Spotlight Quiz
Risk Appetite and Culture
Question 1
Responsibility for Risk
In discussing risk management in a company it is really tempting to focus immediately on the
technicalities of risk management: how should we recognise particular risks and, assuming that we
can recognise all of our risks, what should we then do about managing them? But, as a
senior executive in any large corporation it is impracticable for you to try to recognise each risk
yourself. As so often in business management, you have to work through others. The difference for
risk management is that here we are not primarily trying to motivate and inspire, although we do
need to do that of course. In risk management through other people, first we must find a way of
communicating what sort of risks we are comfortable with and what sort of risk we are definitely not
comfortable with. Further, we need to find a way of instilling an appropriate risk culture within our
organisation; a culture that may be complex in terms of being willing to accept a high degree of risk
in some circumstances but very risk averse in others, but consistent in that risk is always considered
in a more or less formalised structure and the issue of risk is discussed openly and widely.
Question
This is an intentionally easy question to start with.
Whose responsibility is risk management within a company or group?
(a) The risk manager
(b) The risk committee
(c) The risk sub-committee of the Board
(d) The Board
(e) Don’t know
Answer
The right answer is (d) The Board.
This should be obvious – the Board carries the ultimate responsibility for everything that happens
within the company or group. But it is clearly not as obvious as it might be – it is necessary for it to
be restated in the UK Corporate Governance Code revised in September 2012. To quote from the
Code, Section C Accountability “Main Principle: The Board is responsible for determining the nature
and extent of the significant risks it is willing to take in achieving its strategic objectives. The board
should maintain sound risk management and internal control systems.”
The Financial Reporting Council, http://www.frc.org.uk/getattachment/a7f0aa3a-57dd-4341-b3e8ffa99899e154/UK-Corporate-Governance-Code-September-2012.aspx
Question 2
Risk appetite
Understanding risk appetite is at the heart of corporate governance. In fact it might be argued that
taking and managing risk is what enterprise itself is about. Understanding which risks are acceptable
and which are not, and being confident that this understanding is imbued throughout the
organisation, must be core to corporate governance. Examples of failure abound; Enron, and most
of the other major disasters testify to this.
There are some key principles for defining and communicating risk appetite.
- The acceptance that the definition of corporate risk appetite is complex. That
complexity must be addressed rather than ignored or even denied.
- Discovering a methodology for making the risk appetite measurable. Board
members need to understand the trade-off between risk-taking and performance,
so that they can appreciate the impact of risk-taking on EVA or other measures of
shareholder value. Clearly ‘risk’ is not one dimensional in that the commercial risk
of launching a new product is not the same as the financial risk of leaving a long FX
exposure open. Complexity abounds!
- Risk appetite is not a single fixed concept. Appetite can be different for different
risks as well as different for the same risk at different times.
- The organisation’s capability to take and manage risk is a function of the capacity to
accept risk plus risk management ‘maturity’, or the extent to which risk
management is embedded into the fabric of corporate culture.
- Risk appetite must include differing views of risk and risk-taking at different levels
and different parts of the organisation. So, around the group the appetite will
reflect the activities and the managerial stance, be it strategic, tactical or
operational.
- Finally, risk appetite must be integrated with the control culture of the organisation.
Possibly one of the most important insights is the interaction between the
propensity to take risk and the propensity to exercise control.
Question
The interaction between the propensity to take risk and the propensity to exercise control operates
differently for three different aspects of management: strategic management, tactical management
and operational management.
Match the ‘management’ aspect to the balance between taking risk and taking control, i.e. the ‘risk-control trade-off’.
Management Aspect:
- Strategic management (S)
- Tactical management (T)
- Operational management (O)
Risk-Control Trade-off:
- Primarily which risks to take (R)
- Balance – risk and control important (B)
- Primarily exercising tight control (C)
(a) S goes with R, T with B, O with C
(b) S goes with C, T with B, O with R
(c) S goes with B, T with R, O with C
(d) S goes with R, T with C, O with B
(e) Don’t know
Answer
The right answer is (a) S goes with R, T with B, O with C.
Strategic management is about deciding new product lines, investment in R&D or new methods of
financing. This is determining which risks to expose the firm to and which to avoid – much more
about risk than control.
Tactical management is about implementing strategy, balancing risk with control. If risk appetite is
well specified, then the balance of time to be devoted between risk and control will be clear.
Operational management is much more concerned with exercising control so that budgets and
targets are met and therefore avoiding risk as much as possible. Again, clarity is needed to
articulate the risk appetite within the organisation.
