Faculty of Economics and Business Master’s Thesis Strategy & Innovation

(1)

Faculty of Economics and Business

Master’s Thesis Strategy & Innovation

Risk appetite disclosures

A study on the motivation of Dutch non-financial

organizations to non-disclose.

Caroline Breitenstein

Scheldestraat 14-3R

1078GK, Amsterdam

06-45258559

c.s.breitenstein@student.rug.nl

S1765337

First supervisor: Dr. R. van der Eijk

Second supervisor: Dr. F. Noseleit

(2)

Master thesis Caroline Breitenstein 2 The concept of risk appetite is introduced by the COSO (Committee of Sponsoring Organizations of the Treadway Commission) as the amount and type of risk an organization is willing to accept in pursuit of its business objectives. There is a demand from several stakeholders for more risk information such as the risk appetite because they want more insight in how much risk an organization is willing to take in order to achieve its business objectives. When knowing this information, stakeholders can decide if this amount of risk is compatible with the amount and type of risk the stakeholder is willing to take in the pursuit of its personal objectives. Organizations could meet this demand by disclosing the risk appetite in their annual report or on the corporate website. However, looking for examples at the annual reports of the AEX-listed organizations, there is found that only five organizations actually disclosed the risk appetite in their report. This study investigated why non-financial organizations that are headquartered in the Netherlands do not disclose their risk appetite in order to contribute to a solution to obtain greater transparency on risk appetite. The research question this study therefore answered is the following:

“Why are non-financial organizations headquartered in the Netherlands not articulating their risk appetite publically?”

In order to answer the research question, this study uses both qualitative and quantitative research. In the qualitative research the sample is created of 11 risk experts of non-financial organizations headquartered in the Netherlands active at 10. In addition, 1 representative of an organization looking after the interests of investors is interviewed. In-depth interviews were conducted in order to examine the conceptual model that was prepared based on the literature review. On the basis of this information obtained through the interviews, an adjusted conceptual model is composed. In order to examine this adjusted conceptual model, an online survey is completed by 43 respondents working in the field of risk at non-financial organizations headquartered in the Netherlands. To examine if the propositions in the conceptual model are correct a factor analysis, binomial tests and a logistic regression are performed.

(3)

(4)

Master thesis Caroline Breitenstein 4

ACKNOWLEDGEMENTS

In front of you lies the final product of my master studies Strategy & Innovation at the University of Groningen. In February 2012 I started with my graduation internship at Ernst & Young, at the Risk department. The decision to do an internship at Ernst & Young was due to my eagerness to learn more in practice. I am proud of the final result and would like to thank a number of people for their contribution to this study.

First of all, I am very grateful that Ernst & Young provided me with the opportunity to write my Master Thesis with their help on a very interesting topic. I would like to thank the entire Risk department for making me feel very welcome and providing me with a stimulating and fun working environment. A special thanks goes out to Cees Visser, Marcel van de Wal, Wil Weerts and Fenna Wegman who all were huge contributions with their feedback and support on my research project. Second, I would like to thank my supervisor René van der Eijk in guiding me during this project with critic feedback and useful information. Next, I would like to thank all interviewees and survey respondents that were willing to cooperate in this research. Without their help and willingness to cooperate this study would not have been possible.

Finally, I would like to thank my friends and family. Without my father, mother, brother and sister’s continuous support I would not have been able to write this thesis. I especially want to thank my mother, Nava, for her limitless support throughout my entire study. Thank you for believing in me, no matter what. I could not have done it without you.

(5)

Master thesis Caroline Breitenstein Pagina 5

ACKNOWLEDGEMENTS ... 4

TABLE OF CONTENTS ... 5

INDEX TABLES AND FIGURES ... 7

1. INTRODUCTION ... 9

1.1 PROBLEM DEFINITION ... 11

1.2 RELEVANCE ... 12

1.3 STRUCTURE ... 13

2. THEORY AND HYPOTHESES ... 13

2.1 RISK AND ENTERPRISE RISK MANAGEMENT ... 13

2.2 RISK APPETITE ... 15

2.3 RELEVANCE OF RISK APPETITE DISCLOSURE ... 18

2.4 NON-DISCLOSURE OF RISK APPETITE ... 19

2.4.1 Risk appetite not defined ... 20

2.4.2 Commercial disadvantages ... 20

2.4.3 Fear of potential claims ... 21

2.4.4 Lack of (legal) requirement ... 21

2.5 CONCEPTUAL MODEL... 23

2.6 CONCLUSION THEORY AND HYPOTHESES ... 24

3. METHODOLOGY ... 25

3.1 RESEARCH STRATEGY ... 25

3.2 SAMPLE... 27

3.2.1 In-depth interview sample ... 27

3.2.2 Survey research sample ... 29

3.3 DATA COLLECTION ... 29

3.3.1 In-depth interview data collection ... 30

3.3.2 Survey research data collection ... 31

3.4 DATA ANALYSIS ... 31

3.4.1 Data analysis in-depth interviews ... 31

3.4.2 Data analysis survey ... 32

3.5 VALIDITY AND RELIABILITY ... 34

3.6 SUMMARY METHODOLOGY ... 36

4. INTERVIEW RESULTS ... 37

4.1 INTERVIEW RESULTS: RISK APPETITE NOT DEFINED ... 37

4.1.1 Interview results: Risk appetite defined ... 41

4.2 INTERVIEW RESULTS: COMMERCIAL DISADVANTAGES ... 44

4.3 INTERVIEW RESULTS:FEAR OF POTENTIAL CLAIMS ... 47

4.4 INTERVIEW RESULTS: LACK OF (LEGAL) REQUIREMENT ... 49

4.5 INTERVIEW RESULTS: ADDITIONAL MOTIVES NOT TO DISCLOSE THE RISK APPETITE ... 51

4.6 INTERVIEW RESULTS: MOTIVATES TO DISCLOSE THE RISK APPETITE... 53

4.7 QUALITATIVE MATRIX ... 56

4.8 CONCLUSION INTERVIEW RESULTS ... 60

4.9 ADJUSTED CONCEPTUAL MODEL ... 61

5. SURVEY RESULTS ... 62

5.1 TESTS CONCEPTUAL MODEL ... 64

(6)

5.1.2 Statements on motives not to define the risk appetite ... 65

5.1.3 Statements on motives to define the risk appetite ... 66

5.1.4 Statements on motives not to disclose the risk appetite ... 66

5.1.5 Statements on motives to disclose the risk appetite ... 67

5.2 ADDITIONAL FINDINGS FROM THE SURVEY... 68

5.2.1 Relationship between defining the risk appetite and the maturity of the risk management in an organization ... 68

5.2.2 Relationship between disclosing the risk appetite and the maturity of the risk management in an organization ... 69

