Risk Appetite Frameworks for Corporates – Do You Know What Is on Your Plate?

 

by Lex Kriel, Associate Director, Monique de Waal, Senior Manager and Gerber Schnetler, Manager, Deloitte

Brexit. A looming sovereign credit downgrade. Nene-gate. Weak commodity prices. These are only a few examples of recent events that have rocked the local market to such an extent that risk management has to be a key priority for corporates. With continued uncertainty in key markets such as the USA, EU and China showing no signs of abating, the days of dressing up sporadic hedges as a risk management approach are over. Volatility is here to stay. 

Are risk appetite frameworks really relevant to corporates? 

In this environment, as in any other, the board and senior management are expected to manage their companies in the best interest of all stakeholders by maximising shareholder value and honouring commitments. This is a tough assignment at the best of times but even more demanding during the volatile environment of today. A strong risk framework will assist the board and management to weather the storms that could otherwise sink the company. 

In their risk management frameworks, most corporates tend to focus on operational risk, as it relates closely to their primary business operations. More often than not, financial risks arising from exposure to foreign exchange rates, interest rates or commodity prices are either tolerated or mitigated on an ad hoc basis. However, the prevailing volatility of local and global markets and the impact on the financial results, as well as the budgeting and forecasting process, can no longer be brushed aside as a temporary state of affairs, exogenous to the core business. The board and senior management need to have a clear view on how much risk the business is exposed to and, importantly, how much risk it is willing to accept, or in other words, have appetite for.

Businesses are built by taking on risk in one form or another - the old adage “no risk, no reward” rings true for all companies. The key to creating a sustainable and successful business is to fully understand the set of risks to which the business is exposed (i.e. defining the risk profile) and to decide what the maximum level of risk is that the business is willing or able to accept in pursuit of its objectives (i.e. defining a risk appetite). By understanding and managing risk, the board can capitalise on opportunities, avoid pitfalls and create a competitive advantage during difficult market conditions. As noted by the esteemed risk management author James Lam, “the only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming and embarrassing”. 

For most corporates, ‘risk appetite‘ is a somewhat foreign concept. On the other hand, banks and insurers have been developing risk appetite frameworks extensively over the last decade (although the maturity and embeddedness can be debated). These developments have been accelerated by the 2007/8 financial crisis and subsequent increased regulatory focus on early detection and pro-active recognition and mitigation of risk. Corporates, however, are largely left to their own devices when it comes to risk management, which all too often results in most companies having inadequate risk management functions. These are typically exposed only after adverse financial impacts have already realised (i.e. crisis management). As Warren Buffet famously said, “only when the tide goes out do you discover who's been swimming naked”.

Components of a risk appetite framework

This article gives insight into the establishment of a risk framework in corporates with emphasis on risk appetite. To enable boards and executives to make decisions that will benefit stakeholders, they need to have an understanding of what the risk implications of those decisions are. At the same time, executives need to have risk parameters within which they should manage the organisation to ensure the longer-term strategic objectives are met. These parameters are set by the board in terms of the risk appetite.

[[[PAGE]]]

Figure 1 provides a useful visualisation of the key concepts of risk appetite setting. 

Fig 1 – Risk appetite concepts at a glance   Source: Deloitte UK

 

• Firstly, a company must define and quantify its risk capacity, (Figure 1) i.e. the maximum level of loss or reduced earnings that can be absorbed without compromising shareholders’ key objectives, e.g. a certain level of dividend yield, return on investment or share price growth without excessive volatility. This sets the upper bound for losses that cannot be breached under any circumstances.
  
  
• The next step is to determine the risk appetite (Figure 1). This is the quantum of risk that the board believes will provide an adequate margin of safety within the company’s risk capacity whilst still enabling the achievement of the strategic objectives. Should this limit be breached, immediate corrective action must be taken to decrease the level of risk to within the appetite. 
  
  
• The upper trigger (Figure 1) serves as an early warning to management that the company is taking on more risk than planned and starting to approach the risk appetite. A breach must be escalated to the board to initiate discussions to establish whether the increased levels of risk are warranted given a set of opportunities that exist in the market, or whether the ‘taps’ should be closed on certain business lines to bring the risk profile back to an acceptable level.
  
  
• Depending on the nature of the business and the primary objectives of the company, lower limits and triggers (Figure 1) could also be defined. For certain types of risks, however, this might not be relevant, especially if actively taking on such risks require specialised skillsets or systems that are not feasible from a cost-benefit perspective (e.g. hedging foreign exchange risk with complex derivateive hedging strategies). In these cases the company will set its risk appetite at a relatively low level with no lower trigger or limit. For other types of risk, however, the ‘no risk no return’ principle applies, and it may thus be to the company’s detriment accepting too little risk (e.g. operational risks relating to production levels).
  
  

Companies in the financial services industry, such as banks, asset managers and insurers, use a myriad of risk metrics tailored to the nature of each risk type, with complex methodologies. How does a corporate decide which metrics are relevant, have interpretative value, and are quantifiable using existing systems?

Measuring risk

Risk quantification should be performed for all risk types that the company is exposed to. This would include financial risks, such as interest rate, foreign exchange, commodity, equity, credit or liquidity risk, but also non-financial or operational risks, which might be trickier to quantify and may require a qualitative instead of quantitative approach. To really provide insight into the risk profile, risks should be quantified for each business unit within the organisation. A useful way to report risks would be on a matrix basis, showing the probability and impact of each risk type, as depicted in Figure 2. Once management has such a bottom-up view, risk appetite is implemeted by translating it into limits that are cascaded on a top-down basis per risk type to the different business units. 

