Dynamics of Organizational Risk Appetite

Dynamics of Organizational Risk Appetite

By Stefan ter Bekke S2376083

S.W.H.ter.Bekke@student.rug.nl

University of Groningen

Master of Science, Business Administration

Specialization: Organizational and Management Control (O&MC)

First supervisor: Prof. Dr. D.M. Swagerman Second supervisor: TBA

Abstract

This study discusses the risk appetite of several organizations, extending the literature by giving an overview of determinants of risk appetite and the way this changes over time. Since the last decades, risk management within organizations turned from a rather unknown area into a widely discussed subject. Despite all the risk management models and attention paid to the implementation of risk management, there still are many (major) flaws during the process of managing risks. This is mainly because organizational risk appetite is far from understood, although this appetite is crucial for managing risks. For determining the amount of risk an organization is willing to take, several factors, so-called determinants of risk appetite, are important. There is very little known about these determinants. Furthermore, the way these determinants change over time as a result of what events or developments, and thus in which way the risk appetite changes, is rather unknown. This explorative study provides a cautious overview of how risk appetite is set within organization, what possible determinants of organizational risk appetite are, and in which way these determinants change over time. By conducting 23 interviews with key organizations and experts in the field of risk management, the contours of organizational risk appetite and the way it is applied in organizations are sketched. In addition, general recommendations are done regarding implementing risk appetite. Further research can focus on the composition of the Board of Directors. Even though this group of people sets the risk appetite for the organization eventually, little attention is paid to the people that are part of this Board. Finally, large-scale testing of determinants is and their relatively importance are aims for the future.

Table of content

Introduction ... 4

1 Literature Review ... 8

2 Methodology ... 20

2.1 Study sample ... 20

2.2 Data collection and analysis ... 21

2.3 Data validity ... 25

3 Results ... 26

3.1 Setting the risk appetite ... 26

3.2 Determinants of risk appetite ... 35

3.3 Change of risk appetite ... 40

4 Discussion ... 45

4.1 Setting the risk appetite ... 45

4.2 Determinants of risk appetite ... 49

4.3 Change of risk appetite ... 52

4.4 Annual reports ... 55

4.5 General recommendation regarding risk management ... 58

5 Conclusion ... 62

6 Limitations and further research ... 64

6.1 Limitations of this research ... 64

6.2 Further research ... 66

References ... 68

Appendix 1: Overview of organizations ... 75

Appendix 2: Overview of determinants of risk appetite ... 76

Appendix 3: Overview of events by which organizational risk appetite changes and how ... 77

Introduction

Since the last decades, risk management within organizations turned from a rather unknown area into a widely discussed subject. Although there are substantial differences in risk attitudes, almost every relatively large organization has at least some risk management activities. Mainly because of the economic crisis of 2008, there is a significant increase of attention being paid to risk management. According to Sabato (2010), “the real estate market bubble and the subprime mortgages have been often identified as the causes of this crisis.” (p. 1) However, in this study it is stated that “this is not entirely true or, at least, these subjects cannot be considered as the main cause. A poor regulatory framework based on the belief that banks could be trusted to regulate themselves is among the main sources of the crisis. At the same time, risk management at most banking institutions has failed to enforce the basic rules for a safe business: i.e. avoid strong concentrations and minimize volatility of returns.” Concluding: because of societal fundamental institutions such as banks with failing control systems (including risk management) a crisis like the current one could take place. If this is not to be improved, there is no reason to believe there will not be a crisis like the current one again. According to Leenaars (2003), risk management is very important, especially in the case of banks as they are, besides being fundamental for capital markets, risk transformation machines. The author stated that, in case of escalation of these transformation processes, there will be an inevitable meltdown. Apparently, there is a difference in importance of risk management across industries. This difference is a result of having differences in type and size of powers.

Regarding improvement of the system of organizations for making it safer, Rasmussen (1997) stated “in spite of all efforts to design safer systems, we still witness severe, large-scale accidents. A basic question is: do we actually have adequate models of accident causation in the present dynamic society?” (p. 183). For being able to approach risks in a structured way, the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management, abbreviated COSO ERM1, framework has been developed. At the moment, many organizations are using this framework as appeared from the interviews that will be discussed during the results and discussion of this study. However, this does not mean that there is any kind of certainty about handling risks, as Lavoie (2011) stated that risk management is not an exact and objective science. It is about perception, which means it will differ among people.

