When I was a kid in Texas, I would spend most weekends squandering my hard-earned allowance at the local arcade. The arcade was the place to see and be seen, where you could connect with friends away from parental supervision and escape into the fantasy world of gaming, a much more analogue experience than today's online gaming and social networking communities.
Back then, only two types of arcade games existed: shooter and strategy. You could waste all your ammo randomly pointing and shooting, or take a little more time strategising. The latter was my preference at the time and worked to my benefit later in life as a risk manager.
Two of my favourite games, which were also two of the first commercially successful video games, were Asteroids and Space Invaders. They were already considered classics when I started spending my first summer with the cool, older kids in those dark arcades
at the mall.
Asteroids was a multi-directional shooter, while Space Invaders was the first fixed-shooter video game. Both were space-themed, which really resonated with most kids given the popularity of Star Wars and The Empire Strikes Back with our generation. Asteroids and Space Invaders were not strategic games by design. The player would simply point, shoot and dodge return fire, asteroid fragments and other dangers. They were both very reactive games.
By contrast, another video game that came out around the same time was intentionally designed differently, to attract a broader audience. Like the others, it required and developed hand-eye coordination and muscle memory; unlike the others, it also required a little strategy and some risk-based decision making. That game was Pac-Man.
The goal (think business objective) of the game, and of each round really, was simple: gobble up all the pellets on the screen while avoiding the ghosts (think risks). When a ghost was close (think threshold breach), the player needed to take corrective action, such as moving in a different direction to reduce the risk or eating a power pellet (think controls), which temporarily enabled the player to remove that risk.
Note: just like in real life, a player could never eliminate risk; the ghosts simply regenerated and came at the player again, but from a different direction. Years later, my discussions around risk appetite often remind me of playing Pac-Man back in the day and how much more complex it was as a video game compared to its shooter peers.
Well, Pac-Man turns 40 this year, so I thought I would pay homage to the game I fed so many of my hard-earned quarters into all those very memorable summers ago. And to be honest, maybe at the same time prove to my parents once and for all that my time spent in the arcade, away from the sun and fresh air, wasn't a complete waste of my time or their money.
A little history
All businesses take on risk the minute they open their doors, the minute they hire employees, the minute they start selling products and services to the public, and the list goes on and on. All business activity incurs risk. There are risks around legal
and regulatory obligations specific to your industry or geographic footprint. There are risks associated with having employees. Will they follow established
policies and procedures? Will they conduct themselves in an ethical manner? Are you as an employer hiring and promoting fairly? Are you providing a safe environment for employees to work?
There are even risks associated with the clients and vendors with whom you conduct business. Is your client a sanctioned business or a sanctioned individual? If a business, are its ultimate beneficial owners listed on any sanctions list? Are they creditworthy? And that list goes on and on.
So, what does this have to do with risk appetite? Let us start with what is risk appetite.
Risk appetite is referenced by multiple national and international committees, standards, regulators and other authorities. Most regulators in the US, UK and EU reference risk appetite as a requirement, an expectation or at least an encouraged best practice.
And we all know what it means when a regulator 'encourages' something. Until the last decade or so, risk appetite was discussed primarily as part of lending and credit practices. Today, it is referenced as part of broader risk frameworks. The FFIEC IT Examination Handbook references "risk appetite" on 17 different pages.
Risk appetite is defined by the International Organization for Standardization (ISO) as part of ISO 31000, the risk management standard that provides key principles and guidance for effective risk management frameworks and practices (the definition itself lives in ISO Guide 73, the risk management vocabulary that accompanies ISO 31000). The US central bank (the Federal Reserve) references risk appetite in 579 different documents, and the EU central bank (the European Central Bank) references risk appetite over 790 times.
I have been exposed to pretty much every definition used within most contexts in the financial services and financial technology space. What I can tell you is that basically, risk appetite is the level of risk an organisation is willing to take to meet its
business objectives before taking corrective or risk mitigating actions.
In other words, and this is why it is so important, a company needs to understand its current risk profile and how far it is willing to stress that profile to reach its goals. How much more risk are you willing to take on before pulling back? What is your turn-back point, and is it defined at a level that prevents irreversible loss or damage to the company?
Every organisation starts taking risks the minute it opens its doors (literally and figuratively), whether it is a for-profit business, a not-for-profit, a bank, a fintech, a food services provider or a health services provider. Therefore, it is imperative that management identify their risks, measure them, track them and base business decisions on them.
What’s In It For Me (WIIFM)?
Risks and losses incurred from unmitigated risks (fraud, theft, reputation, etc.) will impact your company even if you hit all your sales targets. Given this, risk appetite as a defined statement to measure a company’s ability to meet its business objectives
makes absolute sense. If you own the risk, you should know your risk appetite. I always tell managers to think about risk very selfishly and even personally. Let us look at an example of what I mean.
Ask yourself this question: Would you take up sailing? If your answer is “no,” this means you have no appetite for this kind of risk. From a policy perspective, you could simply state that it is your policy not to participate in sailing activity. What if
you do want to participate in sailing activity? You may be drawn to the upside or ROI of such activity which could include exercise, spending time on the water, developing nautical skills, logging hours as part of a certification requirement, hanging with
friends, or simply just for the adventure or the rush associated with such activity.
All valid returns on such activity. But you also know there are risk factors associated with it, such as hypothermia, overexertion, sunburn, physical damage to you or the boat and, of course, the most critical risk, death (by drowning or other means). These are all components of a risk appetite that can be defined and measured.
This scenario can also be applied to a financial services setting. Let us say you are a US bank or other financial services firm that wants to enter the cannabis industry. Obviously, there are risks associated with this industry, but there are also benefits supported by facts such as cannabis legalisation spreading globally, with an estimated economic impact as high as $77 billion by 2022.
A business case for the upside of entering this market could easily be built. But what is the potential downside? In addition to the existing risks associated with onboarding and banking a business customer, additional, heightened risks specific to this industry could include reputational risk, physical security risk and enhanced money laundering risk. Will current customers change banks if you start banking cannabis? Will new customers come on board knowing you serve this market? All valid risks to consider.
As this industry is currently very cash intensive (many cannabis businesses cannot take credit cards for payment), are current branch physical security controls sufficient? Could or would you experience an uptick in branch robberies? These are all components of a risk appetite that can be defined and measured using tools such as risk appetite metrics and risk appetite thresholds.
Both examples above articulate risks associated with a specific initial activity or 'transaction,' such as sailing on the bay or onboarding a cannabis company. To assess the risk associated with new activities like these, you should conduct a risk assessment (I will dive deeper into risk assessments in a subsequent article).
However, once these become ongoing activities, such as sailing every weekend or onboarding, transacting with and growing relationships with cannabis-focused businesses, you should consider developing a risk appetite specific to this kind of risk.
For example: “Management is willing to accept risks associated with open water sailing activity with effective controls in place to minimise harm to individuals” and “Management is willing to onboard cannabis clients and provide limited products and services
as long as clients maintain sufficient regulatory adherence and change management controls and clients restrict their activity geographically within legalised jurisdictions.” Both statements will require ongoing monitoring of the activity and key controls
to ensure activity remains within the firm’s risk appetite.
What works?
Banks use risk appetite and underlying risk appetite metrics and thresholds as tools to measure progress against business objectives. The risk appetite can be simple, such as financial loss not to exceed a certain percentage of total revenue or compliance
with all regulatory obligations. “Management will accept loss events at any given time up to a maximum of x% of total revenue.”
This is a common risk appetite statement, but why is it relevant to the company? The Board may have a strategic goal, funding obligation, regulatory obligation, etc. such that losses exceeding a certain percentage of total revenue could impact capital reserve requirements, internal funding of growth initiatives or other capital needs. As an enterprise, management, the Board and even employees should be informed of how the firm is performing against its articulated risk appetite and take action where necessary, such as when the metric approaches a defined threshold and certainly when it breaches that threshold.
This can be accomplished using risk appetite metrics and risk appetite thresholds; a threshold is typically a sub-component of a risk appetite metric. Risk appetite metrics are usually composed of underlying performance indicators, and the aggregate value is then used to articulate performance against the threshold. Let us take an example of an extremely basic risk appetite metric using the example above.
The above metric could be a risk appetite metric supporting a risk statement aligned to an articulated business objective, such as the specific revenue goal we discussed previously. The company should track all risks to meeting that business objective, such as realised losses. Multiple risk appetite metrics could be identified, developed and tracked to support an overall risk statement aligned to a business objective that includes defined revenue goals. Performance against these metrics is important to track, share, discuss and use for business decisions.
As simplistic as the risk appetite metric example above is, it still tells us many things. There was a significant spike in fraud in Q1 which caused a threshold breach. The Board should have been informed of the breach and taken appropriate action. That action could include a pause on new spending efforts (new innovations, technology upgrades, etc.) or existing projects until the root cause is identified and remediation steps are completed to minimise the risk of similar losses in the future.
The action could be to recalculate the metric or the threshold. Maybe the underlying formula is wrong or maybe this level of risk is acceptable given a more aggressive risk stance the Board is now willing to take and therefore the threshold should be raised.
At a minimum, it creates an obligation for a discussion and/or action based on risk posture and existing, approved risk appetite and supporting metrics.
The other thing the above graph tells us is that the company did not come anywhere near the risk appetite threshold in Q2 through Q4. This should initiate discussion as well. If the Board still supports the risk appetite threshold value, then the company has some room to take on additional risk should it choose. Or maybe, with a few quarters of data in hand, the Board judges its original threshold too generous and wants to lower it from 5% to 4%, as is reflected in the graph above (starting with a looser threshold and tightening it once real data arrives is sometimes the best way to begin).
Each group head and in fact, each employee, can use the above information to inform their everyday business activities and decisions. Obviously, the company had an issue with a large fraud loss, so all employees need to be more vigilant with respect to fraud
controls. What this demonstrates is that even the most rudimentary risk appetite metric can be used in many ways to inform everyday business decisions and operational practices.
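As an added example (not from the original article, and not a reproduction of the author's graph, which does not appear on this page), the following Python evaluates a basic loss-to-revenue risk appetite metric in the way the text describes: it aggregates the underlying loss categories into one figure per quarter, compares that figure with the threshold in force, flags when the metric is approaching or has breached the limit, and names the largest loss driver so the root-cause discussion has a starting point. The quarterly revenue and loss figures, the 80% early-warning band and the lowering of the limit from 5% to 4% in Q4 are all constructed assumptions chosen to match the narrative, not data from the article.

```python
"""Risk appetite metric: realised loss events as a percentage of revenue, per period,
against a Board-approved threshold. All figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    """One reporting period: revenue plus realised losses by category (the underlying indicators)."""
    name: str
    revenue: float
    losses: dict[str, float]


@dataclass(frozen=True)
class Threshold:
    """Board-approved limit for the metric and the band below it that counts as 'approaching'."""
    limit_pct: float
    warning_fraction: float = 0.8  # assumption: 80% of the limit triggers an early warning

    @property
    def warning_pct(self) -> float:
        return self.limit_pct * self.warning_fraction


def loss_ratio_pct(period: Period) -> float:
    """Aggregate the loss categories into the metric: total losses as a percentage of revenue."""
    if period.revenue <= 0:
        raise ValueError(f"{period.name}: revenue must be positive to express losses as a share of it")
    return 100.0 * sum(period.losses.values()) / period.revenue


def classify(ratio_pct: float, threshold: Threshold) -> str:
    """BREACH above the limit, APPROACHING inside the warning band, WITHIN otherwise."""
    if ratio_pct > threshold.limit_pct:
        return "BREACH"
    if ratio_pct >= threshold.warning_pct:
        return "APPROACHING"
    return "WITHIN"


def evaluate(periods: list[Period], thresholds: dict[str, Threshold]) -> list[dict]:
    """Score each period against the threshold in force for it; headroom is limit minus metric."""
    report = []
    for p in periods:
        t = thresholds[p.name]
        ratio = loss_ratio_pct(p)
        driver = max(p.losses, key=p.losses.get) if p.losses else None
        report.append({
            "period": p.name,
            "ratio_pct": round(ratio, 2),
            "limit_pct": t.limit_pct,
            "status": classify(ratio, t),
            "headroom_pct": round(t.limit_pct - ratio, 2),
            "largest_driver": driver,
        })
    return report


# Constructed quarterly data (hypothetical): a fraud spike in Q1, quiet quarters after.
PERIODS = [
    Period("Q1", 10_000_000, {"fraud": 480_000, "theft": 40_000, "other": 30_000}),
    Period("Q2", 10_000_000, {"fraud": 60_000, "theft": 30_000, "other": 20_000}),
    Period("Q3", 10_000_000, {"fraud": 90_000, "theft": 30_000, "other": 20_000}),
    Period("Q4", 10_000_000, {"fraud": 120_000, "theft": 30_000, "other": 30_000}),
]

# Constructed threshold history (hypothetical): Board lowers the limit from 5% to 4% for Q4.
THRESHOLDS = {
    "Q1": Threshold(5.0), "Q2": Threshold(5.0), "Q3": Threshold(5.0), "Q4": Threshold(4.0),
}


def board_report() -> list[dict]:
    """The rows a Board pack would carry for this metric."""
    return evaluate(PERIODS, THRESHOLDS)


if __name__ == "__main__":
    for row in board_report():
        print(f"{row['period']}: {row['ratio_pct']:5.2f}% of revenue, limit {row['limit_pct']}% "
              f"-> {row['status']:<11} headroom {row['headroom_pct']:+.2f}pp, "
              f"largest driver: {row['largest_driver']}")
```

Every row with a status other than WITHIN is an obligation to discuss, as the text puts it: a BREACH row should show up in the Board minutes with an agreed action, and an APPROACHING row is the leading signal that lets management act before the breach rather than after it.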
What does not work?
I have met so many business line risk owners and risk managers who do not understand the core value and importance of an articulated risk appetite with meaningful, trackable supporting metrics. In my experience, many of the risk appetite statements I have come across are too overarching, with accompanying risk appetite metrics that are often oversimplified.
The good news is that risk appetite statements and metrics are more common in discussions with managers and Board members than they were even a few years back. The bad news is that many of the risk appetite statements are not aligned to business objectives, are difficult or even impossible to measure, do not address the true underlying risks, or include lagging rather than lagging AND leading indicators. And finally, even where risk appetite statements are articulated, risk appetite metrics are in place and results are included in Board reports, the data is not being used consistently to inform strategic or business-line decision-making.
Here are a few examples of risk appetite statements I have come across in the past and what I would recommend as revisions for consideration:
What is the path forward?
As mentioned earlier, risk appetite is referenced in multiple international standards and across multiple industries. You should research whether an articulated risk statement is an expectation for your firm or industry. Whether or not it is, I would recommend
an understanding and adoption of its core principles.
- Work with the management team and Board to define and approve a risk appetite statement and an initial set of risk appetite metrics that support business objectives.
- Ensure all employees understand the importance of risk appetite and the role risk appetite metric performance should play in business decision-making processes.
- Clearly define ownership and accountability as well as repercussions for employees who do not adhere to risk appetite principles, policies, and procedures.
- Align risk appetite metric performance to Board reporting and require action (even if the action is to take no action or to change the metric) and document these decisions and agreed-upon next steps.
- Track all approved actions to completion. Success can be tracked via subsequent risk appetite metric reporting efforts.
- Be sure to revisit the risk appetite statement and supporting metrics periodically. Sometimes a threshold breach is simply an indication that the threshold needs to be changed or even that the metric may not be meaningful as designed. Metrics should be
reviewed and adjusted over time, so they remain relevant and useful.
- And finally, DO NOT waste everyone’s time tracking metrics that are not reflective of your risk environment and are not ultimately aligned to business objectives.
So, I know what you have been asking since the beginning of this article. Did I ever get the high score on Pac-Man? Does it matter? I did back then what I still do today as a risk manager: I assessed risks, took mitigating actions, made a good faith effort
to reduce those risks, adjusted where necessary, and enjoyed myself along the way. That is really all that mattered. I would challenge any parent or any regulator to make a solid argument against that.