We talk a lot about risk appetite, but what does it mean in practice? That was the question posed by Airmic deputy CEO Julia Graham at the Cambridge risk summit. The event also heard from a leading academic that knowledge is an often-neglected area of risk management.
Risk appetite as an easily defined, well ordered concept came under challenge during a panel debate at the Judge Business School, Cambridge Annual Risk Summit. Risk appetite is normally determined by the market, not by the board, argued one speaker. As he put it, “very rarely will the market reward you for being too cautious”.
Airmic deputy CEO Julia Graham took the question one step further by asking what is actually meant by risk appetite, arguing that it can be more art than a science to determine, at least outside the area of financial services. She pointed out that the expression ‘risk appetite’ does not translate well into some other languages, which is one reason why the ISO 31000 standard refers instead to ‘risk attitude’. Beware of cultural differences, she advised.
According to research, many organisations that set a risk appetite, she said, did not assess whether or not employees follow it. Of those that do, one in three find employees are taking decisions outside the agreed appetite. Furthermore, large organisations have more than one risk appetite, with significant differences between different parts of the business according to business function or region. Regional variations can be material with the United States for example, typically more cautious than Europe.
Challenged to produce her own definition of risk appetite, she said “How much risk a business is willing to take.” Looking back at her time as chief risk officer at a global law firm, they had laid down a strict central view of risk appetite (and risk tolerance), based on financial indicators which was incorporated into the firm’s risk policy, business plan and risk financing programme. This had been supplemented by regional risk statements, and embedded in the risk management training given to lawyers at all stages of their career. Despite the financial nature of the metrics used, determining risk appetite at the firm had been more art than science.
Knowledge “a much neglected area of risk management”
The management and use of knowledge to inform board decisions is a much neglected area of risk, according to a leading academic. The banking crisis had resulted in too much attention being paid to the damage caused by greedy and reckless individuals, Professor Mike Power of the London School of Economics told the Cambridge risk summit. You will always get risky employees, he said. What matters is the framework within which they operate.
Citing the Airmic report Roads to Ruin, he said it was essential to create and sustain a network for producing risk information that boards could use when making decisions. A chief risk officer has to collect disparate types of data, a task that involves working and sharing information with other parts of the organisation to develop what he called a “cultural dashboard”.
Crucially, he said, such information has to be filtered and edited to be genuinely useful. An important question is: who within the organisation collects information for oversight by the board and committees?
Power, who is Professor of Accounting, hit out at the common use of empty statements by some organisations and regulators. This could, he said, result in “the risk management of nothing”.