However, despite the model that is used, employees have to execute the risk management guidelines. As most organizations are a collective a people, a mixture of ideas and attitudes have to be combined into one general vision concerning how to deal with the different risks an organization is facing or will face. When it comes to people, Kaplan and Mikes (2012) stated that people overestimate their ability to influence events that, in fact, are heavily determined by chance. It is stated that “we tend to be overconfident about the accuracy of our forecasts and risk assessments and being far too narrow in our assessment of the range of outcomes that might occur. We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain variable future” (p. 51). Furthermore, it is stated that, “despite the several personal and organizational biases, effective risk management processes should counteract these biases. This risk mitigation is painful, as it is not a natural act for humans to perform” (p. 52). Kaplan and Mikes (2012) implicitly conclude that for managing risks, leaders have an important role, as they have to implement the behavior of ‘be-aware’ next to the ‘can-do’ mentality that is needed for executing the corporate’s strategy. In order to create the right culture, De Pooter (2013) stated that for example asking key questions, clarifying responsibilities and rules, using suitable reward systems, recognizing the limitations of risk assessments, putting business managers in the driver’s seat and demanding integrated management information should lead to an appropriate risk management culture, by which the organization is able to react on changing environments.

The managerial contribution of this study is to gain an understanding of the determinants of risk appetite and possible differences between different industries. When having an understanding of the determinants of risk appetite, an organization is able to change its own risk appetite, which can be increased or decreased. In any case, knowing the determinants, an organization is far more aware of its risk position and is able to act more appropriate and responsible. In case of incidents related to risk management (for example: trading in stocks, which directly linked risk-taking), the organization is able to evaluate its current situation and has the possibility to do something about it. Furthermore, the risk appetite of a specific organization might comprise several determinants that are unknown to many people in the organization. By having a view on these rather unknown determinants, measures can be taken to control these determinants.

Finally, supervisors (e.g. De Nederlandsche Bank) are able to interfere in case of risk-taking that is inappropriate. As mentioned, by having the determinants more or less clear, they know what to do for changing the situation into a safer one. Considering the above, the main purpose of this study is to increase awareness with respect to organizational risk appetite: knowing more about the way risk appetite is shaped and what its determinants are is an important step for organizations and supervisors toward influencing the risk appetite. Risk appetite at Board of Directors level is chosen, as the general risk appetite is affected by local (department level) developments or actions. To be more specific: cases of fraud, mistakes and specific market developments affect the local department directly, but the organization as a total is suffering among with this department, as a result of reputational damage or sanctions.

accounting firms, and governmental pressure towards municipalities. Thus, it is expected that more attention is being paid towards risk management if the external pressure becomes higher. This expectation implies that risk management is more extrinsic motivated, for maintaining the organization´s image or keeping pace with new fashions, something that risk management can considered to be, as most companies with less societal importance will leave the area of risk management when the economy is becoming better over time.

As mentioned, it is unclear what the determinants of organizational risk appetite are. Furthermore, it is not clear how risk appetite changes over time as a result of what reasons. Determinants of risk appetite can be internal and/or external driven and can change over time. For determining these determinants and the events or developments that trigger risk appetite change within organizations, the research question is:

“In which way does organizational risk appetite change?”

1 Literature Review

This literature review will discuss relevant existing literature regarding risk (Zou et al., 2010; Williams et al., 2008), risk management (De Bakker et al., 2011; Sabato, 2010; Zou et al., 2010; Monetti et al, 2006; Stulz, 1996), risk appetite (Belghitar and Clark, 2012; Baker, 2011; Gierlach et al., 2010; Williams et al., 2008; Sitkin and Weingart, 1995) and risk perception (Wachinger et al., 2013; Webe and Hsee,1998). Extra attention will be paid to Taleb (2007, 2011 and 2012) for having both a philosophical and practical approach towards risk management and the way people deal with risks. His ideas are becoming increasingly influential, which will be discussed further during this section. Furthermore, cultural differences (Wachinger et al., 2013; Gierlach et al., 2010; Desai, 2008; Webe and Hsee, 1998), the effect of gender (Hardies et al., 2013; Nekby et al., 2008; He et al., 2008, Iqbal et al., 2006; Bajtelsmit, et al., 1999), Powell and Ansic, 1997) and age (Serfling, 2014; Weller et al, 2011; Jianakoplos and Bernasek, 2006; Ashman et al., 2003; Wang and Hanna, 1997; Vroom and Pahl, 1971) on risk appetite will be discussed, ending with the effect of time pressure on risk appetite (Kocher and Sutter, 2006; Kerstholt, 1994; Ben Zur and Breznitz, 1981). By giving an overview of relevant literature up to now, there is a starting position by which results of this study can be interpreted and existing literature can be extended by new insights and nuances can be applied. Eventually, the purpose of this study is to extend the existing literature by identifying determinants of risk appetite and its dynamics.

