Nonprofit Business Advisor, Strategies to Survive and Grow in Tough Times

Incorporating Risk Appetite Concepts in Board Governance

Risk is a topic high on every board’s agenda. What does the latest thinking

By Richard Baker January 16, 2013
Policy Governance provides a coherent theoretical basis for board governance. In this article, Richard Baker, a longtime UK risk and corporate governance consultant, applies that theoretical basis to the board’s role in risk appetite. Although this article addresses for-profit organizations in the UK regulatory environment, it also generally applies to for-profits and nonprofits everywhere.

The concept of risk appetite, along with enterprise risk management (ERM), has grown in significance since the 1990s; yet understanding of risk appetite and its implications is weak.1 Despite the widespread use of risk appetite, and it being considered2 important to ERM success, one of the risk management failures of the financial crisis was poorly implemented risk appetite frameworks. Institutions took more risk than they had intended, and they exposed themselves, whether deliberately or inadvertently, to more risk than they had the capacity to bear. Not surprisingly, expectations of organizations in this area are increasing and becoming more explicit.

In 1999, the Institute of Chartered Accountants in England and Wales issued the so-called Turnbull guidance for directors to support the risk management requirements of the UK corporate governance “combined code.” This guidance stated that the board’s deliberations should include consideration of the nature and extent of the risks facing the company, and the extent and categories of risk it regards as acceptable for the company to bear. This is risk appetite, then, in as many words.

Since that time, an enterprise risk management framework from the Committee of Sponsoring Organizations of the Treadway Commission has gone on to define risk appetite as “the broad-based amount of risk a company is willing to accept in pursuit of its mission or vision.” The British Standards Institution’s standard for risk management (BS 31100) refined this definition to “the amount and type of risk that an organisation is prepared to seek, accept or tolerate” (in pursuit of its objectives), which is almost identical to that of the International Organization for Standardization’s risk management standard (ISO 31000).

One of the five key themes of the 2009 Walker Review commissioned by the UK government was that “board-level engagement in risk oversight should be materially increased, with particular attention to the monitoring of risk and discussion leading to decisions on the entity’s risk appetite and tolerance.” And so to the present day: in June 2010 the revised UK Corporate Governance Code from the Financial Reporting Council included, as a main principle, that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.” Other national codes are adopting a similar stance to what is, again, risk appetite in as many words.

As a result, even if their practical application remains a challenge, some management techniques have developed around the expression of risk appetite. However, there is still little by way of coherent theory within board practices—unless one considers board governance as merely an extension of management—a suggestion that will raise the hackles of any Policy Governance advocate.

Current Approaches to Expressing Organizational Risk Appetite

Recent research3 has identified some common measures by which risk appetite is expressed: profit/loss, credit rating, economic capital, value-based (e.g., share price volatility), probability/impact grid, key indicator limits, and qualitative statements. These are consistent with other commentators on risk appetite.4

An example of this is an earnings-at-risk measure whereby a limit is set on the reduction in operating profit over a one-year time horizon following a one-in-ten-year loss event (for instance, a company might be prepared to accept the risk of a £10 million reduction in earnings or profitability for a loss event expected to happen once in every ten years).

Qualitative examples (taken from the Annual Report 2010 Business Review of the Man Group in the UK) are statements made in terms of reputation, regulatory, and operational risks in the execution of business plans. Such expressions of risk appetite provide the reference point against which to benchmark all risk-taking activity within the organization, defining boundaries within which risk-based decision making can occur.5 In this way, the board’s attitude to risk taking is communicated such that it can be consistently applied in managing the organization.

To date, the techniques for risk appetite do not distinguish between the board’s role and management’s. At an organizational level, risk appetite should represent the board’s limits, not management’s; after all, it is the board that has been put in place by the ownership to represent their interests. It is my view that this has led to confusion about how the board should discharge its responsibility in this area, with these emerging management techniques being passed on to the board on the assumption that governance and management are the same. It is my proposition that the Policy Governance model constitutes a framework within which this board responsibility for risk appetite can be conducted coherently.

