asking board members for their opinions regarding unfamiliar risk topics is often unproductive, so much so that the process is sometimes discontinued.
A lack of clarity on governance, purpose, and strategy can undermine an organisation’s ability to form a strong vision on risk appetite.
For example, if a company lacks a defined allocation of responsibilities between its holding and operational companies, risk management discussions may see neither entity willing to assume the risks they perceive as being the other’s remit.
It is important to set achievable risk management goals. There should be alignment between the theoretical implications of an organisation’s risk appetite and its actual applications. For example, it would be illogical for a company to decide it had zero appetite for operational disruptions if the maintenance of its production facilities had been neglected.
Companies also need to determine which elements of risk appetite may need to evolve. For instance, if an organisation does not have a policy on climate change, discussions on the associated physical and transitional risks can often amount to no more than informal exchanges of opinions.
The effective development of risk appetite has been achieved by running practical sessions for boards, in addition to theoretical introduction sessions. These include “what if” exercises, where directors must decide on a course of action in response to a hypothetical scenario.
Questions for such an exercise could include:
To what extent can the company accept key business leaders leaving?
Is total service quality a mantra to stick to, or can some degree of divergence from this view be accepted?
What is the implication of varying levels of acceptance of longer payback periods?
Writing a risk appetite framework can be frustrating, resulting in endless discussions in the absence of a structured approach. Increasing a board’s risk awareness, defining key risk goals, and establishing accountabilities can help a company successfully integrate a statement with its risk management strategy.
If you have questions on risk appetite, please contact your Marsh representative.