Risk

With respect to risk management processes, Monetti et al. (2006) stated that these processes typically include risk identification, risk analysis, risk response and risk communication, monitoring, review, and learning. Risk management is fundamental to accomplish business or project objectives, and is not only trying to keep away bad results but also acting as a guide to maximize positive results.

Sabato (2010) stated about ERM that “it is a rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. A well implemented ERM approach should be able to provide a comprehensive and coherent view of the risks that an institution is facing allowing senior management to focus on the full picture and not on the single ‘silo’” (p. 11). Furthermore, it is stated that “a good ERM framework should be able to summarize all risks into one number. In case of the banks, this can be the optimal level of available capital” (p. 13). Zou et al. (2010) have given five reasons for organizations to develop and implement risk management systems (p. 854). Furthermore, Zou et al. (2010) developed a model (RM3) for testing five different aspects of an organization’s risk capabilities (p. 855), based on four maturity levels (p. 856) Additionally, a more general study by Stulz (1996) researched the value of risk management as a total. It is stated that, when considering leverage, the lower the leverage (and thus the lower the risk) the less valuable risk minimization is (p. 21).

management is a continuous attempt to control the situation, but it is also stated that professional conceptions and common sense perspectives on the practices disappeared. In a world that is increasingly risk-oriented, this is an interesting given that places the need for risk management into perspective. It is important, but not all risks can be controlled.

Risk Appetite

As mentioned in the introduction of this study, there is something behind the risk models that is crucial for the real risk management practice. With respect to the way organizations see and deal with risks, Baker (2011) stated that “the concept of risk appetite, along with ERM, has grown in significance since the 1990s; yet understanding of risk appetite and its implications is weak. Despite the widespread use of risk appetite, and it being considered important to ERM success, one of the risk management failures of the financial crisis were poorly implemented risk appetite frameworks. Institutions took more risk than they had intended, and they exposed themselves, whether deliberately or inadvertently, to more risk than they had the capacity to bear.” (p. 1). Furthermore, Baker (2011) stated that there are some common measures identified by recent research by which appetite is expressed. Baker (2011) named profit/loss, credit rating, economic capital, value-based (e.g. share price volatility). However, techniques to date for risk appetite do not distinguish between the boards’ role and management’s.

Figure 1: Proposed determinants of risk intention (Williams et al., 2008, p. 61)

Williams et al. (2008) have concluded that managers perceive more risk when they assessed higher amounts of outcome uncertainty, greater potential losses, more personal consequences, negatively framed situations, and when risk willingness decreased. Risk willingness, however, did not influence managerial risk intentions. Although this model is looking at several characteristics and is focusing on managerial level, there is no general organizational view, taking several stakeholders into account. The risk appetite (comparable to the ‘risk intention’ of the model of Williams et al., 2008) at organizational level, therefore, is still unaddressed.

Risk management and Taleb

Taleb (2007) discussed the impact of the highly improbable. The Black Swan stands for events that are unlikely to happen, that are very difficult to expect by people, and that will have a very high impact. At the same time, these events can be explained afterwards by the same people. Extreme things, so a very low possibility and a very high impact, are the things that matter during history. These risks are also called ‘tail risks’ by Taleb. These risks becoming reality shape history and it is exactly this extremity that cannot be understood by most people. Regarding risk management, this means that employees are having difficulties with handling uncertainty, especially when it is difficult to imagine because of intangibility.

