13 minute read 13 Nov 2019

How can appetite boundaries better align with corporate performance objectives?

By

John Rogula

EY Americas Advisory Central Region Risk Managing Director

Over 25 years in management consulting. Passionate about working with creative persons and organizations in the development of innovative solutions.


To better balance risks to performance, organizations should redefine the way appetite is measured.

In this Transformative Age, the case for change is being driven by shifting organizational models, industry convergence and, of course, technology. One of the few certainties is that risks are abundant. For organizations that know how to reap value from effective risk-taking, that’s a winning proposition. But, this isn’t the case for most organizations. “Risk appetite” is a nebulous term and a moving target, which negates effective risk-taking — and the gains it would otherwise make possible.

This article is part one of a two-part series. In it, we propose redefining “risk appetite” as “performance appetite.” This new, measurable definition and its associated concept, “tolerance,” can be understood and embraced by executives, boards and risk practitioners alike. It’s a shift that is essential amid this dynamic, ever-evolving landscape because it enables us to see more of what is possible. The second article will recommend a framework for effective implementation and management of performance appetite.

Chapter 1

Introduction to appetite

Providing a consistent, standard definition of appetite and its associated concept, “tolerance”

In the wake of the regulations and changes that disrupted the business model for its sector, the chief risk officer (CRO) of a Fortune 100 company asked, “What is risk appetite, and how do I measure it?” He was reacting to executive management’s desire to articulate, across the company, the impact of the new regulations on their business model and the guardrails that needed to be set. He is not alone: this question continues to echo across boards and executive teams in almost all sectors and geographies. The Institute of Risk Management (IRM) in its 2011 Guidance to Risk Practitioners on Risk Appetite noted, “Risk appetite is a phrase that is widely used but frequently in different contexts and for different purposes.” The phrase means different things to different groups of people, said the IRM. But it went on to say that “there seems to be almost unanimity that it could be, and indeed ought to be, a useful concept, if only it could be properly expressed.”

Seven years later, the Association of Financial Professionals’ 2018 Risk Survey suggested that “risk appetite” as it exists today is still nebulous and poorly defined. Results confirm that many organizations (about 54%) have not defined their risk appetite to provide clear guidelines for decision-making. Clearly, executives, such as the aforementioned CRO, are still struggling to define the risk appetite of their organizations in measurable and repeatable ways.

We have learned notable lessons in recent years, some captured in the IRM’s guidance and some that are new. A lesson with broad consensus: there is tremendous opportunity for organizations to realize true value from effective risk-taking through definition, management and measurement of appetite. But, according to the EY Global Governance, Risk and Compliance Survey 2015, only 16% of companies consider the link between risks and the attainment of business goals to be close enough to enable them to effectively and efficiently respond to the sort of risk drivers that can emerge and evolve quickly, including shifts in the economy, technological changes and cybersecurity.

Particularly in the Transformative Age, the case for change is being driven by shifting organizational models, industry convergence and, of course, technology. The winners are organizations that have mastered appetite and risk-taking and are operating in systems of trust by design – those that are exploiting both downside risks and threats as well as the rewards and upside risks to reap value.

Organizations are managing evolving consumer expectations, new partnerships, dynamic ecosystems, changing industry boundaries, disruptive business models and new competitive domains. The lingering questions are: “How do we realize value from effective risk-taking?” “How do I maximize return on investment from my ERM program?” and, for the more cynical, “Is the matter simply theoretical?”

In this article, we aim to provide a consistent, standard definition of appetite and its associated concept, “tolerance,” that can be understood and embraced by executives, boards and risk practitioners alike. We will also provide a standard implementation framework for application of appetite in an organization based on proven examples and using a pragmatic, common-sense approach.

Trust is the new currency to derive value and loyalty

Organizations recognize that trust is critical to sustain consumer loyalty and differentiate their brand in the market.

Until now, risk has been focused on avoiding negative outcomes. To thrive in the Transformative Age, organizations need to embrace disruption and build in trust by design.

– The Confident and Trusted Enterprise, EY 2018

Ambiguity in the various definitions of appetite

There are many definitions of “appetite” from a corporate perspective. That, in itself, contributes to the lack of clarity among risk practitioners. In Table 1, we show the various definitions and their associated focus. The COSO 2017 ERM update, Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. However, most definitions place “appetite” traditionally in the compliance realm. Appetite and tolerance have often been defined from the perspective of the downside of risk without a well-rounded view of how risk effectively taken and managed can contribute to success within an organization. In addition, recent updates to some standards have avoided explicit definitions of appetite. In our view, this has also contributed to the continued lack of clarity. To better understand and balance risks and performance, the definition of appetite needs to be understood and measured from a more performance-centric approach.

Table 1: Definitions


The definitions from HM Treasury (Orange Book), the IRM and the US Federal Government ERM Playbook are all oriented toward a more performance- and benefits-driven perspective of appetite. While we agree with these views, we argue that they still leave room for ambiguity and are burdened by a legacy term for which there is no consistent standard definition. This leaves the risk practitioner and business leader to apply their subjective perceptions of the term.

Chapter 2

Performance appetite

A new way to communicate the boundaries of risk-taking in your organization

The degree of variation in performance that executive management and the board are willing to accept on an aggregate basis in relation to strategic and business objectives is the organization’s “performance appetite.”

Performance appetite sets boundaries on how much variation in performance an organization and its business units and functions are prepared to accept throughout the course of operations. A defined appetite and tolerance for variation in performance helps management weigh how much risk is appropriate in working toward their business objectives.

Understanding the key performance indicators (KPIs) of each institution and then identifying, measuring and monitoring the degree of variation that is acceptable per KPI will not only allow companies to create more accurate risk profiles but also reflect the direction and language of management and the business.