5.2.3 Relationship between defining the risk appetite and the communication of the risk appetite in an organization ... 71

5.2.4 Relationship between disclosing the risk appetite and the communication of the risk appetite in an organization ... 72

5.3 CONCLUSION SURVEY RESULTS ... 74

5.4 FINAL CONCEPTUAL MODEL ... 75

6. DISCUSSION... 76

6.1 DISCUSSION OF HYPOTHESES ... 76

6.2 DISCUSSION ADDITIONAL MOTIVES ... 79

6.3 DISCUSSION OF THE MOTIVES TO DISCLOSE THE RISK APPETITE ... 80

6.4 DISCUSSION OF ADDITIONAL FINDINGS FROM THE SURVEY ... 81

7. CONCLUSION AND RECOMMONDATIONS ... 83

7.1 CONCLUSION ... 83

7.2 RECOMMENDATIONS ... 85

8. LIMITATIONS AND DIRECTIONS FOR FURTHER RESEARCH ... 88

8.1 LIMITATIONS ... 88

8.2 DIRECTION FOR FURTHER RESEARCH ... 89

REFERENCES: ... 92

APPENDICES ... 97

APPENDIX I: OVERVIEW AEX COMPANIES AND RISK APPETITE DISCLOSURE ... 98

APPENDIX II: CONCEPTUALIZATION OF VARIABLES ... 99

APPENDIX III: INTERVIEW GUIDE ... 100

APPENDIXIV:INTERVIEW COVER LETTER/E-MAIL ... 104

APPENDIX V: IN-DEPTH INTERVIEW ... 106

APPENDIX VI: ONLINE-SURVEY COVER LETTER/E-MAIL ... 122

APPENDIX VIII: DETAILED SURVEY RESULTS: BINOMIAL TEST ... 131

Statements on defining the risk appetite ... 131

Statements on motives to define the risk appetite ... 136

Statement on motives to non-disclose the risk appetite ... 138

Statements on motive to disclose the risk appetite ... 141

APPENDIX IX: DETAILED SURVEY RESULTS: CHI-SQUARE TESTS ... 145

APPENDIX X: DETAILED SURVEY RESULTS: FACTOR ANALYSIS ... 147

(7)

Master thesis Caroline Breitenstein 7 Index tables and figures

Table 1: Overview in-depth interview sample ... 28

Table 2: Qualitative matrix ... 56

Table 3: Numbering statements... 62

Table 4: Descriptive statistics and correlation coefficients ... 63

Table 5: Overview on the concept risk appetite ... 64

Table 6: Motives not to define the risk appetite ... 65

Table 7: Motives to define the risk appetite ... 66

Table 8: Motives not to disclose the risk appetite ... 67

Table 9: Motives to disclose the risk appetite ... 67

Table 10: Crosstabulation of the maturity of risk management and risk appetite definition showing percentages within the (non) definition of the risk appetite ... 68

Table 11: Crosstabulation of the maturity of risk management and risk appetite disclosure showing percentages within the (non) disclosure of the risk appetite ... 70

Table 12: Crosstabulation of the level of communication of the risk appetite and the defining of the risk appetite showing percentages within the (non) disclosure of the risk appetite ... 71

Table 13: Crosstabulation of the level of communication of the risk appetite and the disclosing of the risk appetite showing percentages within the (non) disclosure of the risk appetite ... 73

Table 14: Overview AEX Companies and risk appetite disclosures ... 98

Table 15: Conceptual variables ... 99

Table 16: From conceptual variables to raw indicators ... 100

Table 17: A high priority is given to defining the risk appetite in my organization ... 131

Table 18: Defining the risk appetite is very useful... 132

Table 19: Defining the risk appetite is a very complex process ... 132

Table 20: The risk appetite is not defined because the process is very complex ... 133

Table 21: The risk appetite is not defined because the Enterprise Risk Management is not mature enough ... 133

Table 22: The risk appetite is not defined because it would lead to more bureaucracy ... 134

Table 23: The risk appetite is not defined because it costs too much time ... 134

Table 24: The risk appetite is not defined because it is not pragmatic ... 135

Table 25: The risk appetite is not defined because of legal considerations ... 135

Table 26: The risk appetite is not defined because of competitive considerations ... 135

Table 27: The risk appetite is defined because it provides direction to the organization ... 136

Table 28: The risk appetite is defined because it helps to create an appropriate/desired organizational culture ... 136

Table 29: The risk appetite is defined because it leads to efficiency ... 137

Table 30: The risk appetite is defined because it provides the organization with risk boundaries ... 137

(8)

Table 32: The risk appetite is not disclosed because it is complex to disclose the risk appetite ... 139

Table 33: The risk appetite is not defined because there is no consistent terminology ... 139

Table 34: The risk appetite is not defined because there is no leading practice on risk disclosure ... 140

Table 35: The risk appetite is not defined because it is commercially sensitive information ... 140

Table 36: The risk appetite is not defined because of the fear for (financial) claims ... 141

Table 37: The risk appetite is not defined because of the fear of reputational damage ... 141

Table 38: Disclosing the risk appetite provides significant added value to the company ... 142

Table 39: The risk appetite is disclosed because it enhances the transparency ... 142

Table 40: The risk appetite is disclosed because it provides the organization with a better reputation ... 143

Table 41: The risk appetite is disclosed because it shows that the organization is in control of its risk management process... 143

Table 42: The risk appetite is disclosed because it creates a better relationship with the stakeholders ... 144

Table 43: The risk appetite is disclosed because it helps attracting appropriate, long term investors ... 144

Table 44: Chi-Square test relationship between the maturity of risk management and risk appetite definition ... 145

Table 45: Chi-Square test relationship between the maturity of risk management and risk appetite disclosure ... 145

Table 46: Chi-Square test relationship between the communication of the risk appetite and risk appetite definition 145 Table 47: Chi-Square test relationship between the communication of the risk appetite and risk appetite definition 146 Table 48: KMO and Bartlett's Test ... 147

Figure 1: Risk universe (source IRM, 2011) ... 17

Figure 2: Risk tolerance (Source IRM, 2011) ... 17

Figure 4: Risk appetite (Source IRM,2011) ... 17

Figure 3: Risk appetite ... 17

Figure 5: Bar chart to illustrate the relationship between the maturity of risk management and defining the risk appetite ... 69

Figure 6: Bar chart to illustrate the relationship between the maturity of risk management and disclosing the risk appetite ... 70

