We are all familiar with the Shakespearean origin of the comment used to derive the title, but unlike Romeo, modern-day companies tend to have much less leeway when it comes to descriptive terms, especially when they relate to compliance with good corporate governance standards.
One of the challenges in the rapid development in the risk management field has been related to standardised and accepted definitions. In some cases definitions used throughout the industry have intuitive meaning and the definitions applied by various practitioners are similar in meaning.
Conversely, there are definitions used in the industry that are not standardised, nor do they facilitate mathematical derivation or quantification, even though these approaches are implied or mentioned in the definitions.
As a general contextualisation, many risk management projects conducted over the years for a variety of clients have highlighted one important concept – most exercises can relatively easily be categorised under one of two questions – “How much does it cost?” or “How much can I afford?”.
The first question generally relates to risks and their nature (distribution, expected value, volatility etc.) and the second generally relates to the resources available to manage the risks.
As an example, many risk control measures affect the answer to the first question as they impact on the nature of the risks. Now, the concept of cost and affordability can easily be expanded to encompass non-financial costs, although the majority of focus outside Health and Safety concerns is generally of some financial nature.
With specific regard to the area of ability or willingness to retain risk, the intuitive approach is that this concept generally falls under “How much can I afford?”. Sticking to the financial side, the ability to retain risk naturally lends itself to some form of financial capacity, which is strictly independent of the exact nature of the risk, although there is admittedly a myriad of contingent and dependent influences.
To complicate matters even further for listed South African companies with international operations or listings in particular, there is the issue of conflicting requirements. Below is the definition of Risk Appetite in both brief and (literally) expanded form from ISO 31000 as well as per the Report on Corporate Governance by the King Committee (King III).
Although very cumbersome, both expansions serve to demonstrate the level of complexity inherent in the few definitions already out there. Both definitions consider both the nature of the risks and the ability to retain the risks, effectively making it a composite result. Therefore, a company having derived its risk appetite would have to have answered both questions.
In addition, there are significant differences in specific parts of the definition. Specifically:
- Residual Risk: ISO 31000 does not make a specific distinction between residual risk and risk whereas King III does. Although the ISO definition could be viewed as implying the same, it is not explicitly stated and cannot therefore necessarily be assumed.
- Individual Risk Basis: King III specifically refers to risk appetite as developed from an individual risk assessment basis and being applied individually to various risks. ISO 31000 does not appear to make this distinction other than to refer to the amount and type. This does imply some distinction between the various risks but not explicitly to the same degree. Neither addresses the issue of risk retention optimisation and dependencies explicitly, which can have a significant impact on decisions.
- Pursuit of Value: King III provides a single potential source of motivation for the setting of the Risk Appetite – the pursuit of value, indicating that other considerations not related to the pursuit of value should be excluded.
However, King III does address in some form the collective financial ability to retain or absorb risk in specifying the term Risk Bearing Capacity (RBC).
Although, on the surface, this appears to address the other side of the coin (How much can I afford?), the focus is entirely different. Whereas the Risk Appetite definition is focused on risk costs related to the pursuit of value, the RBC focuses on company survival – definitely not business-as-usual or going-concern.
Although the maximum amount that a company can forfeit and survive is a critical element in the overall risk management framework, it does not assist in determining the value of risk that can be retained on an on-going basis without impeding the ability to operate.
In addition, the term Risk Bearing Capacity has been used in other contexts with different definitions several years prior to the issue of King III. Does this necessarily invalidate any other definitions?
The key to definitions is that they should clarify, rather than confuse; break concepts down into manageable components rather than confound. Clear thinking and analytical approaches are required in order for risk management to fulfil its promise to businesses. Irrespective of the labels we put on things, we need to ensure we are in the same forest before we start cutting down trees.
Although a measure of flexibility and principle-based direction is always welcome, it will remain important to consider the potential impact before committing to specific definitions that can have a significant impact on business.