I’m currently managing director of Content and Business Planning at The Korea Times. Before I took the current position in early 2024, I served as managing editor in charge of both paper and online for over three and a half years. In 2015-2018, I worked as Singapore correspondent covering ASEAN nations.
Hungry for risks?
By Towers Watson
The financial crisis and move toward market-based accounting both indicate a need for greater transparency about an organization’s risks. External stakeholders are increasingly demanding evidence of clear boundaries and guideposts that inform the nature and amount of risk an organization accepts.
A “clear risk appetite statement” goes some way to meeting these demands by expressing the nature of the risks that an organization is willing to accept to achieve its strategic objectives and meet its obligations to stakeholders. Such a statement can provide assurance to stakeholders that the company has established clear boundaries for overall risk taking.
Defined well, risk appetite (with the related tolerance and limits) forms the boundaries of a dynamic process that encompasses strategy, target setting and risk management. As a result, risk appetite is central to adopting and embedding enterprise risk management (ERM) in the business.
A framework for managing risk in the business
The aim of a risk appetite statement is to provide an overarching framework for accepting and managing risk in the business; it sets the boundaries for risk taking within the organization. To achieve this, there must be a clear articulation of:
• The nature of the risks to which the business may be exposed
• The risks which the business does and does not wish to accept
• The amount of risk to be accepted in different risk categories
• The desired balance of risk versus reward
• The risk measures and other method by which risk exposures are to be monitored and controlled
Typically, risk appetite is defined formally by the board to provide guidance to management by setting out the principles to be followed in managing the business, such that detailed policies and procedures can be developed and cascaded down to the business.
A well-considered risk appetite statement provides the reference point against which to benchmark all risk-taking and risk mitigation activity within the organization, defining boundaries within which risk-based decision making can occur.
When defining risk appetite, it is important to consider the organization’s different stakeholders ― policyholders, shareholders, debt holders, regulators, rating agencies, intermediaries, management and employees ― each with different (and at times conflicting) interests. The risk appetite statement should be articulated in a way that addresses the interests of all stakeholders. Therefore, a risk appetite statement will often have multiple dimensions and may require more than one metric to address the varying interests of a wide range of stakeholders. Just taking two examples:
• Shareholders are looking for return on their investment and are therefore interested in the risk exposure of the value of their investment. Shareholder value has a number of components, including the net asset value of the organization, the value of its in-force business and its franchise value ― all of which are at risk. Shareholders care, for example, about the risk of loss of product distribution capability just as much as loss of tangible assets.
Moreover, shareholders are interested in upside opportunities as well as the downside risks and how they balance, the shape of the risk distribution (for example, the potential for occasional extreme losses versus more routine mild variability) as well as the nature of the risks undertaken (for example, credit, market or insurance risk). They can then make informed decisions as to how the company’s risk profile fits within their own investment portfolio structure.
• Policyholders are generally risk-averse, which is often why they have taken out insurance. They are primarily looking for security of payment of the contractual benefits under their policies. They are therefore concerned about the organization’s level of capital and how the business will be managed over the term of their policies to ensure that their benefits can be paid when due. Typically, policyholders are mainly interested in the ability of the company to cope with extreme downside risk ― they are not usually interested in the upside possibilities.
However, where policies involve discretionary bonuses or dividends, policyholders do also have an interest in the upside returns, at least to the extent they have a reasonable expectation to receive a share in them. Finally, in contrast to shareholders, policyholders are relatively insensitive to the nature of the risks undertaken. They care little whether it is market or insurance risk that puts their benefits in jeopardy.
Approach to development of a risk appetite statement
Risk appetite is unique to each organization, reflecting the particulars of its business and its overall strategy. It must be directly calibrated to the company’s targeted financial performance indicators ― for example, capital, earnings and economic value.
Nevertheless, in setting the risk appetite, there are some basic questions that should be addressed such as: What is the purpose of the statement; who are our stakeholders; what range of risks do we face; which of these risks are acceptable/unacceptable; how should new risks be assessed; what metrics are appropriate for defining risk tolerances and risk/reward trade-offs; how are risks managed (avoided, mitigated, transferred, etc); and what is the process for updating the risk appetite?
Those tackling a first-time development of a risk appetite statement should expect an iterative process with the statement being influenced and refined in light of where the organization is now, the conflicting interests of different stakeholders and competitive realities.
The initial development of a risk appetite statement can be broken down into three steps as shown in the diagram below.
Step 1:
Develop a preliminary “strawman” risk appetite statement, with the associated metrics to measure tolerances, aligned with the corporate strategy. At this stage, a process of interviewing senior management can help to identify corporate objectives, confirm the range of stakeholders, identify current risks, and propose metrics.
Step 2:
Quantify the organization’s current risk exposures, using the metrics identified in Step 1, to compare against the top-down risk tolerances implied in the strawman risk appetite statement. Initially, various approximations will be needed in producing preliminary measures, as fully detailed calculation methodologies and systems are unlikely to be available.
Step 3:
Refine the strawman risk appetite statement and associated risk tolerance metrics in light of the top-down versus bottom-up comparison above. The above steps may need to be repeated until the company’s initial risk appetite statement has been finalized.
Linking risk appetite to the business
The achievement of a clearly defined risk appetite statement should rank high on the list of priorities for every insurer. This is not only in response to the external demands of rating agencies and regulators, but also in response to the growing need to incorporate ERM into strategic decision making.
In addition, a company will need to be able to develop a process to translate its articulated risk appetite statement and risk tolerance into individual risk limits so that they can become actionable on the front line. The risk appetite statement thereby helps to align day-to-day decision making with the strategic direction of the business, and enhance decision-making generally. And ultimately, better decisions will lead to better outcomes for all stakeholders.
Note: A version of this article was first published in Towers Watson's Insights ― Asia Pacific Insurance in June 2011.