(9)

1. INTRODUCTION

Enterprise risk management (ERM) is a management strategy that is becoming more popular due to the recent financial crisis (Aloini, 2007). The crisis that started in 2007 when the U.S. financial institutions caused a panic that spread out across the global markets and the failure of risk management has often been seen as the origin of this crisis (McShane et al., 2011). Therefore, how organizations think about risk shifted fundamentally and they became aware that the appropriate management of risk is very important. Risks are necessary for all companies to take in order to be innovative and to survive, and in addition, all firms face risks due to unexpected changes in their business environment (Hain, 2011). Risk management is not concerned with the avoidance of risk, instead it includes the early diagnosis of risks and tries to find solutions, controls, for these risks that limit the negative consequences (risks cannot be taken away) (Dickinson, 2001). Enterprise risk management aims to maximize shareholders’ wealth as it is set to maximize profitability while at the same time it reduces the probability of financial failure (Salomon et al., 2000; Ballou and Heitger, 2005). This study will define enterprise risk management according to one of its most used definitions formulated by the Committee of Sponsoring Organizations of the Treadway Commission, which is a voluntary private-sector organization that is established in the United States and is set to help businesses and other entities assess and enhance their internal control systems, as follows: “Enterprise risk management is a

process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004, p. 2). Good risk management, therefore, can

(10)

is willing to accept in pursuit of its business objectives” (COSO, 2012, p. 1). In most literature

(11)

Master thesis Caroline Breitenstein 11 they have a financial interest would seem to be an adequate motive for organizations to disclose their risk appetite. However, organizations are not disclosing their risk appetite, and therefore, one could assume that there are (rational) motivations not to disclose the risk appetite. This leaves the question what the motives could be for not disclosing the risk appetite, since there must be beliefs within the organizations for non-disclosing their risk appetite that these outweigh the benefits of disclosing. Therefore, this study will examine which factors or believes influence the decision made by organizations to not disclose the risk appetite.

1.1 Problem definition

Despite the demand of stakeholders for more risk information such as the risk appetite and research that indicated the beneficial relationship between disclosing risk information and performance, the majority of Dutch headquartered non-financial organizations are still not disclosing their risk appetite. As an example there can be looked at the 25 AEX registered organizations. In the 2011 annual reports only ten mentioned the concept of risk appetite, and only five of these actually disclosed their risk appetite (an overview can be found in appendix I). This illustrates that there are still many organizations that are not disclosing their risk appetite publically. Therefore, to gain insight into the motives behind the decision to non-disclose the risk appetite, the aim of this study is to determine why non-financial organizations headquartered in the Netherlands do not publically articulate their risk appetites. Due to laws and regulations it is appropriate to compare the results within the Netherlands before comparing to other countries that are facing different rules and regulations. When the factors are known that are preventing organization from two-way communication with their stakeholders and transparency about their risk appetite, it will be an important contribution to the solution to increase the transparency regarding risk appetite. Therefore, the following research question is formulated:

(12)

Master thesis Caroline Breitenstein 12 To answer this research question there are sub-questions that will be answered in order to completely understand the main research question. These sub-questions are:

1. “What is risk and enterprise risk management?” 2. “What is risk appetite?”

3. “Why is risk appetite disclosure relevant?”

4. “What are plausible factors that influence organizations to not disclose their risk appetite?” 5. “To what extent do the proposed factors influencing organizations to not disclose their risk

appetite exist in reality?”

The first four sub-questions will be answered in the literature framework of the thesis, the fifth will be answered on the basis of an empirical study.

1.2 Relevance

(13)

1.3 Structure

This study is structured as follows. The second chapter is concerned with the literature framework; this includes the formulation of the research hypotheses. The third chapter of this thesis will present the sample and research method. In the fourth chapter, the results will be presented. Finally, in the last chapter, the discussion is presented, consisting of the conclusion, limitations, recommendations and future research.

2. THEORY AND HYPOTHESES

The main focus in this thesis will be to investigate why a large share of the non-financial organizations does not articulate an organizations’ risk appetite publically. As is mentioned prior, all organizations are faced with risks. Therefore, it seems to be logical that defining the amount and type of risk a company pursuit is critical for the value creation of an organization (Nocco and Stulz, 2006; Segal, 2006). This has become more important in the last years since risk management has become a critical function for management due to the fact that there became more awareness that organizational environments are very turbulent and complex (McShane et al., 2011). And even though most firms are performing some sort of risk management, the large bulk is failing to completely integrate risk management into their organization (Moeller, 2007). There are firms that are not determining their risk appetite, and even when top management has used appropriate information to determine the risk appetite of the organization and to formulate an appropriate strategy that is in accordance with the risk appetite, the risk appetite is not communicated and management fails to monitor risk appropriately and maintain the firm’s targeted risk position (Stulz, 2008). This section will provide explanations of the different concepts that are used in this study (sub-questions 1 and 2), it will go deeper into the reasons why companies are not integrating their risk management ‘optimally’ (sub-question 3)and which factors are behind the lack of articulation of risk appetite (sub-question 4).

2.1 Risk and enterprise risk management

(14)

Master thesis Caroline Breitenstein 14 variables such as revenues, costs, profit, market share, and so on (March and Shapira, 1987; Miller, 1992). Thus, bearing in mind either this unanticipated or negative variation, ‘risk’ can be seen as the variation in corporate outcomes that cannot be forecasted ex ante. Put differently, risk is the likelihood that something happens (negative or positive) that has got a consequence or impact upon the achievement of objectives (Ow, 2008). Risks are often measured by organizations on two scales: severity and frequency (Hampton, 2009). Severity refers to the intensity or the magnitude of a potential (negative) outcome. Frequency refers to the likelihood of occurrence of that potential (negative) outcome. On other words, the likelihood a risk occurs and the impact the risk will have on the organization. Therefore, enterprise risk is the extent to which the outcomes of the corporate strategy may vary from the outcomes specified in the corporate objectives. The strategy that an organization chooses to be able to achieve these specific objectives embodies a risk profile (risk appetite), which arises from multiple factors that can be influential on an organization’s activities, processes and resources chosen to implement the strategy (Dickinson, 2001). The overall enterprise risks are thus an integral part of its corporate strategy, and therefore, these risks can be managed within the corporate strategy itself, which is enterprise risk management. When introducing enterprise risk management, the organization gives explicit consideration to numerous uncertainties. Risk management recognizes that some risks are serious, while others are not. In addition, risk management assesses the risk profile of an organization, and sets the corporate strategy in accordance with the defined risk profile. In summary, risk management can be simply put as ‘the process of identifying major risks that

confront an organization, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, and holding key individuals for managing critical risks within the scope of their responsibility” (Hampton, 2009). Researchers

(15)

Master thesis Caroline Breitenstein 15 Thus, it can be said that there is value relevance from enterprise risk management for organizations.

