Businesses are built by taking on risk in one form or another. The old adage “no risk, no reward” rings true for all companies.
The key to creating a sustainable and successful business is to fully understand the set of risks to which the business is exposed (i.e. defining the risk profile) and to decide what the maximum level of risk is that the business is willing or able to accept in pursuit of its objectives (i.e. defining a risk appetite).
By understanding and managing risk, the Board can capitalise on opportunities, avoid pitfalls and create a competitive advantage during difficult market conditions. Risk management frameworks are a valuable tool in this regard.
Companies that do have a risk management framework often focus on operational risks – and understandably so, as it represents the most significant risk for a typical corporate – but more often than not, financial risks arising from exposure to foreign exchange rates, interest rates or commodity prices are either tolerated or mitigated on an ad hoc basis.
We however find ourselves in the situation where the prevailing volatility of local and global markets and the impact on the financial results, as well as the budgeting and forecasting process, can no longer be brushed aside as a temporary state of affairs, external to the core business.
The Board and senior management need to have a clear view on how much risk the business is exposed to and, importantly, how much risk it is willing to accept, or in other words, have appetite for.
As noted by the esteemed risk management author James Lam, “the only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming and embarrassing”.
To enable Boards and executives to make decisions that will benefit stakeholders, they need to have an understanding of what the risk implications of those decisions are.
At the same time, executives need to have risk parameters within which they should manage the organisation to ensure the longer term strategic objectives are met. These parameters are set by the Board in terms of the risk appetite, which is derived as follows:
- Firstly, a company must define and quantify its risk capacity, that is the maximum level of loss or reduced earnings that can be absorbed without compromising shareholders’ key objectives. For example, a certain level of dividend yield, return on investment or share price growth without excessive volatility. This sets the upper bound for losses that cannot be breached under any circumstances.
- The next step is to determine the risk appetite. This is the quantum of risk that the Board believes will provide an adequate margin of safety within the company’s risk capacity whilst still enabling the achievement of the strategic objectives. Should this limit be breached, immediate corrective action must be taken to decrease the level of risk to within the appetite.
Risk quantification should be performed on a regular basis for all risk types that the company is exposed to and tracked against the set risk appetite levels.
This can be done using qualitative metrics for operational risks, and quantitative metrics, such as stress testing, for financial risks.
To really provide insight into the risk profile, risks should be quantified for each business unit within the organisation.
What else is required to build a sound risk appetite framework?
- A strong risk monitoring function, which independently identifies, quantifies, monitors, reports and challenges the level of risk. It is critical that this function reports to a Risk or Finance head to ensure independence from the business units including treasury who essentially take on and manage risk from the front lines.
- A healthy risk culture, which starts at the top with buy-in from the CEO, executive management and subsequently business heads, and is championed by the Risk or Finance head. An efficient mechanism for implementing risk culture swiftly, is to link remuneration to performance against risk-based objectives, such as risk appetite utilisation or risk adjusted performance metrics.
- Healthy risk governance via established forums at appropriate levels that review and challenge the levels of risk taken within the company. It is important that such interrogation is not limited to the quantity of risk taken, but also the types of risks assumed.
- Regular review of the risk appetite framework to ensure that new risks are identified, including those that might be difficult to quantify.
The benefits of risk appetite frameworks thus include insight into the risks a company assumes and commitment to manage these proactively, which will translate into fewer surprises in the financial statements, and less vulnerability in the business and support areas.
A robust risk appetite framework can also increase stakeholder confidence, create a competitive advantage, and balance earnings and risk objectives by enabling budgeting and forecasting on a more insightful basis.
With markets in their current state, it is critical for management to make the required mind shift from passively accepting certain risks or only managing them to a limited extent, to taking responsibility for the risks taken and, therefore, actively manage it by allocating risk appetite and limits to where risks can be taken more strategically.
A robust risk appetite framework will give the Board peace of mind that risks will be managed within the parameters they have defined.
Lex Kriel is Associate Director and Monique de Waal, Senior Manager at Deloitte Financial Services Advisory
This article originally appeared in the ACTSA 2016 Journal (“The Southern African Treasurer”) published by TMI.
Very true