Corporate Compliance Insights
The Board-Management Risk Appetite Dialogue

Advice from the NACD on Determining the Organization’s Appetite for Risk

by Jim DeLoach
December 17, 2019
in Featured, Risk

Considering unpredictable markets, myriad uncertainties and unprecedented market opportunities, how should the board and executives engage with respect to the organization’s risk appetite? Protiviti’s Jim DeLoach offers sage wisdom.

In 2017, the National Association of Corporate Directors (NACD) Advisory Council on Risk Oversight released a publication based on input obtained from a meeting with risk and audit committee chairs from Fortune 500 companies.[1] This publication offers useful insights to directors and senior executives alike that are consistent with the Enterprise Risk Management Framework[2] of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), also released that year, and that boards and executives can use to advance their risk appetite dialogue.

The practical advice offered by the NACD advisory council is framed around three major takeaways:

  • Align the risk appetite statement with company strategy.
  • Use the risk appetite statement to inform critical processes and decisions.
  • Continually re-evaluate the risk appetite statement.

Each of these recommendations is discussed below.

The risk appetite dialogue offers executive management and the board of directors an opportunity to get on the same page regarding the drivers of and parameters around opportunity-seeking behavior. Once they reach agreement as to the types and amount of risk the entity is willing to take in creating value, the risk appetite statement serves as a guidepost for subsequent boardroom and C-suite discussions and the entire organization.

The NACD publication is stocked with sage observations from savvy directors who practice what they preach in working with their company’s management. There is no academic conjecture or suppositional expounding of theory anywhere in its 12 pages – just a crisp discussion of how and why risk appetite is used in the boardroom.

Align Risk Appetite with Company Strategy

Risks are inherent in every strategy, whether the organization chooses to express them explicitly or not. When determining the level of acceptable downside risk, directors and management should agree on the most critical risks, whether expressed qualitatively or quantitatively, and evaluate the organization’s tolerance level for each one. The idea is to frame the risk appetite statement as a means to optimize the competitive advantage unique to each company.

The NACD advisory council suggests the use of metrics to set boundaries around the risks the entity is willing to accept. These metrics may be expressed as targets, ranges, floors, ceilings or prohibitions that set parameters within which the company is to operate. For example:

  • Strategic parameters consider matters such as new products to pursue or avoid and the investment pool for capital expenditures and M&A activity.
  • Financial parameters consider matters such as the maximum acceptable variation in financial performance, risk-adjusted return on capital, target debt rating, target debt/equity ratio, EBIT/interest coverage ratio and derivative counterparty criteria.
  • Operating parameters consider matters such as capacity management; sustainability; environmental, social and corporate governance (ESG) requirements; R&D investment pool; safety targets; quality targets; and customer concentrations.

In addition, the advisory council recommended benchmarking against peer groups (e.g., the company’s cybersecurity risk rating compared to the rating of its competitor peer group). Taken together, these considerations help frame the entity’s risk appetite.

Use Risk Appetite to Inform Critical Processes/Decisions

Articulated crisply with both forward-looking and backward-looking metrics, a robust risk appetite statement can be used in the following ways:

  • Establish performance targets: Risk appetite statements facilitate setting more balanced performance targets that avoid incentivizing excessive risk-taking behavior. In making risk-appetite assertions, executive management and the board predetermine where the trade-offs are in terms of promoting superior performance versus limiting exposure to unwanted risks.

Pushing these determinations down into the organization drives strategic alignment of processes and people, preventing trade-off decisions from being made in isolation. An effective risk appetite statement offers decision-makers a reasonableness test to avoid bad or risky deals or setting unrealistic performance goals that can lead to corner-cutting.

  • Shape corporate culture: When the risk appetite statement is translated into actionable guidance with well-defined thresholds and tolerance levels that are used across the organization to measure and monitor the level of acceptable variation in performance, the risk awareness of the organization’s culture is influenced significantly. For example, an organization with a lower risk appetite may prefer less performance variation compared to an entity with a greater risk appetite.

When risk thresholds and tolerances are embedded into operating processes, employees are positioned to make thoughtful day-to-day, risk-adjusted decisions that are in line with executive management’s and the board’s expectations – particularly in areas that are either high priority for taking on more risk in the pursuit of enterprise value or where there is zero or low tolerance for risk.

  • Improve communication, including reporting to executive management and the board: The advisory council agreed that an effective risk appetite statement is an important communication tool for driving alignment with and awareness of the strategy through a better and more transparent risk policy and more focused risk reporting. A robust statement of risk appetite clarifies the acceptable or on-strategy risks the organization intends to take and forces dialogue as to whether the upside rewards of the strategy warrant acceptance of the downside risks.

These risks are typically foundational elements of the business strategy (e.g., invest in developing countries to fuel market growth and innovate in specific areas to drive new revenue streams). The risk appetite statement also addresses the undesirable or off-strategy risks for which zero or minimal tolerances should be set in policy prohibitions (e.g., unacceptable risk concentrations, appropriate credit limits and adherence to core values). These assertions frame the specific issues that should be addressed in regular risk reports to executive management and the board and facilitate a risk escalation policy that establishes formal lines of communication from management to the board at the first sign of a problem or an emerging risk.

  • Make decisions about compensation: A formal risk appetite statement can inform a company’s overall compensation philosophy with the objective of preventing employees from taking unacceptable risks to achieve performance targets. To that end, the NACD publication lists important questions executives and directors can consider when evaluating whether the design of incentive compensation plans may inadvertently encourage risk-taking that is in conflict with the company’s established risk appetite.