2.2 Risk appetite

When an organization wants to integrate the risk dimension completely in the corporate strategy, as discussed prior, it is important that it is aware of how much risk it is willing to take, and how it wants to balance its risks and opportunities (E&Y, 2010). Therefore, the process of governing the organization’s risk appetite is a core consideration of enterprise risk management, which is the process that keeps risk and potential losses within the tolerance that is set in advance by the organization (Barnes, 2006). Answers on questions such as “When does a company start to feel

uncomfortable if the percentage of its revenues generated by just its five biggest clients rises continually?” and “When does a company start to feel uncomfortable when the growth through acquisitions rises as a percentage of total growth?” represent the amount and type of risk that a

company is willing to pursuit (E&Y, 2010, p. 1). In other words, risk appetite is how much risk a firm wants to be exposed to, or the variability in results that an organization and its senior executives are prepared to accept in support of their stated strategy (Oliver Wyman, 2005). Risk appetite can be stated very specific for a particular risk, and in addition, risk appetite can be stated more generic in the sense that there is the aggregated risk that an organization is prepared to accept at any time (Treasury, 2001; Price Waterhouse Coopers, 2009). Therefore, all companies have to identify their own risk appetite. With this identified risk appetite decisions concerning risk can be made, taken into account the amount of risk that the organization tolerates. It is unlikely that an individual organization has got one single risk appetite. The extent to which the organization will tolerate risk depends on the perceived importance of particular risks, and therefore, the risk appetite can be higher or lower for a particular risk. It seems only logical that the tolerable financial risk that an organization is willing to bear depends on a number of features, such as the size of the relevant budget and the source of the loss. The risk appetite, thus, needs to be considered to establish the appropriate balance between the potential realization of risk and the costs necessary to limit that risk as much as desired.

(16)

Master thesis Caroline Breitenstein 16 capacity, and the risk universe. First, the concept risk universe should be understood. The risk universe demonstrates all risks which the organization could face, regardless if the organization is able to bear or willing to take these risks. Next, the risk capacity should be understood. The risk

capacity of an organization can be defined according to the Institute of Risk Management (IRM)

(2011) as the ability to carry risks, and the risk management maturity to manage them. Thus, the risk capacity demonstrates what an organization financially can bear. This is different from the risk appetite, since the risk appetite demonstrates what an organization is willing to face. Finally, it is important to make a clear distinction between risk appetite and risk tolerance. Often these terms are used interchangeable, although they represent related, yet different concepts. Whereas risk appetite can simply be put as the maximum risk an organization is willing to take while pursuing its strategy, the risk tolerance is the variation an entity is willing to accept around specific objectives (COSO, 2004). COSO states “Risk appetite is a broad based description of the

desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” This shows that the risk tolerance is at a lower, more granular level

(17)

Figure 1: Risk universe (source IRM, 2011)

Figure 2: Risk tolerance (Source IRM, 2011)

Figure 4: Risk appetite (Source IRM,2011)

(18)

2.3 Relevance of risk appetite disclosure

(19)

Master thesis Caroline Breitenstein 19 information asymmetries is beneficial since it will cause more confidence for investors to trade at a fair price, which in turn leads to higher stock liquidity (Welker, 1995). Next to these benefits that are mostly for the individual investors and for managers who gain the confidence of investors, there are also potential economical benefits for the wider community in terms of improved risk-based resource allocation, with as a result increased long-term capital formation (Rajab and Handley-Schachler, 2009). Moreover, the risk management process can be enhanced as it can create disciplining effects on risk management (Jorion, 2002). Risk disclosure is a step in the risk management process, and as is also seen in a study by E&Y (2012), communicating risk (appetite) is an essential part of risk management. When an organization decides to disclose on risk management, it can be expected that the internal information that is collected on the risk that the enterprise faces and the risk appetite will improve. As such it can act as a form of indirect regulation that achieves the goals of regulators (Spira and Page, 2009). This all would imply that there are sufficient incentives for organizations to voluntarily report matters such as the risk appetite, however, the poorly reporting of the risk appetite publically shows that organizations must have other motivations to believe that disclosing would not be beneficial for the company.

In summary, risk appetite disclosure is relevant because of the following reasons:

 Enhance risk information transparency;

 Meeting the demand of stakeholders;

 Disclosing the risk appetite leads to a lower cost of capital;

 Improved risk-based resource allocation;

 Improvement of an organizations’ risk management.

2.4 Non-disclosure of risk appetite

(20)

Master thesis Caroline Breitenstein 20 2.4.1 Risk appetite not defined

The first plausible explanation that organizations are not disclosing their risk appetite can be due to the fact that the risk appetite is simply not (yet) defined. There are several reasons that could be the origin that risk appetite is not defined. First, the organization gives a low priority to defining the risk appetite (Waal and Counet, 2009). Instead of defining the risk appetite for the organization, there can be decided that short-term organizational problems are more important which delays or slows down the development of risk appetite. Second, defining your risk appetite is a complex process, which some organizations can find too complex (Stulz, 2008; Waal and Counet, 2009). When organizations do not have the sufficient skills and tools to define the risk appetite they can decide not to define it at all. Next, it can be the board does not define the risk appetite because they are lacking the commitment to defining risk appetite. Instead they delegate this task, and create an impossible task to let others set the risk appetite of the board. In this way the risk appetite will have difficulty being defined, and even more difficulty being communicated throughout the firm and beyond (Govindarajan, 2011). Finally, it can be that risk appetite is not defined due to ‘human behavior’. As explained earlier, people do not always base their decisions on the theoretical best option. Instead, they base their decisions on real-life choices. There could be feared by the board that identifying the risk appetite will increase the risk perception of the employees which can be negative for the organization as people tend to associate higher risk with less beneficial outcomes (Siegrist and Cvetkovich, 2000). These arguments lead to the following hypothesis:

H1: Risk appetite is not disclosed by organizations because the risk appetite is not (yet) defined.

2.4.2 Commercial disadvantages

(21)

Master thesis Caroline Breitenstein 21 with disclosing the risk appetite and management can believe that these costs are not worth the value that disclosing creates. It can be that organizations believe that it would only be beneficial to disclose risk appetite that is below a threshold, since the higher risk appetite could bring along a higher cost of capital, and therefore can be associated again with higher cost (Gao, 2008). This leads to the following hypothesis:

H2: Risk appetite is not disclosed by organizations due to commercial reasons.

