Organisations are facing greater pressures as they strive to improve results. In these challenging times, boards need to be alert to heightened risk taking and pushing of ethical boundaries both by executive teams and, perhaps, by boards too. With these pressures in mind, now is a good time to review the effectiveness of risk appetite statements (RAS) to guide decision-making and behaviour.
Introduction
Star Casino’s “willingness to take risks in pursuit of financial goals has been appalling.”
“Our major concern with regard to the Star remains its culture.”
Philip Crawford, NSW Independent Casino Commission chief
Star Casino may be an extreme example, but as rates of change and levels of uncertainty increase both globally and locally, all organisations are facing greater pressures as they strive to improve results. In these challenging times, boards need to be alert to heightened risk taking and pushing of ethical boundaries both by executive teams and, perhaps, by boards too. With these pressures in mind, now is a good time to review the effectiveness of risk appetite statements (RAS) to guide decision-making and behaviour. VUCA Trusted Advisors undertook a research project in 2021, engaging with a group of experienced directors to gain greater insight into risk appetite statements. The directors who participated in our research project are experienced, with over 80% holding two or more board positions (mean 2.64 positions) and 70% holding at least one paid position. Their responses provide useful insights on the use and utility of risk appetite statements.
ISO 31000 Risk Management – Guidelines suggests that organisations should establish the scope, context and criteria for their risk management processes. Specifically, organisations should specify the amount and type of risk that they may or may not take, relative to objectives. Usually, this is set out in a risk appetite statement, often linked to a risk tolerance statement.
There are several broadly similar definitions of risk appetite, including:
“The types and amount of risk, on a broad level, an organisation is willing to accept in pursuit of value”
“The amount of risk [an organisation] is willing to accept in pursuing its strategic objectives. This sets the parameters within which management is expected to operate.”
Risk appetite statements are followed by risk tolerance statements which often provide detailed descriptions of individual risk tolerances, usually with clear metrics for each specific risk, to provide ‘guard rails’ for management (and boards).
This paper assesses if directors believe risk appetite statements are effective for setting the level of risk which their organisations are willing to take and for defining risk boundaries. The paper also considers insights into effective practices being used by boards to manage risk.
Purpose
The purpose of a risk appetite statement is well captured by ASIC:
“A sophisticated RAS enables the board to:
- communicate the desired risk tolerance for specific risks to the company
- monitor and measure how the company is operating against its stated appetite for a particular risk
- mobilise resources and strategies to return the company to within appetite where reporting indicates that it is operating outside appetite.”
70% of respondents to our research agreed that the purpose of a risk appetite statement is to define and communicate the Board’s view of acceptable risk taking for growth and decision making to executives and the organisation as a whole. There are naysayers or realists, depending on your view, who believe that RAS have no real purpose (8%) or are a ‘box-ticking exercise’ (7%).
“The theory behind the purpose is understandable, but in practice there is no utility in this exercise.”
Overall Findings
Respondents rated the quality and effectiveness of their primary organisations’ risk management framework statements and risk registers very positively, with 45% assessing them as very good to excellent. Perhaps not surprisingly, they also observed that there was considerable variation in the quality and effectiveness of risk management across the different entities where they were Board members. Boards were also keeping their risk appetite statements up to date and relevant with over 75% approving a risk appetite statement within the last two years. As boards are exposed to unprecedented change and uncertainty this is prudent.
Regulators and all mainstream corporate governance principles and standards require boards to have oversight of risk. 15% of respondents reported that their boards have never approved a risk appetite statement suggesting that they are not compliant or not up to date with their risk management practices.
Should directors apply their personal risk appetite or the entity’s RAS to board decision making?
“I have greater tolerance for risk when good governance and a strong management team is in place. If the team are weak and the company has poor governance in general, then I’m more risk averse.”
The principles that underpin corporate governance require directors to apply independent judgement and to act in the best interests of the organisation as a whole. Quixotic as it may be, this requires directors to apply both the entity’s risk appetite, set out in the risk appetite statement, and their own risk appetite to decision making. 70% of respondents supported this practice. To this extent, for decisions significant enough to require Board approval, a risk appetite statement is a guide, not a rule book. Risk tolerance statements may provide more definitive risk boundaries, but they should still not unduly constrain a director applying their own views.
Given the requirement for directors to apply their own risk appetites to a decision, it is beneficial for a Board to be aware of individual directors’ differing risk appetite traits or preferences, and to ensure that there is a range of personal risk appetites around the Board table. In this study ~40% of respondents considered themselves to be more tolerant towards risk taking than their colleagues, and 10% to be less so. Good quality decision making and robust analysis would be aided by boards having a range of director risk appetite preferences. However, this is generally not reflected in skills matrices and very rarely in director selection processes.
What practices lead to effective implementation of risk appetite statements?
