What is risk appetite, and how does a board of directors manage risk?
Over the last few years, ‘risk’ has become one of the main discussion topics in the boardroom. The conversations range from the organisation’s overall risk appetite to the individual operational risks the board tracks on its risk register.
As the business environment changes, the organisation’s risk profile also changes, hence the need to regularly monitor it.
The overall oversight of the organisation’s risk falls under the board’s purview. However, the board can delegate this function to a risk sub-committee.
The primary function of the risk sub-committee is to identify, assess, quantify and mitigate the risks involved in the day-to-day functioning of the organisation.
Let’s explore some of the questions these committee members ask their executive team about managing those risks effectively.
Does your board have the correct terms of reference?
- The proper functioning of the risk committee depends on how comprehensive its terms of reference (TOR) are.
- Details regarding the structure, membership, quorum, frequency of meetings, duties and responsibilities must be documented in the TOR.
- The TOR must be reviewed annually to ensure it remains current and relevant.
- The members of the board must sign off on the TOR.
Is your board tracking all the risks?
- Risks to a business manifest in many forms: financial, strategic, reputational, operational, compliance, cybersecurity, regulatory, environmental, etc.
- The type of risk and its impact will be specific to the industry/sector of the organisation.
- For example, a software company will face many cybersecurity risks, a non-profit might primarily track financial and reputational risks, and an audit firm might face compliance risks.
- The committee must ensure that the management team tracks these risks appropriately, analyses the severity of their impact and designs mitigation strategies.
- Only a risk that is measured can be managed.
What is risk appetite?
- Risk appetite can be defined as the amount of risk an organisation is willing to take on to capitalise on business opportunities.
- Taking no risk is counterproductive for a going concern, as it erodes competitiveness.
- To determine the optimal risk-versus-reward position, the board has to consider many factors, such as the strength of the balance sheet, the competency of the management team and the industry in which the organisation operates.
- Some organisations have more capacity to take on additional risk than others; a hyper-growth software company versus a non-profit is a good example.
- A company with high free cash flow can take on more financial risk than a company carrying a high level of debt.
- Determining the risk appetite, and making sure the board and the management team are on the same page about it, is critical for managing risk.
How do you determine risk impact?
- The committee must agree on a framework that will be used to determine the impact of each item on the risk register.
- The completed risk register should be concise and contain all relevant information.
- Generally, a scoring system multiplies the severity (impact) of the risk by its likelihood (expected frequency).
- The resulting scores are ranked and the highest-ranked items are escalated to the board for discussion.
- A high score does not inherently mean that the risk should be avoided; it means the board must decide how to actively manage and mitigate the negative impact.
- A risk with a low score can be handled through routine operational efforts.
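The scoring approach described above, as an added worked example that is not part of the original article: a small risk register in Python that scores each item as likelihood x impact, applies control effectiveness to get a residual score, ranks the register, and flags items whose residual score exceeds a threshold standing in for the board's risk appetite. The 1-5 scales, the proportional control-effectiveness model, the band cut-offs, the appetite threshold of 12 and the sample risks are all constructed assumptions for illustration, not figures from the article.

```python
from dataclasses import dataclass

# Constructed 1-5 scales (assumption): the article only says severity is
# multiplied by frequency; the labels and values here are illustrative.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The five treatment strategies named later in the article.
TREATMENTS = {"accept", "avoid", "control", "transfer", "monitor"}


@dataclass
class RiskItem:
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    treatment: str
    # 0.0 = no control in place, 0.8 = strong control (simplified model, assumption).
    control_effectiveness: float = 0.0

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: unknown likelihood/impact label")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: unknown treatment {self.treatment!r}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.ref}: control_effectiveness must be in [0, 1]")

    def inherent_score(self) -> int:
        """Severity x frequency before any controls are considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Score remaining after controls; proportional reduction is an assumption."""
        return round(self.inherent_score() * (1.0 - self.control_effectiveness), 1)


def band(score: float) -> str:
    """Map a score to a heat-map band (cut-offs are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(items: list[RiskItem], appetite_threshold: float) -> list[dict]:
    """Rank by residual score and mark items above the appetite threshold for escalation."""
    ranked = sorted(items, key=lambda r: r.residual_score(), reverse=True)
    return [
        {
            "ref": r.ref,
            "category": r.category,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "band": band(r.residual_score()),
            "escalate": r.residual_score() > appetite_threshold,
        }
        for r in ranked
    ]


def appetite_conflicts(items: list[RiskItem], appetite_threshold: float) -> list[str]:
    """Refs of risks above appetite that management has merely accepted or is only
    monitoring: these are the items where board and management may not be aligned
    (illustrative consistency rule, an assumption)."""
    return [
        r.ref
        for r in items
        if r.residual_score() > appetite_threshold and r.treatment in {"accept", "monitor"}
    ]


def sample_register() -> list[RiskItem]:
    """Constructed sample register for demonstration (not real data)."""
    return [
        RiskItem("R1", "cybersecurity", "Ransomware on production systems",
                 "likely", "severe", "control", control_effectiveness=0.5),
        RiskItem("R2", "financial", "Unhedged foreign-exchange exposure",
                 "possible", "major", "transfer", control_effectiveness=0.25),
        RiskItem("R3", "compliance", "Late statutory filing",
                 "unlikely", "moderate", "monitor"),
        RiskItem("R4", "reputational", "Customer data held by third-party vendor is breached",
                 "possible", "severe", "accept"),
    ]


if __name__ == "__main__":
    threshold = 12  # stand-in for the board's risk appetite (assumption)
    for row in rank_register(sample_register(), threshold):
        print(row)
    print("appetite conflicts:", appetite_conflicts(sample_register(), threshold))
```

Note that R1 has the highest inherent score but, once its controls are counted, falls below the appetite threshold, while the uncontrolled R4 rises to the top and is flagged both for escalation and as an appetite conflict because it has only been "accepted". This is the point the article makes: the score drives the discussion of how to treat the risk, not an automatic decision to avoid it.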
How should your board manage risk?
- Once the risks have been identified and their impact assessed, the committee has to manage them proactively.
- Several strategies can be employed to manage a risk: accept it, avoid it, control (mitigate) it, transfer it (for example through insurance or contract) or monitor it.
- The method chosen for each risk will depend on the risk appetite of the organisation and the capacity of the management team.
Is your board communicating your risk appetite to stakeholders?
- The management team should establish a regular cadence for communicating operational risks to all board members.
- There should also be a well-established playbook for bringing crises to the board’s notice immediately, so that no one is caught off guard.
- The management team should also decide how often the risk register is updated and the risks reclassified, so that it stays abreast of the latest developments.
Do you have a contingency plan?
If risk mitigation is proactive, a contingency plan is reactive. Plan B ensures that the downside impact is minimal if a risk event does occur.
A typical example is a plan for communicating with users when a data breach occurs. The committee must consider the following when creating a contingency plan:
- Define the trigger: which risk event must materialise for the contingency plan to go into effect
- Identify the people responsible for implementation and how they will implement the plan
- Identify clear channels of communication and how these actions will be escalated to the board
- Regularly revisit and update the plan as needed.
Does your risk appetite and culture promote ethical behaviour?
- The board and the management team should ask themselves whether they promote a risk culture that embraces ethical behaviour.
- An effective risk strategy ensures that the organisation constantly improves, evolves and captures business opportunities.
- There should be a delicate balance between risk-taking and conservatism, providing a healthy push-and-pull tension; leaning too heavily to one side can topple any organisation.
Managing risk is an essential part of running a successful organisation.
Risk management does not mean taking no risk. Rather, it is the set of guidelines for pursuing opportunities and reducing threats in order to achieve goals compatible with the organisation’s mission and risk appetite.