2.4.3 Fear of potential claims

The third plausible explanation for the lack of disclosure of risk appetite is concerned with the forward-looking aspect that risk appetite brings along (Linsley et al., 2006). This type of information will be beneficial for the stakeholders since they can make more appropriate decisions. However, directors can be reluctant to provide this information since forward-looking information remain unreliable and directors could fear potential claims from stakeholders who have acted upon this provided information (Linsley et al., 2006). Organizations could be afraid to disclose a risk appetite they cannot or will not stick to (Hutton, 2004). Thus, organizations can fear that they will be held accountable for the provided information and are not willing to provide a benchmark for the stakeholders. The possibility for litigation in connection with the risk appetite disclosure withholds them from disclosing (Deumes, 2008). This leads to the following hypothesis:

H3: Risk appetite is not disclosed by organizations due to the fear for potential claims by stakeholders.

2.4.4 Lack of (legal) requirement

(22)

Master thesis Caroline Breitenstein 22 Counet, 2009). When risk appetite disclosure is voluntary, and organizations do not believe that it would be beneficial to disclose their risk appetite, organizations could have little incentive to disclose sufficient and useful information (Law, 2010). If organizations do not believe in the added value of disclosing risk appetite, it will be seen as a time consuming process that is associated with more costs than benefits. Organizations need to be aware of the added value of risk appetite disclosure before they will commit themselves. Especially firms that are performing financially well are more likely to withhold from disclosing risk information due to a lack of incentive. Research has shown that organizations that are in financial distress are more likely to start disclosing risk information (Holder-Webb and Cohen, 2007). When an organization faces distress, investors estimate future cash flows as more uncertain, which is likely to increase the cost of capital (Whitaker, 1999). However, as long as there is no regulation on risk appetite disclosure and it has to be done on a voluntarily basis, and there is no distress that forces managers to disclose more on risk, there is a lack of incentive for organization to disclose. This leads to the following hypothesis:

(23)

2.5 Conceptual model

In this section the conceptual model is presented which is a summary of all proposed hypotheses (H1, H2, H3, and H4). Together it provides an overview of the motives not to disclose the risk appetite as discussed in the literature.

Non-disclosure of risk appetite Commercial

disadvantages (H2)

Fear of potential claims (H3) Commercially sensitive information Associated cost Lack of (legal) requirement (H4)

(24)

2.6 Conclusion theory and hypotheses

This section discusses the overview of the relevant concepts to understand and answer the research question. In addition, the relevance of defining and disclosing the risk appetite is explained, and finally, the motives not to disclose the risk appetite as discussed in the literature are presented.

The risk appetite of an organization can be defined as the maximum risk an organization is willing to take while pursuing its strategy. Defining the risk appetite is part of the process to integrate the risk dimension into the corporate strategy. Next to defining the risk appetite, it is beneficial for organizations to disclose their risk appetite publically. This disclosure is beneficial because of the following reasons: it enhances the risk information transparency; organizations meet the demand of stakeholders; disclosing the risk appetite leads to a lower cost of capital; it can improve the risk-based resource allocation; and finally, it could improve an organizations’ risk management.

Despite these benefits that express the relevance of risk appetite disclosure, the majority of non-financial organizations is not disclosing the risk appetite. In the literature, several motives are presented why non-financial organizations are not disclosing their risk appetite. Based on these motives, the following hypotheses are formulated:

 Risk appetite is not disclosed by organizations because the risk appetite is not (yet)

defined;

 Risk appetite is not disclosed by organizations due to commercial reasons;

 Risk appetite is not disclosed by organizations due to the fear for potential claims by

stakeholders;

 Risk appetite is not disclosed by organizations due to a lack of (legal) requirements to

(25)

3. METHODOLOGY

The following section will discuss and justify the research methodology of this study. This includes a discussion of the research method, the selection of the sample, the data collection process, and the validity of the research methodology.

3.1 Research strategy

(26)

Master thesis Caroline Breitenstein 26 flexible method that allows for examination of the answers of respondents in order to understand the underlying motives and perceptions (Emans, 2004). In addition, in-depth interviews are suitable for studies that are explorative and are aimed at theory building. As this study wants to propose a theory why risk appetite is not disclosed, the in-depth interviews are suitable. It is also important to understand the disadvantages of in-depth interviews. First, due to the time-intensive nature of this type of research the sample size will be limited, and therefore the results should be interpreted with care. In addition, in-depth interviews (as are surveys) are representing an individual point of view, and this could be different from the business view (Cooper and Schindler, 2006; Yin, 2009). A final note should be made to the fact that interviews can be biased by social desirable answers (Treviño & Weaver, 2003).

This qualitative research will consist out of 10 interviews with experts on risk management and risk information that meet the preconditions that are formulated in the ‘sample section’ in section 3.2 of this chapter. In addition, 1 interview will be conducted with an organization looking after the interest of investors. The results of these interviews are a qualitative matter of validating the conceptual model and will be used to answer the main research question, thus, providing answers to what the obstacles for risk appetite disclosure are.

The second research method will be the survey research. With the results gathered from the in-depth interviews a survey will be constructed in order to empirically test the (adjusted) conceptual model. The survey will be done in the form of an online questionnaire and will be sent to multiple organizations.

(27)

Master thesis Caroline Breitenstein 27 and validity by making use of the collection of data by more than one method: in-depth interviews and surveys. This is due to the fact that the weaknesses and intrinsic biases that come from a single method can be reduced or overcome.

3.2 Sample

The sample that is needed for this study is derived from a population of experts on risk active at multinationals that are headquartered in the Netherlands. In order to specify which organizations have risk experts that would be knowledgeable about risk appetite, the following sections will elaborate on more detailed selection criteria used. This will create a good scope of the population and to increase the validity and reliability of the sample. The criteria for the in-depth interview sample and the survey sample differ, and will be discussed in this section.

3.2.1 In-depth interview sample

(28)

Master thesis Caroline Breitenstein 28 consultancy, as this will provide a better overview and insight of the non-disclosure reasons of organizations. Finally, there will be an investor included in the in-depth interview sample to complete the understanding of non-disclosure of risk appetite, and confirm the belief that this group wants risk appetite disclosure.

To summarize, the sample criteria are:

(1) MNEs that are headquartered in Netherlands; (2) MNEs that have over 250 employees;

(3) MNEs that are operating in the non-financial sector;

(4) Interviewees must be the risk expert within the organization (such as the chief risk officer), and

(5) Consultants with enterprise risk management experience;

(6) (Representatives of ) investors in non-financial, Dutch headquartered MNEs.