Taleb (2011) at the difference between skills and luck, something that is difficult to distinguish sometimes. What is more difficult, is to understand that for example a trader that earns a fortune on stock markets, might have had an enormous amount of luck instead of a useful set of skills. Another example is the turkey that is getting food every day. Each day, the turkey thinks it is getting wealthier and better, although it is not realizing it is to be consumed when it is fat enough. Its pattern thinking of eating and sleeping was interrupted. All the time, it was thinking it was doing well, but it was not having a clue of what it was doing or what the purpose of his existence was. Eventually, it was thinking it were his skills, while it was just luck that it was still alive, as it was not fat enough. Considering this example, it can be argued that organizations should be self-critical and risk-aware, if they want to survive.

Taleb (2012) suggested that banks are so big and fundamental to society that they are in no risk of going bankrupt and therefore are behaving reckless. By letting people, or in this case large banks, both feel the upside and downside of life, people, organizations, and systems will be far more aware of their way of acting and will behave more balanced. In case of risk management: someone that is responsible for both performance and managing the risks will do his best to balance performance and risk-taking. With respect to the financial services industry, Taleb (2012) stated that the system of banks will improve when banks are facing the risk of going bankrupt. This way they will the system of banks will be more risk aware and are taken the downside of risk-taking into account, instead of only looking at the higher yields.

especially banks going bankrupt is the best thing that can happen for the system of organizations and banks, since the system will improve. Finally, if an organization does not want to face the negative consequences of an activity and it is somehow possible to not perform the activity, the organization should just do not do it. Reflecting on these ideas, it can be stated that large banks nowadays are too big, but that makes it very difficult to apply the thoughts of Taleb (2012). Letting banks go bankrupt would work when there are many smaller banks, so the culture is more entrepreneurial: both the upside and the downside. Today, it is much more difficult to let banks go bankrupt, because of the enormous amounts of money that will be gone.

Cross-cultural differences

Gierlach et al. (2010) researched cross-cultural differences in risk perceptions. Gierlach et al. (2010) focused on mental health workers. The main conclusion is that Japanese participants were having the highest risk perception. Argentineans were having lower risk perception, but equal to the U.S. group. These results are considered to be unexpected, but explained as Japan being active in an unstable environment. This research is relevant for risk management as, apparently, Japanese people (and thus their organizations) have higher risk perception than other parts in the world. This is expected as Japanese participants are more exposed to natural disasters, such as tsunamis. Webe and Hsee (1998) conducted a similar research: citizens of America, Germany, Poland and China within the area of risk-taking were compared. The main result was that risk perceiving differs a lot between countries, but the risk attitude is more or less the same across countries. This means that the countries, if they would have perceived the same risk, would have reacted in the same way towards the risk.

Copying this to organizations, there should be an embedded risk management model, such as ERM, and constantly creating risk awareness and enhancing responsibility. This way, there will be balanced risk management behavior. Desai (2008) stated that performance shortfalls might impact risk-taking. The specific nature of this influence, however, depends on how the shortfalls are interpreted. Specifically, poor performance might be viewed as repairable among experienced firms, as it leads to increased risk-taking when risk-taking is measured as operating asset growth. Poor performance might be viewed as repairable among legitimate firms, as it leads to increased risk-taking when risk-taking is instead measured as installed capacity growth.

Besides the differences between cultures regarding risk perception mentioned earlier, there are also differences known based on gender and age. First, differences in gender will be discussed. Second, differences in age will be discussed. Finally, the effect of time pressure on risk appetite is to be discussed.

The effect of gender on risk appetite

With respect to gender differences there has been done a lot of research towards risk appetite. Hardies et al. (2013), Nekby et al. (2008), He, et al. (2008), Iqbal et al. (2006), Bajtelsmit et al. (1999), Powell and Ansic (1997) have discussed the relation between gender and risk appetite. Bajtelsmit et al. (1999) compared women and men with respect to pension account allocations. Women tend to be very risk-averse with respect to this allocation decision, and it is likely that women will retire with significantly lower pension wealth than their male counterparts. Hardies et al. (2013) researched gender difference in overconfidence. In their research, Bajtelsmit et al. (1999) refer to current developments within literature concerning the area of gender differences with respect to risk-taking. The main result of recent research (for example, Nekby et al., 2008) is that women were as confident/competitive as men when they were given the opportunity to self-select into start groups.