The Institute of Risk Management, Risk Appetite and Risk Tolerance, A Guidance Paper
http://www.theirm.org/publications/risk_appetite.html
Question 3
Risk Appetite and Risk Tolerance
In practice, many firms use the terms ‘risk appetite’ and ‘risk tolerance’ to mean pretty much the
same thing. Perhaps we should articulate our thinking about risk more carefully than this. If we are
to communicate our risk strategy and have people throughout the organisation understanding which
risks we want to take and which we want to avoid, then vocabulary becomes very important. We all
need to be talking the same language.
Question
What is the difference between the two terms ‘risk tolerance’ and ‘risk appetite’?
(a) There is no difference between them.
(b) Risk tolerance is the extreme acceptable outcome, risk appetite is where we set the limits,
knowing that those limits might be exceeded.
(c) Risk appetite is the extreme acceptable outcome, risk tolerance is where we set the limits,
knowing that those limits might be exceeded.
(d) Risk tolerance is the quantified measure of risk appetite, using Value at Risk at 95%
confidence.
(e) Don’t know
Answer
The right answer is (b) Risk tolerance is the extreme acceptable outcome, risk appetite is where we
set the limits, knowing that those limits might be exceeded.
Risk appetite is about the level of risk that we, as a business, are comfortable with. It is about the
level of risk that we seek, or are willing to accept if it comes our way. On the other hand risk
tolerance is what the organisation might just about be able to deal with. Both are about the impact
on performance over time. Each company must find its own level of risk ‘comfort’ and that may well
vary over time. As an example often used, Kodak invested to develop their business when
photography was new. New products flowed – each with its own risk – as the market grew and new
competitors emerged. But then the market became mature and the company became less willing to
take commercial risk, while the market changed from primarily film-based to being digitally-based.
As a result, when the film market faded, Kodak failed to find a place in the new order. Exposure to
risk can create a global company, but having built the business unwillingness to accept further
exposure can leave the company defending a shrinking position and ultimately dying.
Risk appetite is the level of risk that the company actively wants to engage with. Risk tolerance is the
level of risk that, in the worst case, we can just live with.
The Institute of Risk Management, Risk Appetite and Risk Tolerance, A Guidance Paper
http://www.theirm.org/publications/risk_appetite.html
Question 4
Risk Culture
Defining risk appetite is not easy. It requires a lot of discussion and consensus building throughout
the company. In fact the corporate culture, or more specifically, the risk culture within the company
determines the risk appetite in practice – what happens rather than what is supposed to happen.
Changing the risk appetite possibly requires changing the risk culture.
Organisational culture is often described as being composed of attitudes, behaviour and culture:
attitudes determining the way that people behave and then collective behaviours determining
organisational culture.
Risk attitude is described as the position adopted by an individual or group towards risk.
Behaviour, in this context, is the external observable actions i.e. risk-based decisions, risk processes
and risk communications.
Risk culture is the set of values and beliefs, knowledge and understanding about risk, within the
organisation.
The risk culture can be top-down, imposed from above or it may emerge naturally. If the latter, then
the Board had better be sure that it is in line with their view of how risk should be managed within
the company. When we consider changing risk culture, then the feedback loop within this Attitude-Behaviour-Culture chain becomes extremely important.
Individuals in the organisation are bound to notice the impact that specific types of behaviour have
on other individuals. The delivery of bad news is a prime example. Is the bearer of bad news
encouraged to expand and investigate further, or blamed for the fact that the news is bad? If the
bringer of bad news is treated badly, that is the strongest encouragement for others to hide bad
news. On the other hand, if the messenger is treated well and shown appreciation for not sweeping
things under the carpet, then that will encourage others to be open and to welcome discussions
about risk.
A similar example could be drawn around whistleblowers – are they welcomed and their claims
investigated, or do they become pariahs? The feedback loop is a strong determining factor in
people’s attitudes, their behaviour and therefore the subsequent culture. The management of this
process is clearly vital for risk management.
Question
As a newly appointed treasurer for a chain of DIY outlets, you find that the previous treasurer had
acquired a portfolio of bonds. You can see no reason for keeping these bonds as they bear no
relation to your business. Your decision to sell is reinforced when you realise that a sale would net a
profit of £2 million. You go ahead and sell the bonds.
When the profit is booked, you get a call from the CEO. What do you expect when you enter her
office?