For this to have any interpretive value, however, the potential impact (Figure 2) must be quantified using an appropriate metric. For example, financial risks could be quanitified using stress tests (or simulation techniques for those more advanced systems); whereas operational risk quantification should speak closely to the business targets of the company. One of the most important aspects to bear in mind is that the purpose of risk management is not only to ensure all is well during normal market conditions, but more importantly, that the company continues to achieve its objectives during adverse periods. We therefore need to use intuitive risk metrics that speak to the company’s long-term strategic objectives and are suitable for stress situations. Most companies know they will survive under business as usual circumstances – but what if the unthinkable happens? To provide the board with peace of mind, the risk appetite and limits should be tested under stress scenarios. There are also numerous benefits to stress testing – the concept is easily understandable, it provides a great degree of flexibility, and is not necessarily too computationally intensive. Specific concerns that management might have can be translated into a ‘what if’ scenario fairly easily, e.g. what is the impact on earnings if USDZAR goes above 20 after a sovereign downgrade? It is, however, critical to not fall into the trap of defining mundane stress scenarios that provide a false sense of comfort, or not defining a wide enough range of scenarios, which leaves decision makers blind to potentially adverse events. There must be executive buy-in to the plausibility of the scenarios.

[[[PAGE]]]

Fig 2 – Illustrative risk matrix   Source: International Actuarial Association: Practice note on enterprise risk management for capital and solvency purposes in the insurance industry, 2008

 

Regardless of the level of sophistication of the risk metrics and their underlying methodologies, the following aspects are critical to ensure that risk appetite monitoring doesn’t become a black box, or another tick-box exercise without any real value to the business:

• Management and the board must have a solid understanding of what the risk metrics represent, and what the inherent assumptions and weaknesses of these metrics are. This cannot be over-emphasised as without this understanding, it is impossible to challenge the risk profile and ask probing questions. Many a spectacular corporate failure had its roots in poor understanding of risks taken or hedging strategies not being stress tested for severe adverse scenarios – Metallgesellschaft AG and China Aviation Oil, to name but two.
  
  
• Adherence to risk appetite limits should not only be monitored on a backward looking basis but should also be taken into account during strategic planning and the budgeting process. This will not only provide management with the capability to foresee and mitigate risks before they become problematic, but also to ensure that future pricing takes account of the risk that the business will be assuming.
  
  
• Independent validation of the chosen risk measurement methodology should be performed on a regular basis. 
  
  
• A useful approach is to perform reverse stress testing. In the most basic terms, this involves designing a stress that would result in a breach of appetite or capacity. This may provide insight into what event could sink the company.

Support structures

Up to this point, we have addressed the purpose and components of a risk appetite framework, and why it is an important management tool. We have also addressed robust risk measurement and monitoring fit-for-purpose risk metrics against limits on a business unit and risk-type level. But what else is required to build a sound risk appetite framework?

• A strong risk monitoring function, which independently identifies, quantifies, monitors, reports and challenges the level of risk. To ensure good governance and proper segregation of duties, it is critical that this function reports to a risk or finance head to ensure independence from the business units including treasury who essentially take on and manage risk from the front lines.
  
  
• A healthy risk culture, which starts at the top with buy-in from the CEO, executive management and subsequently business heads, and is championed by the risk or finance head. An efficient mechanism for implementing risk culture swiftly, is to link remuneration to performance against risk-based objectives, such as risk appetite utilisation or risk adjusted performance metrics.
  
  
• Healthy risk governance using established forums at appropriate levels that review and challenge the levels of risk taken within the company. It is important that such interrogation is not limited to the quantity of risk taken, but also the types of risks assumed. Governance includes well-defined roles and responsibilities, policy statements and monitoring adherence to all aspects of such policies.
  
  
• Regular review of the risk appetite framework to ensure that new risks are identified, including those that might be difficult to quantify. Revision could also be backward looking to assess whether the risk appetite framework in its current form has been effective in terms of supporting strategic business and risk objectives.
  
  

 [[[PAGE]]]

Conclusion

The benefits of risk appetite frameworks should be clear at this point – insight into the risks a company assumes and commitment to manage these proactively will translate into fewer surprises in the financial statements, and less vulnerability in the business and support areas. A robust risk appetite framework can also:

• Increase stakeholder confidence.
  
  
• Create a competitive advantage, as there is better insight into pricing for risk.
  
  
• Balance earnings and risk objectives by enabling budgeting and forecasting on a more insightful basis.
  
  

With markets in their current state, it is critical for management to make the required mind shift from passively accepting certain risks or only managing them to a limited extent, to taking responsibility for the risks assumed and therefore actively manage it by allocating risk appetite and limits to where risks can be taken more strategically. A robust risk appetite framework will give the board peace of mind that risks will be managed within the parameters they have defined.

 

Lex Kriel Associate Director, Deloitte  Lex specialises in asset and liability management, integrated profitability measurement, risk management and general banking practices. He has over 20 years of experience in financial markets, corporate treasuries and banking, in both management and consulting roles. Key clients include major banks and corporates in South Africa, the Middle East and Africa.

 

Monique de Waal Senior Manager, Deloitte Monique focuses on financial risk management in banks and corporates. She has more than 10 years of professional experience in financial risk management. The scope of her experience stretches across 14 African countries, and across the banking, mining, oil & gas, communications and manufacturing industry.

 

Gerber Schnetler Manager, Deloitte  Gerber is a qualified actuary who specialises in enterprise risk management across the financial services sector. He has five years of professional experience across the South African and African insurance and banking industries where he has been involved in development, design and review of risk appetite and stress testing frameworks.