The economic problem of organizational risk appetite

Door Arie de Wild

In our current era of major global challenges and worldwide crises the human race is contin- uously searching for solutions to the fundamental economic problem of how to determine which aims should be pursued and how limited resources ought to be allocated. Economics as the science that studies “human behavior as a relationship between ends and scarce means” (Robbins 1932 p.16) is poised to prescribe normative antidotes to the calamities and acts of man that plague today’s financial and economic markets. Aiming to minimize the adverse effects of risk at minimum cost, organizations are engaged in a balancing act between the ex ante allocation of resources for risk reduction and the ex post adequacy of resources to absorb losses. The outcome of this trade-off is an expression of the organization’s willingness to accept risk, also known as its risk appetite. Scarcity of resources implies that the probability of occurrence and the potential impact of events identified as risks cannot always be reduced beforehand, and thus requires these risks to be ranked in priority by a decision maker in the organization. Risk attitude, a concept from decision theory, allows one to specify the rank order of a set of identified risks. In addition, the concept of risk appetite specifies the subset of this rank ordered set of risky events that requires control measures and its complement that, in contrast, is accepted. Given that organizational risk appetite is not unlimited, this thesis explores how measurements of risk attitude can be applied meaningfully in risk man- agement to the economic problem of scarcity of resources.

In order to survive, human kind has always been engaged actively in the management of risk. As a formal field of study and practice, however, risk management only established itself in the second half of the 20th century. In the 1990s the idea that organizations should manage their risks holistically led to what is now commonly referred to as enterprise risk management (ERM). The COSO (2004a p.4) framework for enterprise risk management provides the following definition for this enterprise-wide view of risk management:

“Enterprise risk management is a process, effected by an entity’s board of directors, manage- ment and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The risk management process is typically composed of the following steps: setting organiza- tional objectives, identifying events that threaten the objectives (risk identification), assessing the probability that these events will occur and their impact on the objectives (risk assessment),

determining the acceptability of the events identified (risk evaluation), formulating a suitable response to the events in terms of control measures (risk treatment) and finally monitoring whether the controls are effective. The risk evaluation step requires the organization to for- mulate its risk appetite. Through its definition of enterprise risk management, the COSO framework formalized a requirement for organizations to become more explicit about their risk appetite and thereby created “a new managerial and regulatory object of attention” (Power 2007 p.78). In the COSO framework, organizational risk appetite is defined as “the broad-based amount of risk a company or entity is willing to accept in pursuit of its mission” (p.110). The large number of internet pages on risk appetite and an abundance of references in professional literature indeed demonstrate that the topic has not been wanting in attention. Despite this large stock of guidelines, advice and good practice examples, practitioners still characterize the topic as “challenging”, “tough”, and “one of the hardest things to define” (www.LinkedIn.com ERM discussion group).

The communis opinio in risk management is that risk appetite should be formally ex- pressed and that it should reflect the risk attitude of the senior management of the organiza- tion, which acts in the interests of its stakeholders. In line with the “rituals of verification” that today’s “Audit Society” (Power 1997) requires organizations to perform, these Board approved statements of risk appetite act as traces of evidence of good governance. A formal and approved expression of risk appetite is presumed to attest to the active involvement of senior management in the setting of risk appetite so that it supposedly reflects a deliberate and well thought-out attitude towards organizational risk taking. Recent publications by risk management practitioners explicitly call for the need to embed the senior management’s risk attitude in the organizational risk appetite.

These demands for the validation of organizational risk appetite could be addressed by models and methods from behavioral economics that facilitate the analysis and the elicita- tion of a decision maker’s risk attitude. Behavioral economics is a branch of economics that incorporates findings from psychology into economic models with a view to understand- ing human decision making in economic settings. Since the 1990s, behavioral economics has been a mainstream branch in economics and, rather recently, received a lot of media attention due to the publication of popular monographs such as Thinking Fast and Slow (Kahneman 2011), Predictably Irrational (Ariely 2008), and Nudge (Thaler & Sunstein 2008). The discipline in which behavioral economists and cognitive psychologists cooperate in the study of individual decision making under risk and uncertainty is referred to as deci- sion theory. An accessible academic treatment of decision theory recently became available in the form of the textbook Prospect Theory for Risk and Ambiguity (Wakker 2010). The application of decision theory to decision problems in practice is referred to as decision analysis. Despite the high regard in which decision theory is held in academic circles, it is not yet commonplace for its concepts to be applied in practice, not even in very important decisions. In relation to risk appetite, decision theory holds the promise that its descriptive models can uncover the professional risk attitudes of key decision makers and that its nor- mative models may offer to improve strategic decisions on organizational risk appetite.

 

Bron: Arie de Wild – Unraveling Risk Appetite