Additionally, the degree of variation that is acceptable or tolerable will vary by performance type and risk area, and there is no one-size-fits-all approach. This determination requires management’s time and expertise, as well as a thorough understanding of what truly constitutes success. Benchmarks, standards and peer analyses afford a reasonable yardstick for reviewing the specific appetite and tolerance levels set for each performance type and risk area.

Once appetite is defined and tolerance limits set, executing according to appetite becomes a matter of organizational culture, monitoring and performance management.

Why redefine risk appetite as performance appetite?
  • Is less subjective or based on respective risk owners’ views of the risk
  • Enables effective decision-making
  • Is easier to understand and helps management relate to day-to-day operations
  • Expands focus from downside risk during implementation to a holistic view of upside, downside and outside risks
  • Is easier to measure, avoiding confusion and churn on what is acceptable
  • Ties into established KPIs
  • Aligns with leading practice, COSO ERM 2017
  • Is intuitive: people can relate to it, and most organizations already do it in some way in their day-to-day operations

Just as risk appetite raises the question of “risk capacity,” performance appetite raises the question of “performance capacity.” Whereas risk capacity reflects the amount and type of risk an organization can support in pursuit of its business objectives, performance capacity reflects the amount of variation in performance an organization can accommodate given its operating model, processes, tools and agility. It poses a question that goes beyond how much risk an organization can take before it fails (risk capacity), which is a balance sheet approach, to “how much performance variation (negative or positive) can an organization accommodate?” It also expands the definition of capacity to include the agility of the organization to adapt and accommodate shocks and trends in its environment.

Performance variation possesses upper and lower thresholds that executive management and the board are willing to accept relative to specific business objectives. This is known as the organization’s “tolerance.” Tolerances are the defined upper or lower limits of deviation from the performance appetite boundaries that an organization is willing to accept. The organization’s tolerance for performance variation relates to the degree to which performance can deviate from the expected outcome for a specific goal or objective and still be considered within an acceptable range from a business perspective. Within organizations, it is most often referenced in terms of a “do not exceed” threshold/upper limit of tolerance. In reality, it is a range and not a fixed limit. Breaching tolerance limits will typically act as a trigger for corrective action at the process level, immediate notification at the management level and reporting at the governance level. Tolerance limits are established around performance targets, which are widely understood and are the actual metrics that are measured and will be tracked to evaluate success or achievement of the goal.

Critical to the definition of performance appetite is a holistic consideration of the different forms of risk. Broadly categorized, risk falls into three types: upside, downside and outside. See Figure 2 for a brief explanation of their distinct characteristics.

Figure 2: Trust by Design – expanding consideration of risks that cause variation in performance: upside, downside, outside

Chapter 3

Fluidity and specificity in performance appetite

Both appetite and capacity are ever-changing


In some organizations, capacity and appetite are represented as fixed and the same for all risks. In addition, there is a tendency to think of performance appetite and capacity purely in financial terms. Our view is that both performance capacity and performance appetite are fluid and distinct by risk type and consider factors beyond financial strength.

... appetite has a temporal dimension: in other words, the appetite and tolerance will change over time as circumstances change. ... appetite is not something that can be written in tablets of stone and then ignored for the rest of the year. Equally, the ... appetite for tomorrow may be very different to the ... appetite for a period ten or twenty years hence.

– IRM 2011

There is no single ... appetite, but rather a range of appetites for different types of risk and this range of appetites needs to align under, and be consistent with, an overall ... appetite framework.

– IRM 2011

In simple terms, an organization’s performance capacity is driven by two main elements:

  • Financial capacity – The IRMI defines it as the financial limit of an organization’s ability to absorb losses with its own funds or borrowed funds without major disruption. This value often comes into play when a risk manager attempts to find the appropriate retention amount, according to the institute. Any planned retention figures that an organization adds should fall below the financial capacity point.
  • Organizational agility – This includes the organization’s ability to harness other forms of capital in a responsive and rapid way. Other forms of capital may include resources (e.g., infrastructure, assets and people), relationships and knowledge.

The latter informs an organization’s ability to push the balance sheet capacity to exceed performance targets. Similarly, organizations with significant financial capacity may be constrained by their agility and culture, resulting in ineffective exploitation of opportunities, eventually eroding performance.

The shift


Organizations often shift (inward or outward) outside of financial capacity depending on organizational culture and agility and often without recognizing that they are doing so.

They should step away from the traditional “equation” approach to appetite (i.e., capacity minus buffer equals risk) and consider a more fluid view to appetite and capacity, recognizing that it shifts over time and requires constant monitoring.

Conclusion

Performance appetite and tolerance have often been defined from the perspective of the downside of risk without a well-rounded view of how risk effectively taken and managed can contribute to success within an organization. In an effort to better understand and balance risks to performance, organizations should seek to redefine the way appetite and tolerance are understood and measured by taking a more specific performance-based approach – under a new name: performance appetite.

Intrinsic to the approach is understanding the degree of variation that is acceptable for each performance objective, the key performance indicators (KPIs), and then identifying, measuring and monitoring it.

Additionally, the degree of variation that is acceptable or tolerable will vary by performance type and risk area, and there is no one-size-fits-all approach. Benchmarks, standards and peer analysis afford a reasonable yardstick for reviewing the specific appetite and tolerance levels set for each performance type and risk area. Once appetite is defined and tolerance limits set, the effective execution according to appetite is influenced by performance reviews, management-reinforcing actions and organization culture.

What are an organization’s next steps? In the concluding part of the series, we will share a framework that applies leading practices and offers pragmatic guidance.

Summary

Redefine the way appetite and tolerance are understood and measured by taking a more specific performance-based approach — under a new name: performance appetite.