The set sample criteria are hard and will be strictly maintained during the execution of the empirical study in order to guarantee and increase the validity and reliability, which will be discussed extensively in section 3.5. The sample was composed by investigating the websites of several Dutch MNEs and their annual reports. Table 1 will provide an overview of the selected sample.

Table 1: Overview in-depth interview sample

Company Code

Number of

employees1 Sector Function interviewee

X1 27.000 _{Food & Drink} _{Risk & Compliance Manager}

X2 57.000 Industrial Goods _{Director Risk Management}

X3 13.000 _{Industrial Goods} _{Risk & Compliance Officer}

X4 218.000 _Retail Director Risk & Control

X5 7.000 Energy, Oil & Gas _{Corporate Control Employee}

X6 4.000 Transport Global Director Control &

Business Analysis

(29)

X8 2.000 Professional Services _{Chief Compliance & Legal Affairs}

X9 19.000 Food & Drink Director Enterprise Risk

Management

X10 8.000 Technology Senior Director Corporate Risk &

Assurance

X11 45.000

(members)

Interest group investors Lawyer

1_{Approximate number}

3.2.2 Survey research sample

The survey sample contains the same criteria as the criteria set for the in-depth interview sample, however, criteria 5 will be somewhat milder. Employees who are informed on risk management within the company, such as internal auditors, yet not working at the highest level, would be adequate for the survey sample. This is because it would be harder to uphold this criterion for a larger sample. It is harder to uphold the hard criteria in a survey sample due to the time constraints that impose when investigating all criteria for a large sample. Therefore, there are controls questions included that guarantee the sample criteria and the sample quality. The survey sample was selected in the following ways. First, there is made use of the Ernst & Young client base to send email invitations to clients that meet the posed criteria. The second method to select MNEs for the sample was to approach risk experts through different databases of participants of postgraduate courses that are risk related. Participants received an invitation letter to fill in the online questionnaire. Finally, the invitation letter requested to forward the email to colleagues working in the field of risk.

In total the sample size was 47. The survey was filled out by 40 risk experts, 4 consultants, and 3 respondents that represent investors. The response rate cannot be determined for this study, because it is unknown how many risk experts were contacted through the different approach methods.

3.3 Data collection

(30)

Master thesis Caroline Breitenstein 30 3.3.1 In-depth interview data collection

This data is collected with the use of in-depth interviews conducted at large organizations with the current expert on risk (management/information). The MNEs are selected based on the established sample criteria. The variation in the sample will be in the industries where the organizations are active in: this is since this study aims to establish a theory applicable to all large organizations. Naturally, there are other variations in the sample, however, these are minor. The selection of organizations is done by looking at the Forbes 2000 list and selecting several organizations that are compatible with the sample criteria.

(31)

Master thesis Caroline Breitenstein 31 3.3.2 Survey research data collection

The survey data will be collected by sending an online questionnaire to (risk) managers of MNEs that meet with the sample selection criteria. The layout of the survey and the question posed are all kept as simple as possible in order to make the survey easy accessible for the managers from the MNEs. This is done since an easy accessible survey will take up less of the time of the managers that will increase the chances of participation of the managers.

The questions in the survey are based on the results obtained from the in-depth interviews (which questions were in turn based on the conceptual model). There are two types of surveys, cross-sectional and longitudinal. Cross-cross-sectional surveys are gathering observations on a population at a set point in time, whereas longitudinal surveys gather data over a period of time (Babbie, 1990). This survey will be a cross-sectional survey, as it will look at one point in time. The survey will be a self-administered survey, as respondents need to complete it by themselves when they receive the survey online. A considerably advantage of this type of survey is the potential anonymity of the respondent when desired, which in turn can lead to more truthful or valid responses, since socially desirable answer are not needed. In addition, the survey can be filled out whenever the respondent finds it convenient. Moreover, there is no interviewer error or bias. Finally, a large group can be reached in this way at low cost (Jenkins and Dillman, 1997). A pilot survey was used in order to improve the quality of the survey. In Appendix V the design of the questionnaire of the survey can be found.

3.4 Data analysis

This section discusses which method of analysis will be used to examine the results obtained from the qualitative and quantitative results.

3.4.1 Data analysis in-depth interviews

(32)

Master thesis Caroline Breitenstein 32 analysis (MacLean, 2004). With this method is can be assumed all relevant motivations for (non-) disclosure mentioned by the interviewees are taken into consideration in the research.

The transcribed interviews were analyzed with the use of the qualitative data matrix of Bijlsma-Frankema and Droogleever Fortuijn (1997), a scheme in which the collected information from each source (respondents, observations) is presented in an organized and concise overview to capture the essence. The data matrix considers the issues addressed in the interviews. The frequency with which answers were given will be checked and further analysis will code and group the outcomes in particular motivations to non-disclose the risk appetite. This method is known as pattern matching, which is a specific qualitative analysis technique that compares the empirical data with the theoretical framework.

This study uses the expected outcome technique, which means that the propositions are backed up by the data and that alternative patterns are absent (Yin, 1984). The internal reliability is enhanced in this way.

3.4.2 Data analysis survey

Although the qualitative data analysis is the ideally suited method to explore new fields, the quantitative research method is needed to test the proposed and adjusted hypothesis presented in the adjusted conceptual model. The quantitative survey data is collected through an online survey and transferred into the statistical calculation software SPSS v17. The survey is designed in such a way that there was no possibility for the respondents to non-answer the majority of the proposed questions, most questions are required, namely 17 out of the 23 questions were required. Only survey questions that ask for additional motives not mentioned in the survey are not required.

(33)

Master thesis Caroline Breitenstein 33 Thus, it provides the possibility to examine data and to obtain indicative results on variables such as the (non-) disclosure motives. One tool to test hypotheses and refining measures is the use of factor analysis (Tryfos, 1998; Conway and Huffcut, 2003). Factor analysis is a method used to reduce the number of variables when a data set contains a large set of variables. The factor analysis groups the variables that have similar characteristics together. These reduced factors can be used for further explaining.

The factor analyses will be based on three statistical tests. First, there need to be tested if the underlying assumptions of a factor analyses apply to the data set. The KMO & Bartlett’s test will be used to assure this. The significance level for the factor analysis should be at least α = 0,05 or 5%, thus, if the KMO & Bartlett’s test gives a significance of α ≤ 0,05 it is possible to do factor analyses. Second, communalities should be checked. Communalities indicate the amount of variance in each variable that is accounted for. In this type of research the variance that is accounted for by each variable should be 60%, values underneath this 60% do not fit well with the factor solution and should be dropped. Finally, there is looked whether separate survey questions measure the same concept. This will be done using Cronbach’s alpha, which is a measure of internal consistency, in other words, it looks how closely related a set of items are as a group (Sijtsma, 2009). Cronbach’s alpha should be 70% or higher to be considered acceptable. The results of these tests are presented in appendix X.