(a) Congratulations and the promise of a bonus
(b) A request for a board paper on investing in more bonds
(c) A heartfelt thank you because operations had been disappointing this quarter
(d) A reprimand because without consultation you have introduced extraneous gains to the
Income Statement
(e) Don’t know
Answer
The right answer is (d) A reprimand because without consultation you have introduced extraneous
gains to the Income Statement.
This is based on a real situation (disguised) where the CEO and Chairman had spent a lot of time
persuading the City that the company was not indulging in any quick-profit schemes, their earnings
would be from the DIY business and would rise or fall on that; the company had no financial gambles
in its accounts. The extra £2 million profit had just destroyed that argument.
The point here is that the feedback is communicating very clearly that risk management in this
company is about focussing our risk-taking on our business, and emphatically not on extraneous
financial deals. In most cases, such feedback says more about the risk culture in the company than any
statements in the Annual Report.
Question 5
Risk Culture Aspects Model
The Institute of Risk Management (IRM) has proposed a Risk Culture Aspects Model, with four
‘themes’: tone at the top, governance, competency and decision-making. ‘Tone at the top’ is
primarily about the risk leadership in the company and the reaction to bad news – is the news
investigated to find learning points or is it covered up after the messenger has ‘disappeared’?
Governance is mainly about the accountability for risk and clarity thereof and the transparency of
risk information. Is it communicated widely, and seen as an opportunity for discussion and learning?
Competency concerns the resources and skills associated with risk. Is there formal risk training? Is
the newer thinking about risk management and the language of risk management widespread in the
company?
Finally decision-making is about making informed risk decisions and not just avoiding risk.
Question
In the IRM’s Risk Culture Aspects Model, decision-making is one of the four themes. Which of the
following is NOT a decision-making characteristic of a healthy risk culture according to the model?
(a) Leaders seek out risk information in supporting decisions
(b) Performance management is linked to risk taking
(c) Managers are willing to create risk exposure if their remuneration shows adequate reward
(d) The business’s willingness to take risk is well understood by everyone
(e) Don’t know
Answer
The right answer is (c) Managers are willing to create risk exposure if their remuneration shows
adequate reward.
Decision-makers in a healthy risk culture can view risk and reward from a company perspective
rather than from a personal perspective. The risk-reward relationship cannot be skewed by the
personal remuneration system, if shareholder value is paramount.
All of the others are indicators of a healthy risk culture.
The Institute of Risk Management, Risk Culture, Resources for Practitioners, chapter 3
http://www.treasurers.org/node/8323
Question 6
Latent Culture Risk
The idea of ‘enterprise pollution’ or ‘latent culture risk’ is a subtle variation on the idea that risk
culture is fundamental in the way that risk is managed within an organisation. Take a particular risk
event that sends shock waves through the company. A task force is set up to determine what went
wrong and make sure that it can never happen again. Actions are taken, maybe heads roll –
frequently the event is linked to an operational aspect of risk management. Changes are made to
procedures and all is now well.
But, very often the real underlying problem is not spotted because it is inherent in the way that the
firm deals with and manages risk. Routine risk management can become a tick-box affair, so that
individual managers cease thinking about the underlying risk and focus on the box-ticking exercise.
This is latent culture risk.
Question
Which of the following might be an example where the real underlying problem is, or was, one of
latent culture risk?
(a) Personal expenses being used as a substitute for allowances with consequent loss of
confidence of the public
(b) The repeated discovery of rogue traders in investment institutions
(c) Wilful blindness to underhand methods of newsgathering leading to the collapse of a weekly
newspaper
(d) Involvement in the manipulation of an interest rate index
(e) All of the above
Answer
The right answer is (e) All of the above.
While all are obviously imaginary situations, all are likely to be the result of looking at the detail of
the situation rather than focussing on the broader picture. It was surely only a matter of time before
the claiming of expenses for cleaning an MP’s moat appeared in a tabloid newspaper, and therefore
the discovery and ensuing outrage was entirely foreseeable. The incidence of rogue traders seems
far too frequent if the ‘rocket scientists’ were really trying to find ways of uncovering true risk
positions, rather than encouraging traders to take bigger risks to make bigger profits.
Conclusion
The “softer” aspects of risk management are occasionally derided in favour of the more technical
content. But, ultimately, risk can only be managed in a group or corporate scale through the actions
of other people. Those actions are only controllable through these “softer” aspects. The
management of the corporate risk culture is the most vital weapon in the armoury of the risk
manager. Without an appropriate risk culture, the cleverest techniques in risk management are
irrelevant.
The Institute of Risk Management, Risk Culture, Resources for Practitioners, chapter 7
http://www.treasurers.org/node/8323