Risk Appetite and Policy Governance

The risk appetite measures quoted above, inadvertently it seems, tend to be expressed as limits using proscriptive language. I say inadvertently because I don’t believe that this has been done as part of a coherent design; more that it made sense. It is interesting therefore that these measures are, in this respect at least, not dissimilar to the Executive Limitations policies of an organization using the Policy Governance model.

However, whether expressed proscriptively or not, these kinds of measures cannot be considered coherent, for two reasons. First, they have been selected primarily on the basis of what is known and therefore leave anything else (unknown) unstated. This is an important omission, given that it is often the unknown unknowns that cause organizations the biggest, and most unpleasant, surprises. Surely this part of risk appetite cannot be ignored if the board is to do its job satisfactorily. The second reason measures of this kind cannot be considered coherent is that they are indeed “a selection” and therefore not all-encompassing, even of the known.

A fundamental building block of Policy Governance is that Executive Limitations start from the broadest, most all-encompassing expressions of limits and are therefore designed to encompass all possible owner concerns, including the unknown ones. Executive Limitations narrow down to more specific limitations to exclude any possible reasonable interpretations that the board would find unacceptable; but, crucially, if the board does not choose to express more specific limitations, they are still covered by the broader one(s).

Another key advantage of the Policy Governance model is that board expression (and therefore monitoring) of risk limits makes no assumptions about how effectively management may or may not be managing, or believe they are managing, any particular area of risk. Because the board’s policy topics and specificity are not a function of what management believes at any time, but a function of what the board would find unacceptable at any time, the Policy Governance board does not monitor just those things that management tells it are going awry or in imminent danger of going awry according to management-level analysis. The Policy Governance board monitors management against a comprehensive set of standing board-level risk controls regardless of the current status of any particular risk in the eyes of management. So, for example, a school board would very likely want to know (have assurance) that the school was providing appropriate protection to safeguard students from abuse even if management believed that the risk was well managed. Similarly, an oil company board would want to have assurance that safety standards are being met even if management thought it was doing a good job.

In interpreting and monitoring Executive Limitations, management is required to furnish reasonable compliance standards and assurance (data), even in those risk areas that it thinks it is managing well. Policy noncompliance represents risk exceeding the risk appetite, and the board—and no doubt management too—will want to see a timely return to compliance. Overall noncompliance, then, will give a picture of where the organization is outside its risk appetite at any given time.

The final piece in the jigsaw for many boards would be to create a statement such as “The CEO may not operate without an ongoing ability to anticipate, assess and address risks described as unacceptable by this board.” Boards can do this by developing an Executive Limitation to this effect, once again differentiating between their governance role and management’s role in managing risk.

Therefore, developing some of the techniques of risk appetite discussed in this article using the Policy Governance model amounts to a coherent basis for the board to discharge its role for risk appetite. After all, as John Carver writes in Boards That Make a Difference (2006), a board that wishes to ensure its organization’s actions are acceptable must delineate ahead of time exactly what is unacceptable. This of course does not tell us much about how management needs to translate this into practice.
But then, that’s not the board’s job, is it?

Notes

1. Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34, 849–855.
2. Towers Watson (2010). Financial crisis puts spotlight on ERM. Sixth Biennial Global Risk Management Survey. New York.
3. Association of Insurance and Risk Managers (2009). Research into the definition and application of the concept of risk appetite. Undertaken by Marsh and University of Nottingham. Nottingham.
4. Institute of Operational Risk (2009). Risk appetite. Sound Practice Guidance paper. Institute of Operational Risk, London. www.ior-institute.org; KPMG (2008). Understanding and articulating risk appetite. London; Barfield, R. (2007). Risk appetite: How hungry are you? PWC, London.
5. Chase-Jenkins, L., & Farr, I. (2008). Risk appetite: A boundary for decisions. Emphasis. Towers Watson, New York.

Richard Baker has worked for nearly twenty years in risk management and corporate governance in blue chip organizations, industry, and consulting. He was Head of Risk Management at St. James’s Place PLC (UK) until he set up an independent consultancy specializing in corporate governance and risk management, Caerus Consulting Ltd (www. He has experience in the for-profit and nonprofit sectors and has worked in the UK, Europe, the Middle East, and the United States. Richard participated in the UK Carver Policy Governance Academy in May 2010.