What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto


Thursday, July 11, 2013

A failure of risk appetite

A recent survey titled the Expectations of Risk Management, It's time for action, leaves the expectations kind of wanting quite frankly. Published by KPMG in co-operation with the Economist Intelligence Unit, the survey encapsulates some excellent results and across various aspects of enterprise risk management. Don't misunderstand me, the survey is fantastic but those being surveyed might need a touch of help.

Specifically, I am rather disheartened to see that setting and measuring risk appetite appears to be a rare thing to consider for most executives in business.

Majority of firms fail
If you ever pondered why so many firms failed during the credit crisis and why so many investors lost half their entire life's savings, you often have to look no further than directly at the way these people set their risk appetites.

It has been found that out of no less than a thousand C-suite executives surveyed (CEO's, CFO's CRO's), only 19% have enabled a risk appetite statement in their businesses and it follows that without a risk appetite statement or even a definition being in place, the other aspects of risk measurement will be unfastened at best. In some cases, measuring risk against return may not be in place at all. Additionally, we aren't dealing with small garage workshops here either but companies with revenues in the range of a billion plus.
  
Massive failure to measure risk appetite | Causal Capital  [Click image to enlarge]

Most risk managers will accept that establishing a formal process for defining, capturing and measuring risk appetite is quite a challenging exercise to entertain. However, failing to achieve this requirement can spawn some very unwanted outcomes in the world of risk management especially for large integrated and complex firms.

Before we dive into why risk departments fail with this risk appetite task, we should perhaps define what Risk Appetite means. The risk standard COSO, has it labeled as "the amount of risk an entity is willing to accept in the pursuit of value".

If risk is thought of as uncertainty in objectives, then it would follow your appetite for risk could be equivalent to how much uncertainty you are willing to accept to reach your goal. In a different way of thinking it is discerned as the distance between what you don't exactly know and what you desire.

So then if risk appetite is easy to define, why are so many firms failing to explain or measure it?
  
Why is it so difficult?
There are several reasons why risk teams drop this requirement, there always are numerous dilemmas with risk management paradoxes and different analysts seem to be stumped by alternate problems. To avoid discussing in detail a huge array of various difficulties, let's list the common hurdles that need to be overcome so that we can have risk appetite tracked and embedded in a business. If being verbose is a bit of a torture for you and you'd prefer a quick review of these hurdles, I recommend you grab the schematic on risk appetite at the end of this posting.

Okay then, steps for risk appetite ...
[1] Businesses need to establish a risk framework, business unit map, definition structure and taxonomy that can be used to measure risk. At the outset, risk appetite may not actually be embedded in the risk reporting system and good operators will often bring their risk reporting framework into operation before attempting to review risk appetite. This is a subtle point to accept but risk appetite is easier to work with when you specifically have risk information to review and we'll call this risk information or data, DATA SET A.
[2] The next effort on the risk appetite 'roadmap' would see risk teams examining financial data around returns, profit or rolling business outcomes, as well as the associated costs for business units. Much of this information will be harvested from the finance department of course but risk teams will need to dashboard or report exposure downside and costs against revenues, sales and profit taking. If we are to understand the tracking error in risk appetite, we need to show risk and return along side each other. These financial profits, returns and costs become our second data series or DATA SET B in the quest for measuring risk appetite.
[3] In general, business units will already have some form of risk appetite in place and every human has an inbuilt risk appetite system running through their minds. 
So then, what is the problem? 
Well in short, our mental models around risk appetite are part of our individualism and everyone's risk appetite is going to be different. 
What one person classifies as a risky business, another soul might have an appetite for. To ensure it is clear that prevailing risk appetites are captured across the entire business, policy and control information around risk taking needs to be recorded in the risk system. In part, much of this policy information will come from DATA SET A but it will be framed differently as DATA SET C.
[4] Now we are ready to go, we report DATA SET A with DATA SET B against DATA SET C and we compare these data sets alongside each other in a single report. 
Sometimes risk managers might even model a correlation between the different data sets to identify if the outcomes from objectives are consummate of the costs taken to reach those objectives. Either way we now have a risk appetite result report to work with. All this aside, this is just the beginning on risk appetite.
[5] Monthly, Quarterly or whatever, senior managers will review the result report and change risk appetite policy to directly impact the cost/profit/risk in their business model. The outcome of this review also needs to be tracked and changes to risk appetite policy would normally be recorded as a point in time decision on why senior managers have chosen to take on more risk or let it go.
The following diagram below outlines these five steps in a pictorial format.
  
Fixing Risk Appetite | Causal Capital  [Click image to enlarge]

If there is one effort that should be considered high and critical on the agenda of requirements for the risk management department, it would definitely be; defining, setting and tracking risk appetite across a business ... Why is that? Well, it is perhaps the biggest area of risk management that can be of a value add for any company.

The survey on Expectations of Risk Management Outpacing Capabilities can be downloaded from the following [ LINK ].

The complete infographic for this posting can be found here LINK ].

No comments:

Post a Comment