These questions pertain to such matters as incentive payout outliers, extreme outperformance versus peers, comparison of incentive targets with the industry and excessive upside payout opportunities, among other factors.

No one disputes that successful organizations must take risk to create value. The question is, how much risk should they take? A balanced approach to value creation means that the enterprise accepts only those risks that are prudent to undertake, given its capacity to bear risk, and that it can reasonably expect to manage successfully.

Continually Re-Evaluate Risk Appetite

As the business environment and strategic priorities change, the risk appetite statement should be revisited periodically. The risk appetite statement is a benchmark for discussing the implications of opportunistic value-creation pursuits as they arise and is not intended to handcuff management. Therefore, it is a living document that may change as the company’s perspective toward risk changes over time.

The NACD publication acknowledges that not all companies have a formal risk appetite statement. That said, the participating directors agreed that formulating a statement can help clarify strategic objectives, equip employees to make better decisions and make clear when it is time to escalate problems up the chain. More importantly, it can be an effective tool for getting everyone in the boardroom on the same page with respect to risk.

The four appendices to the NACD publication also provide useful insights. One appendix points out that an effective risk appetite framework has four core elements:

  • A collection of principles that articulate the company’s philosophy about risk-taking;
  • A set of limits that identify the thresholds of acceptability in key areas;
  • An analytical tool that enables the development of those limits and facilitates reporting against them; and
  • An implementation framework that describes how the risk appetite is deployed in corporate decision-making.

Of particular interest, the risk appetite analytics example illustrates net available cash flow to cover risk during the enterprise’s planning period. This example begins with starting cash (and presumably other liquid assets) and expected cash flow for the planning period before committed and noncommitted cash outflows. It then totals committed cash outflows for interest, dividends and maintenance capital expenditures and noncommitted cash outflows for such planned discretionary outlays as growth capital expenditures, M&A investment and share buybacks.

By deducting committed and noncommitted cash outflows from total cash available, one is able to calculate total cash available to cover risk. Whatever that number is, the question “is this sufficient based on the assessment of corporate risks?” is raised.

In our view, this conceptual illustration is important. A winning strategy exploits to a significant extent the areas in which the company excels relative to its competitors. The execution of any strategy is governed by the entity’s willingness to accept risk in its pursuit of value as well as its capacity to bear risk. From a strategy-setting standpoint, it is useful to have a notion as to when the capacity for bearing risk is encroached upon (i.e., when is the organization taking on too much risk?).

That is the point of the illustration, as it raises interesting questions as to whether the organization has sufficient margin for error and flexibility to cover unexpected extreme losses (so-called tail risk), unforeseen investment opportunities and other contingencies and, if it doesn’t, whether it should. For example:

  • Is the enterprise’s capacity to bear risk (e.g., regulatory capital, borrowing capacity, expected free cash flow and other funding sources) adequate given the risks undertaken? What is the point at which the company’s appetite for accepting the risk of loss exposure is defined – meaning, is it at – or short of – the point of:
    • Canceling projects and deferring maintenance?
    • A profit warning?
    • A ratings downgrade?
    • A dividend cut?
    • The need to raise additional capital?
    • A loan default?
    • Insolvency?

  • Does management stress-test appropriate scenarios against the point at which the entity has defined its willingness to accept exposure to loss? Has the company’s history of performance variability and success in meeting market expectations been considered in developing its risk appetite?

  • Are there aspects of the strategy that may be unrealistic and may result in unacceptable risk if managers are pressured to achieve unrealistic stretch performance goals?

There is no such thing as a standard risk appetite. Management and the board formulate a risk appetite statement with full understanding of the trade-offs involved and in the context of the entity’s chosen mission, vision and business objectives. The statement serves as a reminder of the core risk strategy arising from the strategy-setting process, considering the organization’s capacity to bear risk as well as a broader understanding of the level of risk it can safely assume and successfully manage over the planning horizon in executing its strategy.

Questions for Senior Executives and Boards of Directors

Following are some suggested questions senior executives and their boards may consider, based on the entity’s operations:

  • Is there a periodic substantive dialogue in both the C-suite and the boardroom regarding management’s appetite for risk and whether the company’s risk profile, as measured through periodic risk assessments and stress tests against multiple future scenarios, is consistent with that risk appetite? Is risk appetite considered when significant matters – such as proposed M&A transactions, entering new markets and significant R&D outlays – are evaluated and approved?
  • Do the board and management engage in a periodic dialogue covering such topics as:
    • The maximum acceptable level of performance variability in specific operating areas?
    • The implications of changes in the business environment on the core assumptions inherent in the strategy, including the desired risk appetite?
    • Aspects of the strategy that may be a stretch or even unrealistic, leading to unacceptable risk-taking to achieve performance goals?
  • Does risk reporting to executive management and the board consider the organization’s key risk appetite assertions? Is the board informed on a timely basis of exceptions and near misses to the company’s risk tolerance parameters and the planned actions to address them? Is the risk appetite statement used to drive risk policy across the enterprise?

 


[1] “Board-Management Dialogue on Risk Appetite,” NACD Advisory Council on Risk Oversight, May 2017, available as complimentary content at www.nacdonline.org/insights/publications.cfm?ItemNumber=43377.

[2] Enterprise Risk Management – Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations, June 2017, available at www.coso.org.


Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