(34)

Master thesis Caroline Breitenstein 34 strongly disagree, indicate whether a statement is validated. To guarantee which statements are actual motives, the binomial test uses the median as a measurement scale. Each statement is tested making use of the same binomial test. In this test a motive that scores < 3 exists. Therefore, there can be said that:

H0 : ŋ ≥ 3 and Ha: ŋ< 3.

Finally, additional tests are performed to understand if the maturity level of the risk management practices in the organization and the level of communications have a significant relationship with the defining and disclosure of the risk appetite. The test used is the chi-squared test, which tests how likely an observed distribution is due to chance. Thus, the chi-square tests the null hypothesis that the variables are independent of each other. This test compares the observed data to a model that distributes the data according to the expectation that the variables are independent. Wherever the observed data does not fit the model, there becomes a greater likelihood that the proposed variables are dependent on each other, which indicates that the null hypothesis can be rejected.

3.5 Validity and reliability

In order to be able to assure the quality of this study, several aspects have been taken into consideration to guarantee the validity and the reliability (Yin, 2009).

First, the techniques used to guarantee the construct validity are discussed. With construct validity is meant the identification of the correct operational measures for the concepts being studied (Yin, 2009). Multiple sources of evidence are used. Prior to the interview there will be looked at documentation, such as the annual report, of the organization of the interviewee. The in-depth interview focuses directly on the case study topic taking three different stakeholders (risk management experts, risk consultant, and investors) into consideration. Another technique to guaranty the construct validity is the use of the pilot interview. The interview will be discussed extensively with the supervisors of this interview within Ernst & Young and the University of Groningen.

(35)

Master thesis Caroline Breitenstein 35 phenomenon extensively without ignoring any options or defining overlap (Yin, 2009). In order to strengthen the internal validity, one of the most desirable techniques to use is a pattern-matching logic (Campell, 1975). This means that the predicted set of causes, which are based on the theoretical framework and are summarized in the conceptual model, will be compared with the findings of the interviews (Trochim, 1989). When these predicted and found patterns coincide, it will help to strengthen the internal validity of the study. Moreover, explanation building is used to analyze the case study findings and build an explanation. The initial statements were transformed based on these findings for the survey. This also strengthens the internal validity.

Next, the techniques to guarantee the external validity are discussed. The external validity is the degree to which the findings of the study can be generalized beyond the case study itself (Yin, 2009). The degree to which the findings represent the entire population, including those that were not questioned, depends on the quality of the findings. In order to increase the quality of the findings, there is looked at multiple cases. A multiple-case study is used to guarantee the quality of the findings. In addition, as is discussed prior, there is a strict sample criterion where key respondents are identified to accurately reflect the diversity of the population. This study is generalizable to non-financial organizations that are headquartered in the Netherlands, as this is the this study focuses on this particular group.

(36)

3.6 Summary methodology

This section briefly summarized the research methodology. This study makes use of both qualitative and quantitative research methods. The chosen methods are:

 Case study: In-depth interviews. A sample of 10 risk experts is created that had to meet a

strict criterion, which is explained in section 3.2.1. In addition one in-depth interview was conducted with a party that is looking after the interests of investors. There is made use of a structured interview. All interviews were tape-recorded and transcribed semi-verbatim. The data obtained in the in-depth interviews is systematically analyzed making use of the qualitative data matrix of Bijlsma-Frankema and Droogleever Fortuijn (1997). This study uses the expected outcome technique.

 Online-survey research. A sample of 47 risk experts, risk management consultants, and

(37)

4. INTERVIEW RESULTS

This section presents the result from the survey. In total eleven risk experts were interviewed in order to receive an overview of the motivations from the organizational perspective. Two risk experts were interviewed from firm X2, their answers are combined to one set of answers as they were talking from the same company perspective and were present in the same interview. In addition, one interview is conducted with a representative of a stakeholder’s party. The interview results cover both the motivations organizations have to (non-) define the risk appetite and the motivations organizations have to (non-) disclose the risk appetite. From the eleven risk experts active at ten non-financial organizations headquartered in the Netherlands 7 indicated that they disclosed their risk appetite, and 3 did not disclose their risk appetite.

4.1 Interview results: Risk appetite not defined

All interviewees indicated that they see value in defining the risk appetite. Opinions varied from useful to define the risk appetite to essential to define the risk appetite. All interviewees also indicated that they defined their risk appetite, however, the maturity of defining the risk appetite differed. For some organizations the risk appetite is at this point only discussed, and not yet defined on paper, where others indicated that the risk appetite is completely integrated into the organization. Although all interviewees indicated that their organization defined the risk appetite, there is discussed what the motives of organizations could be not to define the risk appetite.

As was stated in chapter two, literature indicated four main motives not to define the risk appetite:

 Not defining the risk appetite because the priority is not high enough;

 Not defining because the process is too complex;

 Not defining because of a lack of commitment to the process;

 Not defining due to ‘human behavior’.

In the interview there was first asked for motives not to disclose the risk appetite in general. In addition, the motives from literature were discussed in prompt questions.

(38)

Master thesis Caroline Breitenstein 38 Three out of the ten risk experts indicated that there was given a low to average priority in their organization to defining the risk appetite, the other seven risk experts indicated that the priority given to defining the risk appetite is high to very high in their organization. However, none of the interviewees believed the level of priority to be a motive not to define the risk appetite.

Not defining because the process is too complex

On the other hand, the reason that defining the risk appetite is not properly done, could be due to the fact that the organizations find the process to complex. Eight out of the ten risk experts perceived the risk defining process to be very complex and believe this would be an important motive for organizations not to define their risk appetite. The following quotes of the risk experts of respectively company X1, X7 and X8 illustrate this:

‘Defining the risk appetite is very complex and extensive, therefore, it becomes easily incomplete, and in addition there are many problems that could occur. This all makes the process very

difficult, which could make it an obstacle for firms to define.’

‘Defining the risk appetite is difficult to do because the world is changing so rapidly.’

‘One motive to not define the risk appetite is because it is very difficult, especially to define the risk appetite for all categories in a similar matter. You are then inclined to define the risk

appetite too generic, finding a balance here is therefore very difficult.’

