The Curse of Risk Appetite

In this post, I go back to one of the fundamental aspects of an ERM framework: risk appetite. ‘The Curse of Risk Appetite’ is part of the title of an interesting paper reviewing the misuses of risk appetite.[1] Some of the misuses described in the paper might sound familiar, but perhaps the key point to take away from the paper is that there is a potential for risk appetite to become synonymous with ‘a consideration of risk’. I am not sure this was ever the intention. 

The paper includes several useful suggestions to enhance risk appetite. They are focused on the long-run value of the firm and on the structure of risk appetite statements, reflecting a view that risk is the likelihood of falling below critical levels of performance. However, my attention was really caught by the authors’ suggestion to improve the organisational process for risk management. They suggest that a risk function’s role should be defined to include responsibility for evaluating the combined effect of strategic initiatives and capital budgeting on the firm’s overall risk profile.

On one level, this prescription is consistent with the view that the aim of the risk function should be to ‘protect and enable’, with the emphasis on the ‘enable’ aspect which sometimes gets overshadowed by ‘protect’. I am attracted to this suggestion because it turns a vision into a practical requirement that can be incorporated into an articulation of roles and responsibilities for a CRO or risk function. 

If, however, this was implemented literally in UK financial services, I suspect there would be an issue with regulators’ expectation about the independence of the risk function (second line of defence) from the business (first line). 

A similar outcome could be reached by clarifying that the role of the CRO/risk function includes providing a risk opinion in the early stages of the consideration of major strategic initiatives that have the potential to alter the business’s risk profile. The emphasis on timing is important. Providing a risk opinion only when major strategic initiatives are presented for approval is unlikely to add value. A CRO/risk function opinion in the early stages is likely to support consideration of the details of the initiatives and how they can be shaped to strike the appropriate balance between risk and return.

If you found this post of interest, you can subscribe and receive further posts by email. See the box on the right-hand side of the blog's screen or click here. 

---

[1] Alviniussen, Alf and Jankensgård, Håkan, The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite (May 7, 2018). 

Feedback Loops and Enterprise Risk Management (ERM)

One should not take things for granted and this also applies to ERM.  In the case of ERM, this would mean identifying feedback mechanisms about the effectiveness of ERM to provide assurance to boards about the value generated.  This should also generate further insights to enhance ERM’s value added.  

This connection between ERM and value has not escaped supervisors.   On a company level, EU directives covering prudential regulation of banks and insurers include requirements that aim to formalise these feedback mechanisms.

While boards and regulators may be interested in the effectiveness of ERM in specific companies, there seems to be less evidence at an industry level.  Wouldn’t it be useful to understand the link between ERM effectiveness and the role and experience of the CRO? How does board oversight contribute to ERM effectiveness? 

These are challenging questions, which are considered in a recent working paper by Cristina Bailey, assistant professor at the University of New Hampshire, using data for publicly traded US insurers.*  There is a fair amount of statistics and econometrics in this paper which would have been covered through peer review.  There are differences between regulatory requirements on the two sides of the Atlantic, which could challenge the ability to infer from US data for Europe.  However, it would seem that ERM effectiveness is driven by the underlying business rather than regulatory requirements and that the lessons should be transferable. 

So what can we learn from this paper?  There are a number of measures of ERM effectiveness and benefits.  The effectiveness of risk management can be gauged by reference to the ratings awarded by S&P for risk management.  There are five possible ratings: very strong, strong, adequate with strong risk control, adequate and weak.  In the paper, ERM is defined as holistic risk management and is associated with the top two S&P ratings.  ERM benefits can be considered by referring to the volatility in stock returns.  ERM benefits can also be inferred using a measure of strategic industry positioning defined as the difference between the return on assets for the insurer and the top quartile.

Normally, it is important to consider the experience that the CRO brings to the role.  A number of experiences are specifically identified: oversight (e.g. prior experience as CEO or COO), financial (e.g. accountancy qualification or prior role as CFO or financial controller), industry (previous employment in the insurance industry) and risk (previous experience as a CRO or a senior risk management position). 

The analysis suggests that the breadth of the CRO’s experience is positively related to ERM effectiveness after controlling for a wide range of relevant factors.  However, this logic does not seem to apply to the expertise of the risk or audit committee.  But before you despair about the value of effective risk governance provided by a board committee, consider the impact on ERM benefits mentioned earlier by reference to volatility or strategic industry positioning.  The breadth of expertise of the committee members turns out to be a significant determinant of the ERM benefits. 

This result is a useful reminder of the difference between outputs (effective ERM) and business outcomes (e.g. risk reduction).  A potential way of pulling together these results is as follows: a CRO with broad expertise can successfully shape the effectiveness of ERM.  However, the wider ERM benefits depend on shaping the overall direction of the company which requires, amongst others, board committee members with a similar breadth of experience to act on the outputs that the CRO leading an effective ERM system would generate.  The above points to the importance of the qualities of CROs. 

Headhunters Hedley May have also published an interesting paper on the role of the CRO – and the risk function – based on discussions with CROs in banking, insurance, investment management and other stakeholders.**  Their analysis seems to support the above hypotheses about the difference between an effective ERM system and delivering business benefits such as lower volatility.  The qualities of a good CRO were found to include relationship building, influence and an ability to synthesise. These would provide the CRO with appropriate credibility in front of the board to go beyond an effective ERM and affect business decisions.

* ‘The Effect of Chief Risk Officer and Risk Committee Expertise on Risk Management', (forthcoming, www.ssrn.com)

** ‘The Post Financial Crisis Chief Risk Officer: The Teenage Years’, 2015

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox.