Pursuit of business goals involves, in many of your decisions, exposure of company capital to various risks. With the passing of time, your capital position gets either strengthened or eroded by virtue of the decisions you take or your inaction when you would rather make some decisions. In worst cases, the erosion of capital builds up to ultimate closure of business enterprises. Most of the collapse of entities seen in the financial services sector usually relates to carrying excessive risk; whether the risk relates to normal business decisions taken recklessly or consists of acceptance of totally illegitimate risk elements such as financial malpractices.
The level of risk that your business carries must therefore be defined and your decisions must be made within the set definitions. These definitions may not be cast in stone and an entity’s management will know when exceptional choices should be made for the good of the overall business strategy.
The Risk Management Society, a global not-for-profit organization dedicated to advancing risk management for organizational success defines risk appetite as the total exposed amount (of capital) that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. This will also involve accepting a level of uncertainty by an organization whether this acceptance is in totality or narrowly within business units, particular risk categories or for specific initiatives. How much risk an organization accepts will impact its future status and will either improve its standing or worsen its position. An organization’s risk acceptance intentions are communicated in the organization’s risk appetite statement.
Generally, companies that are more focused on the potential for a significant increase in value and earnings will have higher risk appetite whereas those that prefer stable growth and earnings will be risk averse and run with a conservative risk appetite. The balance between these two modes of operation will be informed by stakeholder preferences as well as the nature of the organization and the industry they play in. For regulated sectors, regulators will often spell out some of the relevant requirements.
Risk appetite statements are in both quantitative as well as qualitative form. Quantitative risk statements spell numeric thresholds on items such as the maximum tolerance for credit risk, the maximum permissible concentration of revenues in any one client sector, maximum volatility in earnings, minimum excess liquidity available to the organization and similar others. Qualitative risk statements on the other hand address aspects such as regulatory compliance targets, the organization’s stance on fraud, reputation risks, business accept-reject decisions, the required characteristics of business partners with whom relationships will be created and business mandate.
These statements have to be within the broader strategy context of an organization. Like all risk management decisions, there must be cost considerations before action is taken in compliance with what your risk appetite statement says. It is also important to understand the risk attitudes of the organizations internal and external stakeholders and logically balance the statements with expectations of stakeholders. It is for example self-defeating to put in place statements for an insurer that are opposed to the known and acceptable reinsurance arrangements that your business partners want, unless you can influence those partners to your desired position without harm to your relationships. Neither is it useful to have statements that are contrary to emerging regulatory trends such as the need for continually improving money laundering control.
For these statements to add worth to your business there have to be appropriate risk-reward considerations, a good understanding of potential changes in enterprise value that will arise from risk taking decisions and your risk appetite levels have to be driving the entity towards strategic objectives. This creates a business environment where risk decisions are taken with forethought as opposed to having a random approach that often results in “fire-fighting” the negative impact of business choices made by your management team.