A broad range of approaches are used by Boards to ensure RAS are implemented. The most commonly cited was regular reporting by the executive to the board, ranging from risk being ‘openly discussed between the board and executive’ to more structured reporting such as ‘Quarterly reporting against RAS tolerances and limits’. 50% of directors reported that their RAS is articulated or referenced in as many delegations and policies as practical. The common practice appears to be requiring business cases to analyse risks on a case-by-case basis:
“It is expected that proposals/business cases presented to Board are done so with risks articulated. However they don’t necessarily specifically reference our risk appetite statement.”
Only 8% of directors are on boards where business cases are required to reference the RAS. This is surprisingly low. Mandating reference to the RAS would be a simple way to increase awareness of the RAS and the Board’s expectations.
The approaches used by Boards to ensure RAS are implemented fell into five broad categories:
Governance
- Quality of cover sheets / documentation to Board regarding decisions and reference Risk as part of this process.
- A systematic approach to review of policy and performance, training of all levels including the board.
- Clear risk tolerance escalation across all operations areas of matters for reporting to Board so Management are clear on what matters need to be escalated or not based on risk tolerance/appetite of Board.
- The risk appetite needs to flow through to the enterprise risk management framework and all levels of leaders.
- Regular discussion on strategic risks to Board (eg: couple at each meeting rather than the once a year approach).
- Risk appetite statement should be reviewed on a regular basis – annually for example (unless there are some significant changes in external/internal environment that would warrant a review sooner).
Reporting
- We have clear metrics and bands where we fall outside of our risk appetite. This is tracked and reported quarterly.
- Dashboard reporting of risk KPIs presented to the risk committee.
- Risk appetite is linked to organisational KPIs and is reported regularly.
- Reporting against RAS tolerances and limits.
Business cases
- Major investments are always viewed through the spectrum of risk. Ours is a high-risk environment so reference to the company risk appetite is essential.
- Business case incorporation.
- Explicit discussion of each risk category when contemplating a new investment or initiative.
HR
- It is written into their role descriptions and systems are in place to monitor actions.
- Risk appetite is linked to and reflected in the organisational KPIs. In turn, the organisational KPIs are also reflected in the Executives’ personal KPIs which are reviewed by the Board.
- Hurdles for payment of bonuses help focus management.
Other
- Appoint a Risk Manager at senior management level to review, assess implementation and operation of risk management policies & report to the Board of Directors.
- Strong Chief Risk Officer who implements policy procedurally.
- Detailed quantification of risk and scenario planning.
- Reinforced in BAU practices and a cultural overlay: this is how we do business.
Culture and Risk
“Attitude and approach to taking and assessing and managing risk is an important part of the culture of an organisation, it doesn’t ‘trump’ culture.”
“If there isn’t a strong risk management culture, the policies are irrelevant”
“Risk must be imbued into culture and that starts from the Board and Executive”
Directors were asked “If culture trumps strategy, does culture trump risk management?” This was, perhaps, a simplistic question to pose to experienced directors. 60% agreed that culture trumps risk management, but of this number approximately one third had not formally assessed their entity’s culture towards risk taking and compliance. This is a shortcoming. If boards are looking for assurance that risk is being recognised and managed effectively, they need to understand an organisation’s culture and internal attitudes towards risk and compliance, particularly towards internal policies and procedures, and external laws and regulations. Boards need to gain insight into areas where ethical boundaries are being stretched and where attitudes towards risk taking are not aligned with the Board’s RAS.
As noted earlier, 58% of directors don’t have visibility of how risk is embedded in culture and performance management below the Executive level, implying a degree of overconfidence in the implementation of risk management. The practices used by Boards to gain visibility into middle management uptake of risk management include:
- Through internal audit assessments.
- Performance plans and reviews, training reports.
- A risk modifier within the remuneration framework that allows us to review compliance and risk behaviours of a number of levels below.
- Individuals are named in risk assessment and mitigation reports.
- The Chief Risk Officer is required to regularly report risk considerations to the Board.
- Through management direction and adoption of policy and procedures.
Conclusion
As external pressures mount and organisations strive to achieve results, assessing approaches to implementation of the risk appetite statement and the culture towards risk and compliance should be on your board’s radar. Boards need to lead risk management by not treating the RAS as a ‘tick box’ compliance activity and by actively supporting management in the change efforts required to implement and integrate the RAS into a broad range of governance and management processes. Boards also need to hold management to account when they operate outside of the RAS and risk tolerance statements.
This paper has identified a broad range of approaches currently being used by boards to ensure implementation, and has highlighted the importance of integrating the risk appetite statement into the organisation’s risk management framework, board reporting, internal policies, business case assessment and culture. Lastly, understanding individual directors’ appetites towards risk and seeking a diversity of views would aid decision making and avoid ‘group think’.
If you would like to discuss this article or would like more information on Risk Appetite Statements, please contact Paul Geyer: paul.geyer@vuca.com.au