Working In Uncertainty
Reviewing policies on risk taking
Sometimes it is feasible and worthwhile to establish policies to govern risk taking. To be really effective these need to affect decisions taken within an organization's core management activities. Failing that they might be applied within meetings convened specifically to talk about 'risk' and to make risk related decisions, though this is likely to be less effective because so few decisions are purely about risk responses.
Many of the policies that have been drafted are flawed, usually in more than one way. This has been made worse by the recent fad for talking about 'risk appetite' and 'risk tolerance', which are phrases that have confused and misled many people and already have associated themselves with a morass of misconceptions. The three examples below show some of the flaws you can learn to spot. All are taken from, or slightly anonymised from, actual risk appetite statements made or recommended.
1. From the 'earnings volatility' section of a 'risk appetite statement'.
"Deliver annual target EBITDA growth of 15% through 2009."
You're probably wondering where the 'risk' is. Quite. There isn't any. This is just a typical earnings growth target.
2. Here's an example that at least tries to mention something related to risk.
"Earnings at risk capacity: We will position ourselves in the top 1/3 of our peer group in terms of deviation from expected earnings."
Vagueness seems to be a big problem here. What is their 'peer group' for these purposes? How is 'deviation' measured? What are 'expected earnings'? Expected by whom? Expected on the basis of what evidence, for what period, and using what forecasting method? Without clarity the policy is meaningless puff. It would be interesting to know if they had any intention of calculating the 'deviations' for themselves and their 'peer group'.
Even if the statement was well defined it is unstated when the policy is to be used and by whom. Without that information it is just a nice idea, and not one that any person in particular is expected to adhere to.
3. Lastly, a pseudo-statistical statement.
"Level of risk that results in no more than a 0.1% chance of failure over a one-year horizon, where failure is defined as loosing 100% of capital, measured by US GAAP."
On first reading this seems impressively scientific. But wait! What is the basis of the probabilties involved? All probabilities are conditional, so what are the conditions? What model is used? More simply, how often is this calculation performed? Is it daily or annual? Clearly it is more likely that a breach of the rule will be found if the calculation is made more often (provided nothing is done in response to the calculations).
As so often there is no information about who is to use the policy or when. Also, there is no hint as to what action might be expected if a breach of the rule occurs.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Made in England
Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.
Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.
Words © 2012 Matthew Leitch