Enterprise Risk Management—ERM: What's your appetite? 02/08

Enterprise Risk Management

ERM: What's your appetite?

Corporate boards must assess risk appetite and capacity to assume risk

By Michael J. Moody, MBA, ARM

Serving on a corporate board is no longer the “plum” position it used to be. The past eight to 10 years have seen major changes in the collective and individual responsibility of board members. And a plethora of lawsuits has confirmed just how responsible a board is for the overall success of a corporation. The days of jetting off to some exotic location and just “showing up” for the board meeting have come and gone. Membership on today’s corporate boards is serious business.

A recent issue of Corporate Board Member provided some insight into just how serious the issues facing today’s board are and noted that the key subjects on the board’s agenda for 2008 include the following:

• Long-term strategic planning
• Mergers and acquisitions
• Succession planning
• Stock option accounting issues
• Board education
• Risk management

When it comes right down to it, it’s the board’s ability to execute and innovate that results in a successful venture. And the magazine concluded by stating, “The way you did it last year is probably not good enough next year.”

ERM is a key strategy

For more and more corporations, enterprise risk management (ERM) is a key element of their long-term strategic plan. And one of the first issues that must be addressed in any ERM program is determining an entity’s risk appetite. The Enterprise Risk Management - Integrated Framework, which was published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk appetite as:

The amount of risk, on a board level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and, in turn, influences the entity’s culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, moderate, low; while others take a quantitative approach, reflecting and balancing goals for growth, return and risks.

From this, one can see that the concept of risk appetite is a critical element in the ERM process, and it is directly related to an entity’s overall strategy. From that standpoint, the organization must consider risk appetite in strategy setting since different strategies expose the firm to different risks. ERM helps management select a strategy that aligns anticipated value creation with their risk appetite.

Many experts consider risk appetite as the broad-based, holistic amount and type of risk that an organization is willing to accept as part of its overall strategic business plan. Typically an organization’s risk appetite relates directly to the entity’s culture and strategy, but it also relates to its capacity to assume risk. For example, many organizations may be willing to maintain significant amounts of risks; however, they lack sufficient capacity to assume that level of risk. This is what makes determining an organization’s risk appetite so difficult.

Another view of risk appetite

Ernst & Young (E&Y) provides another definition of risk appetite in Discovering Risk Appetite. E&Y states that risk appetite is, “A measure of the amount of total risk that a company is willing to accept in pursuit of its business objectives and goals.” Additionally the report notes that risk appetite “is directly related to a company’s capacity to accept risk, as well as its culture and strategy, its competencies and its risk management capabilities.” E&Y points out that the experience over the past 10 years is that corporations that have destroyed significant shareholder value failed to understand the risk they were taking. Further they note that those organizations “did not measure their level of risks properly and, as a result, did not manage their businesses to operate within the risk appetite of their stakeholders.”

The importance of selecting the proper risk appetite cannot be overstated. “At the strategic level,” says E&Y, “the crucial aspects of ERM are the holistic assessment of risks and the explicit definition of risk appetite.” As a result, risk appetite is a foundation element to an effective ERM program. And just as important, according to E&Y, is that risk appetite serves as a critical link between strategy and risk management.

To illustrate just how important risk appetite has become, E&Y points out how third parties are determining that companies need a more well-defined and consistent approach to risk appetite. They note that most of the rating agencies such as Standard & Poor’s and Moody’s both have issued new guidelines for assessing ERM for insurance companies. And they indicate that one of the key elements of the ERM rating is the “formal articulation of a risk appetite.” This, of course, has further heightened the need to develop a formal approach to risk appetite capabilities.

Risk tolerance

Closely related to risk appetite is risk tolerance, which COSO indicates is “the acceptable variation relative to the achievement of an objective.” Thus in setting an organization’s risk tolerance, its management must consider the relative importance of all the related objectives and then align those tolerances with its overall risk appetite. Operating within the established risk tolerances helps ensure that a corporation will remain within its risk appetite and, in turn, that they will still achieve their objectives.

Thus risk tolerance is frequently described as a specific maximum applicable to each class of risk with regard to the magnitude and types of risks an organization is willing to take in order to achieve its business strategies and objectives. Further, risk tolerance provides this guidance while the organization is operating within its risk appetite. From an enterprise level, the risk tolerances should be set such that the aggregation of all risk tolerances ensures that the organization ultimately operates within its ultimate risk appetite.

Conclusion

Risk appetite has become an extremely important and central issue with regard to ERM. Risk appetite typically provides an objective measure which can act as a cornerstone for making both long-term strategic decisions as well as day-to-day tactical decisions. If done properly, the firm’s risk appetite will provide the operating units with a clear mandate as to the type of risk and amount of risk that is acceptable to the board. And it will also provide a method for stakeholders to assess management’s willingness to assume risk and serve as a critical link between risk-taking and decision-making. In essence, an effective risk appetite can help an organization create and sustain the value expected by its primary stakeholders.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.