Not defining because of the lack of a leading practice

The complexity of the process of defining the risk appetite is seen as one of the most important motives not to define the risk appetite. As the previous quotes also indicated, the process is especially difficult because the (business) world is so divers and so fast-moving. In addition, the risk experts indicated that the lack of a leading practice is making the process even more difficult and harder to grasp. The risk expert of company X10 said:

‘It would be good to see what a good practice would be. Maybe examples of organizations that successfully defined their risk appetite could be combined. Because I believe many organizations

(39)

Master thesis Caroline Breitenstein 39 Not defining because it costs too much time

In addition, due to the complexity, defining the risk appetite costs too much time (without delivering enough added value to compensate for this ‘lost’ time). The risk expert of company X8 explained:

‘It is a very complex and time consuming process, and I believe that defining the risk appetite explicitly could cost a lot of extra time which sometimes does not provide the intended added

value. When it would become a quicker process, it would be more valuable.’

Not defining because of the lack of commitment to the process

Next, the risk experts did not believe that the risk appetite is not defined due to the lack of commitment. However, there is the believe that the risk appetite is not defined due to the maturity of the process. Instead of not being committed, several risk experts indicated that defining the risk appetite explicitly is one of the final steps in setting up risk management, and not in all organizations this step is reached. As the risk expert of company X6 mentioned:

‘A motive for not defining the risk appetite could be the extent to which they are in the Enterprise Risk Management process. I remember that when we started this process at our own organization, the defining of the risk appetite were one of the final steps. You start to think about

your risks, about integrating risk management, assuring that reports are made, and afterwards you start to think about your risk appetite.’

Not defining due to ‘human behavior’

The motive not to define the risk appetite due to ‘human behavior’, the fear that defining the risk appetite would lead to negativity within the organization, is altered by the experts as the fear that defining the risk appetite will lead to more bureaucracy. Instead of creating ‘negative thought’, it restrains the free thought and entrepreneurial mind-set of your employees because the risk appetite is seen as additional ‘rules’. This is illustrated in the remark of the risk expert of company X5:

(40)

Master thesis Caroline Breitenstein 40 Not defining because the process is not pragmatic

This also causes that not everyone sees defining the risk appetite as a pragmatic process, which is seen in the comment of the risk expert of company X8:

‘For me it is the pragmatism. Eventually you can put a lot of effort and time into reaching a risk appetite definition, but if it eventually does not provide enough added value, it would be a motive

to not put any effort and time in it.’

Not defining because of competitive consideration

Finally, a few risk experts indicated that a motive not to define the risk appetite could be due to competitive considerations.

‘I believe organizations do not define it because it is competitive sensitive information. In addition, you have many competitors, and you compete differently with them, this makes it harder

to define the risk appetite, it become to general.’

In summary

In the in-depth interviews the following motives not to define the risk appetite were found:

 Not defining because the process is too complex;

 Not defining because of the lack of a leading practice;

 Not defining because it costs too much time;

 Not defining because the risk management is not mature enough;

 Not defining because it will lead to bureaucracy;

 Not defining because the process is not pragmatic;

(41)

Master thesis Caroline Breitenstein 41 4.1.1 Interview results: Risk appetite defined

In order to completely understand why organizations that do define their risk appetite not disclose it, this study also looked at the motives organizations have to define the risk appetite. Therefore, all interviewees were asked to describe the motives they had, or they can think of in general, to define the risk appetite explicitly.

Defining because it provides direction to the organization

First of all, several of the risk experts pointed out that a clearly and explicitly defined risk appetite provides direction to the organization. It is beneficial for the organization when they are aware of how the organization wants to deal with risk and risk taking. It can provide the possibility to be more in control of your organization and be able to better rein your organization. The risk expert of organization X3 made a comment that represents this benefit of defining the risk appetite:

‘When I define the risk appetite, and put it in black and white, and I keep to it, and I adjust my processes coherent to the risk appetite, then I as a risk manager have a good view how the

organization deals with risk, and on how you run the organization.’

Defining because it creates a desired culture

When the risk appetite is explicitly defined it can also help to create a desired culture. When an organization clearly defines the risk it is willing to take, and which not, the organization can incorporate this as part of its culture. This is explained very well in the comment made by the risk expert of company X2:

“A defined risk appetite steers the culture of the organization. When you define the risk appetite appropriately, everyone know what is expected of them, because thousands decisions are taken

each day through the organization, and one decision means that there is a choice, a possible dilemma. And with the risk appetite you create a culture that makes such decisions easier. For example, you can purchase something very cheap, but when this is made with child labor, it can

(42)

Master thesis Caroline Breitenstein 42 Defining because it leads to efficiency

Partly as a consequence that the risk appetite is incorporated in the corporate culture, and partly because of the direction it provides to the organization, a clearly defined risk appetite can also enhance the efficiency within the organization. When the risk appetite is explicitly defined, and known within the organization, people are better prepared to make the correct decisions and less discussion is required. When, for example, there is decided to move production to a specific country, it is immediately known if a specific country creates risks that fall outside of the risk appetite. It could be that the country would be cheap to set up a production plant, however, the country is not within the risk appetite due to political reasons. When the risk appetite is known, such a decision can be made instantly, instead of discussing such a matter extensively. In addition, when decisions are made bearing the defined risk appetite in mind, the board can react quicker. As the risk experts of company X10 said:

“ When the risk appetite is defined, and you have defined which risks you believe to be acceptable and which risks you believe to be unacceptable, and you know which risk you as a

company want to take as risk and which risks your stakeholders want to take, you can make better decisions which are more efficient and more effective.

Another comment made by company X3 also illustrates this point:

“You are better able of restraining matters and you are more effective in customizing your risk taking behavior. Having a risk appetite creates constant learning for the organization, and thus

constant improvements, which enhances efficiency.”

Another comment made by the risk expert of company X7 shows that defining the risk appetite can create more efficiency:

“It provides clarity for the risk management, and it makes it clear to see what risks you want to have, which provides a more efficient overview for the management and the organization.”

Defining because it provides an organization with risk boundaries

(43)

“Risk appetite is nothing more than your risk boundaries in which you can act.”

Another comment made by the risk expert of company X7 shows that defining the risk appetite creates the risk boundaries:

“It provides clarity for the risk management, and it makes it clear to see what risks you want to have, and which risks fall outside of the risk boundaries, which provides a more efficient

overview for the management and the organization.”

In summary

In the in-depth interviews the following motives to define the risk appetite were found:

 Defining because it provides direction to the organization;

 Defining because it creates a desired culture;

 Defining because it leads to efficiency;