Published: May 01, 2010
Risk appetite… this notion is something of a paradox in times of crisis. Generally speaking, no one likes risk; we all strive to limit it as much as possible. However, behind this notion is hidden the idea of determining a company’s profile. Without a precise definition of its profile, how can one adopt the appropriate strategy that would be approved by the company’s shareholders? Defining this profile is a prerequisite for ERM (Enterprise Risk Management). In this article, we will demystify this somewhat confusing concept.
The touchy subject of ‘risk appetite’ always sparks heated debates. The term itself originated in the English-speaking world, and the approach is not universally embraced. Many CFOs prefer the idea of a ‘risk profile’, which is less harsh and more ‘sellable’ internally. Having an appetite for risk is a strange concept, isn’t it? Generally speaking, no one is hungry for risk. Yet this notion, which everyone agrees is complex and even a bit mysterious, is nevertheless the cornerstone of an actual ERM (Enterprise-wide Risk Management) process. The ERM policy must or should contain the foundations of ‘risk appetite’ in its set of defined rules. Within this concept, there is the idea of measuring the types of risk that the company is willing to keep and those that it is prepared to sell, to eliminate or to mitigate by various means, and to incorporate this into the group’s risk management strategy (see British Standard Institute’s Code of Practice on Risk Management BS 31100 published in October 2008 – www.bsigroup.com).
The companies risk appetite cannot go against its fundamental, founding values. It all must be consistent.
This concept varies from company to company, depending on their own risk culture and on the industry, the degree of centralisation and the maturity of the ERM process. Just as there is no single ERM solution applicable to every company, neither is there a miracle ‘risk appetite’ solution that applies to every organisation. Although the criteria are often quantifiable (e.g., credit rating minimum, leverage maximum, cash flow at risk with set limits, maximum risk concentration level per client, and others), the same is not always true of risk appetite. As a result, it is not based solely on numbers, but is also influenced by principles and measurements related to social or environmental considerations and reputation. This notion will therefore also be defined by more qualitative criteria, such as maximum tolerance to operational risk, minimum compliance with current regulations, and others.
This risk appetite charter must specify what is acceptable and what is not. The degree of risk ‘acceptability’ must be determined based on the strategy adopted by the senior management and must meet the expectations of the company’s stakeholders. The next step is to determine what has to be covered and what does not, what can remain exposed and what cannot. One golden rule would be always to ask whether a shareholder or employee would be surprised by the announcement of a loss due to the particular risk in question. Unacceptable risk is a risk that would not contribute to attaining the company’s strategic vision or would not provide a strategic or competitive advantage for the company. In order to establish precisely what the appropriate level of risk appetite is, it is first necessary to test the likelihood of a worst-case event and its consequences in financial terms. From there, one could say that all ERM measures should then fall into place. We might compare this concept to a car, when we say that the better the brakes, the faster it can go. Simply put, in order to learn how to drive faster, one must be aware of the car’s potential, its technical limitations and its breaking ability. This is the approach that will generate added value for a commercial company. The British BS 31100 document may become a benchmark for defining risk profile. [[[PAGE]]]
When reviewing the ERM process of a company to determine its rating, a rating agency hopes to find a chapter on risk appetite, since this is essential for ascertaining the company’s complete operational approach (see www.standardandpoors.com). The agency’s objective is to identify the risk profile and how it relates to the operational limitation structures established to cover these risks and limit them. S&P, for example, tries to determine whether the strategy pursued and the methods used are consistent with this predefined profile.
To establish a risk profile successfully, it is crucial for the executive management to guide the process directly, with support from the CFO. It is important to keep in mind the company’s own risk culture and to use its past risk-related decision-making as a basis. Non-financial parameters must also be included. By testing the company’s capacity to absorb and tolerate risk, these limits can be calculated precisely. Reports to the management and board of directors should reflect the risk appetite and risk tolerance. The company’s risk appetite cannot go against its fundamental, founding values. It all must be consistent. Finally, the basic advice is to start out simply and then increase the complexity gradually. The risk profile will then take the form of limitations, percentages, ratios to be maintained, key indicators and other quantifiable, identifiable measurements. In this respect, EVA (Economic Added Value, a point of reference for many companies) is an important starting point and reference measurement.
In order to establish this set of limits and criteria, the management will have to answer a few essential questions surrounding the notions of cash flow volatility, EBIT(DA), return on investment objectives and others. What rating level do we want to maintain? What is the maximum loss over one year, three years, or ten years that we are willing to accept? What is the confidence level on the payment of dividends? How much volatility are we willing to accept in terms of results? In terms of return on capital?
Based on its consensus regarding strategic objectives, the company will be able to define its risk profile. The company must be able to manage its business activities without exceeding its maximum risk absorption capacity. In theory, a formally established risk appetite should be comprehensive enough to take into account the specific concerns of the stakeholders and to give the company a basis for keeping its risk within the tolerance limits. Many people talk about it, but few do this effectively. What should such a risk profile document contain?
The concept of risk profile is not addressed by companies in their annual reports or websites. This is regrettable.
The document defining the company’s ‘risk appetite’ is often simple. It is necessary to start out with a basis that will be enhanced along the way and become gradually more complex. It will also evolve with the life of the company, as the organisation develops. At first it will be incomplete, non-exhaustive, and will address only a few key points for the stakeholders. It generally covers the financial aspects of liquidity, solvency, creditworthiness, revenue and financial ratios (like in the example in the table). Traditional points of reference are found, such as ratings, financial agreements (occasionally modelled after those required by the credit facilities), VaR and sensitivity analyses or other stress scenarios. This serves as a basis for setting operational limits and boundaries. Often, it is aligned with the annual budgeting process and capital allocations. The long-term view (three to five years) is usually missing from this document. Just as often, we notice a lack of consistency in the overall definition of this risk appetite. The qualitative and operational aspects should not be concealed either. The document must mature and improve with time, and history will help to refine the levels set and to specify them in greater detail. Generally what is lacking is the communication aspect. The company does not communicate its levels with all of its stakeholders, even when they are commendable and advantageous for them. The concept of risk profile is not addressed enough by companies in their annual reports or websites. This is regrettable.[[[PAGE]]]
The difficulty lies in talking about risk appetite. It is a sort of paradox, as who can claim to be hungry for risk? Generally speaking, no one can. Setting a framework and limits is often perceived as a constraint that will oblige the CFO or the CEO to set his own limits and force him to follow them. On the contrary, as the treasurer likes to have a clear policy of what he can and cannot do, the CFO must establish a framework for himself, if it is not established for him, within which he must work, without diverging from it. Although this framework might seem limiting, it actually frees the CFO and gives him tools he can use to reason with employees in order to contain and prevent excesses and sources of unacceptable or intolerable risk.
A manager needs limits within which he must work. Without these limits, we run the risk of going astray or getting off track entirely. The greatest challenge is being able to align this risk profile with the company’s strategy. Then it is necessary to communicate it to the world outside, and particularly ratings agencies and the financial community. Like an athlete, the CFO must know the limits of his body, his abilities and his extreme tolerance threshold in order to determine how to train and how far to take it, and whether he can survive if he exceeds the limits. This profile is never set in stone. It will evolve with the company.
How Thought Leadership Can Reduce the Cost of Sales by Patrik Havander, Havander & Partners A focused attention on the costs incurred by the global sales and marketing processes is becoming increasingly important for corporate banks and their transaction banking departments. While the client/bank relationship remains vital, research has shown that in fact relationship selling […]