Iqbal et al. (2006) have done research towards the difference between female and male executives with respect to risk-averseness. The expectation was that females would take less risk than males in their financial decisions. However, women did not appear to be more risk-averse than male executives. Powell and Ansic (1997) stated that men and women have different strategies concerning risk preference, as women tend to have a greater desire for security, while men have a tendency to focus on higher returns. Despite this difference, no significant differences between males and females exist in their ability to perform in financial decision-making. Concluding, the results of comparisons between men and women with respect to risk-willingness and risk-taking are not pointing in one direction. However, women seem to have a tendency for focusing on security and preventing losses, while men are more focusing on potential gains.

The implications of the difference between men and women regarding risk appetite would be that, when determining which people become member of boards that determine the organizational risk appetite, attention can be paid to the composition of these boards. More women or men with the same or different backgrounds might be of difference concerning the specific risk appetite, as these people are determining and setting the guidelines of how to behave within that specific organization within the area of risk-taking.

The effect of age on risk appetite

Serfling (2014) researched the relation between the age of CEOs and the riskiness of corporate policies. The main findings are that older (younger) CEOs reducing (increasing) firm risk through less (more) risky investment policies and that older CEOs invest less in R&D, manage firms with more diversified operations (thus: less risky), make more diversifying acquisitions, and maintain lower operating leverage. Considering the higher risk appetite of younger CEOs, Serfling (2014) also stated that firms want older (younger) CEOs to take fewer (more) risks, which implies that CEO and firm risk preferences are aligned.

Serfling (2014) concluded that risk-taking behavior decreases as CEOs age, lower risk is accomplished through more conservative investment policies, and CEO and firm risk preferences in most cases aligned. This means that the risk preference (risk appetite) of the CEO is the same as in case of the organization and that or organizations look for a younger CEO if they want to take more risk, or the CEO sets the risk appetite to a more risk willing attitude and thus changes the risk preference of the organization. Belghitar and Clark (2012) stated that CEO risk appetite is playing an important role in the determination of the volatility of firms in the financial sector. Furthermore, it is stated that “CEO age has a positive effect on firm volatility, while CEO education, job tenure, and experience on other boards affect it negatively. Finally, CEO wealth is marginally significant, suggesting that an increase in wealth leads to more risk-taking” (p. 197).

Figure 2: Risk value versus age (Vroom and Pahl, 1971, p. 404)

The figure above from Vroom and Pahl (1971) shows that risk-taking decreases when age increases. Between the 50 and 60 years, risk-taking is getting risk-averse. This is the point where the graphic becomes negative. Contrary to the statement that risk appetite decreases when age increases, is the research of Wang and Hanna (1997). Wang and Hanna (1997) concluded that risk tolerance increases with age, considering a case of predicting risky asset proportion of total health by age and retirement status. Finally, Weller et al. (2011) researched the trajectory of risky decision making for potential gains and losses from ages 5 to 85. One of the findings is that risk-taking to avoid losses is an early learned strategy and thus might become relatively reflexive. Furthermore, there is an increased risk aversion in the face of uncertain, potential gains, with little change in risk propensity past young adulthood. Finally, an increase in age was associated with decreased risk-taking to achieve potential gains, rather than an increase in risk-taking to avoid losses.

attention can or should be paid to compositions of these boards. A relatively young or old board is expected to make other decisions based on a difference in risk appetite. By knowing the difference in risk taking as these people are determining and setting the guidelines of how to behave within that area.

The effect of time pressure on risk appetite

The effect of time pressure on risk appetite is not discussed extensively in literature. Although Ben Zur and Breznitz (1981) researched the effect of time pressure on risky choice behavior and Kerstholt (1994) and Kocher and Sutter (2006) have discussed the link between time pressure and decision-making, it is not clear what the effect of time pressure on risk appetite is. Understanding this relation is important for analyzing a risk appetite that is too low or too high. It might be a solution for controlling the risk appetite in case of an outlier. With respect to time pressure, Hofstede’s cultural dimensions2 _{can be used to assess several cultures based on five}

dimensions. One of these dimensions is masculinity, which is inter alia about the level of competition (and therefore also time pressure). The reason for bringing in Hofstede’s dimension masculinity is that, considering the difference in time pressure, the level of time pressure influences the risk appetite.

