Risk appetite box, where do we stand?

The key question considered across the globe every day is “what is our risk appetite box, where do we stand?”.

A few months ago a member of Australia’s regulatory body for Financial services (APRA), Ian Laughlin, presented on risk appetite.  He opened his speech with the following statements.

“Ask yourself these questions:

  • Would you ever take up hang gliding?
  • Would you drive a car if the seat belt was broken?
  • Would you post a potentially compromising picture of yourself on Facebook?
  • If you were down to your last $1,000, would you bet $10 on a horse after a hot tip? 
  • $100? $1,000?
  • At age 65, would you invest 25 per cent of your super fund in the share market? 50
  • per cent? 100 per cent? Or none at all?
  • Would you jaywalk at a busy intersection to save a minute?
  • Would you have a one night fling? (e.g. at a reinsurance rendezvous!)

Now the answers to these sorts of questions start to give a picture of your personal risk appetite.”

An absolutely brilliant way to begin a discussion on probably the most important aspect of risk management.  Yet, for something so important, it seems that less time is focused on getting risk appetite right than establishing frameworks and processes for risk assessments and reporting!

Mr Laughlin details in his speech that “Risk appetite needs to be factored into strategic plans. It makes no sense for it to be developed in isolation from strategy or vice versa. So for example, targeted return on capital must be entirely consistent with risk appetite.”

We would also highlight that for risk appetite to be successful it should be articulated in such a way that it clearly guides all employees on where the organisation stands on delivering to its stakeholders, including its customers, it shareholders and its external parties such as regulators.

Consider risk appetite as representing the box in which you wish every employee to operate.  Any initiative, change or decision that occurs, or has the potential to occur, and takes the organisation outside the risk appetite box needs to be appropriately approved as being outside appetite.  And of course should be done with caution as the setting of appetite has been based on many internal and external factors.

Providing the risk appetite box enables an organisation and its employees to operate effectively and efficiently.  If all employees understand the elements of risk and therefore the edges of the box (being the risk categories), then decisions can be made with confidence.  Of course, operating within the box still does not guarantee that issues will not arise, as many organisations have suffered negative impacts from “inside the box” activity.  However, the key aspect here is that those events that take you outside the box are now well understood, and appropriate focus can happen from all parties inside the organisation to monitor and control the decisions within the box.  Many organisations can find that the distraction of activities outside the box, deflect their focus to the true issues inside the box!

In his speech, Mr Laughlin goes on to detail that “In practice, risk appetite can be and is expressed in a variety of ways. There is no established best practice here and APRA doesn’t prescribe a particular style.  However, in very broad terms, there are two approaches being used.  With the first, the RAS is a fairly succinct document, with clear bounds for the major risk areas for the business. This will be partly quantitative and partly qualitative. To be effective, this sort of RAS must have clear links to risk tolerances captured in other documents. These could be standalone documents for various parts of the business, or they might be captured in broader documents such as business plans. With the second approach, the RAS is a much longer and more comprehensive document, which provides both the high level perspective and the details of tolerances for operational purposes. So, it can be high level, and very qualitative; it can be detailed, and include quantitative measures; or it can be a mix of both.”

These two approaches to defining the risk appetite box are excellent examples of what to consider when developing your risk appetite statement.  Running a business is a balancing act between detailing every possible metric that your business manages to providing employees with the principles of how to operate.  In particular, start-ups and entrepreneurial organisations will not have a history of events and data to utilise to document their metrics.  This takes time.  Also, these types of organisations are most likely moving into new or unfamiliar territories and perhaps even changing the game, in this case the risk appetite box needs to be clear on the qualitative measures that employees need to understand.

Interestingly, for established organisations, they will find themselves having many sub business units, some of which will have much more historical data whilst others may be advancing a new idea or product.  In this case, a risk appetite box will need to consider both the qualitative and quantitative aspects to ensure it covers all aspects of the broad and diverse organisation.

Consider for a moment social media.  The majority of organisations did not even know what social media was in 2006, yet over the last 5 years almost every organisation has moved into this area.  So, how do you articulate risk appetite for something that did not even exist before 2004 and for which you have no experience or corporate knowledge?  In these circumstances, organisations need to consider the qualitative nature of social media risks and define what their appetite is for this area.  Is you appetite to engage customers and 3rd parties in conversation on social media?  What is you appetite for negative comments?  How will you handle inappropriate or misleading comments?  When will you make the decision to stop updating people on social media?  None of these questions provide a quantitative measure, maybe over time that will come, but in week 1 you do not really know even how many people will follow you and how many comments you will receive!  Imagine if you said, if we get 100 negative comments then we will stop using social media?  What happens if you have 10 comments, of which 9 are negative, do you stop?  This is an extreme example, but this is why defining your risk appetite up front is critical to business success.  But ensuring it makes sense for your business, your maturity and your strategy, is even more important.

Mr. Laughlin closed his speech with this comment, ” Finally, when you are next thinking about posting a compromising picture of yourself on Facebook, you might want to first consult your personal risk appetite statement!”.

This comment could just as easily have been about your organisation, and without your risk appetite statement, either personal or business, you may find yourself with issues that cause your business to suffer extreme consequences.  His speech, located here, is well worth reading.

Scott North
Scott North
Scott North has extensive executive and board experience in risk management, internal audit, operational risk and compliance, governance, risk strategy, scenario planning, technology risk, technology architecture, systems design, financial accounting, and management accounting. With Chief Risk Officers roles across financial services in Australia, Scott is an accomplished and experienced senior risk executive with extraordinary results in leading risk management teams. An innovative and process-focused leader, with an entrepreneurial style. Scott has a passion for innovation and digital. Scott is an experienced project leader across multiple disciplines including risk, finance and enterprise systems.

Read More

Related Articles

How to Ensure Your Sustainability Strategy Stays Clean

As we embrace the shift towards a greener economy, sustainability products are on the rise. However, with this growth, we've also seen an increase...

The Future of Australia’s Financial Services Industry: Embracing the Financial Accountability Regime

APRA and ASIC Spearhead a Revolutionary Change in the Financial Sector Introduction Today marks a significant milestone for the Australian financial services industry as the Australian...

Effective Risk Committees

Every Risk Moment Matters