Every other white paper on risk management seems to have something to say about this issue, but search the annual reports of the Fortune 500 and you'll find almost no evidence that companies think things like risk appetite are important enough to share with stockholders or other stakeholders.
This is not to say that there isn't a wealth of information on specific risks in those same reports; there is. But the greater strategic issues of defining appetite, capacity and tolerances are usually ignored. Should they matter? I think so.
So what's so important about this topic? Well, it matters on several levels, but most significantly, evidence that companies understand the relationship between their appetite for risk and their capacity to absorb risk should be critical to stakeholders who look for assurances that management and governance understand the risks the firm is exposed to (voluntarily and involuntarily), the risks it is taking and, equally important, the risks it is avoiding.
Only through the full articulation of the elements of risk management strategy can stakeholders feel confident that the firm is acting reasonably and with prudence relative to its competitive landscape. So let's understand what these elements mean and how they should be used, since this is often where management gets off track.
Think of the relationship between the concepts of capacity, appetite and tolerances as a hierarchy. At the top of this hierarchy is capacity. I view capacity as the largest bucket of risk-taking wherewithal, where losses could be absorbed to a degree that pushes the firm's key financial performance to minimum acceptable levels, just preceding the point of failure, but from which recovery is likely. Perhaps AIG would be an example; perhaps not, since the government intervention is considered by many to be beyond the norm. Absent that intervention, it is believed by many that AIG would have failed.
Risk appetite, on the other hand, can be thought of as that level of aggregate risk a company's management and governance have determined can be prudently taken (potential aggregate unexpected losses) and still meet key financial performance commitments and stakeholder expectations.
This goes beyond expected losses, theoretically built into the operating plan, to a level of aggregate loss that might be found at the actuarial tail (for example, a 95 percent confidence level, or a 1-in-20 outcome). This differential between expected and extreme loss levels is where many get off track on this measure of risk-taking, especially since "expected" losses are often not accounted for in operating plans.
The lowest level of this hierarchy is reflected in the many risk-specific tolerances, which should be set to define how much loss can be absorbed in those categories by all risk owners in the firm that may have a portion of these exposures. A common example in a financial services environment would be the amount of fraud losses that are managed to: typically a point set above the expected level of losses that triggers a response.
That response could be further controls, improved controls, elimination of the risk or a decision to accept a higher level of loss, perhaps based on the enhanced profitability a new product brings to the firm. In any event, these tolerances are the focus of day-to-day operating management. Taken together, understanding how these concepts of risk-taking relate to each other is critical to effective risk management.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
July 1, 2009
Copyright © 2009 LRP Publications