Ben Zur and Breznitz (1981) discussed the effect of time pressure on risky choice behavior. Their main finding was that “under high time pressure, choices were less risky and there was a tendency for preferring the negative dimensions. Since time pressure is a stressful condition adding to apprehension induced by threat or negative consequences, a less risky choice could be the immediate available solution for lowering such apprehension, contributing to feelings of safety while under stress. (…). When there is sufficient time to consider and evaluate information, cognitive strain as well as feelings of inadequate performance diminish. Under such conditions we found a lower activity rate and preference of the positive dimensions.” (p.101-102). Kerstholt (1994) discussed the effect of time pressure on decision-making in a dynamic task environment. This author agreed with Ben Zur and Breznitz (1981) that an increase of time pressure leads to an increase of information processing in static task environments. What changed going to a dynamic task environment was that under changing conditions, too many risks were taken, resulting in a significant increase in collapses. Finally, Kocher and Sutter (2006) discussed the slogan ‘time is money’ with respect to time pressure, incentives and the quality of decision-making. It is stated that ‘time is money’ suggested that quicker decisions

2

might imply higher profits, but also that quicker decisions might cost money by possibly reducing the quality of decisions. For becoming well balanced with respect behavior under time pressure, it is suggested to use of time-dependent monetary incentives. These can be considered as an appropriate means to speeds up decision-making significantly without a loss in decision-making quality.

Concluding the literature review

2 Methodology

This section describes the research method used during this study. First, the study sample is discussed. Second, the way of data collecting and analyzing is reflected upon. Finally, the validity of data is discussed.

This study extends scientific literature by identifying determinants of risk appetite and its dynamics. Risk appetite, including its determinants and events or developments by which the risk appetite changes, has not been researched at Board-level. Although discussed in literature, no scientific research has been conducted towards this subject. Because of a lack of available scientific theories, new theory was developed to extend the current scientific literature regarding risk appetite. Since there was a lack of research with respect to determinants of risk appetite and the dynamics of risk appetite, there were no propositions available that can be tested by theory testing. The aim of this explorative study is to sketch the contours of the field of risk management and in particular the development of risk appetite. It aims to show impressions regarding risk appetite and the way organizations treat risk management. For developing theory, this study is marked as qualitative research (Blumberg et al., 2005, p. 124). This study delivers a set of determinants (appendix 2) and events or developments by which the risk appetite changes (appendix 3), resulting from interviews with different organizations (appendix 1). Opportunities for further research are discussed in paragraph 6.2.

Several organizations of different industries were interviewed for being able to compare and explain similarities and differences in determinants of risk appetite between companies and to some degree even between industries in general. This was explained as being the second tactic by Eisenhardt (1989, p. 540). The purpose of this study is not to make a hard distinction between industries, but to find remarkable differences and organizational approaches regarding risk management. The 22 organizations that have been interviewed were positioned in different industries (although sometimes within the same industry or industries) with different business activities and target groups. By comparing their determinants of risk appetites, similarities and differences can be discussed.

2.1 Study sample

organizations. There was no hard distinction made regarding the progression of risk management implementation, but only ‘large organizations that are relatively progressing within the area of risk management’ were approached. The interviewees of organizations that have been interviewed were anonymized as it was aimed to provide a comfortable atmosphere where interviewees could speak freely without restrictions. The selected organizations were divided into several categories based on their business activities, for making it easier to compare groups of organizations. The industries include accounting firms (2), banks (4), health insurance (1), educational, administrative support (1) energy, gas & oil (5), municipality (1), consultancy / government (1), technical production and service (6) and communication (1). By having multiple categories, it was possible to compare the categories and point out similarities and differences between the categories. More fundamental, having several types (in this study the term ‘categories’ is used), means different perspectives regarding risk could be obtained.

2.2 Data collection and analysis

From a scientific point of view, the larger the variety of sources that are used, the more reliable the outcomes. This is known as “triangulation”. Triangulation is discussed by Johnson (1997), Eisenhardt (1989) and Mathison (1988). Johnson (1997) defined triangulation as the “cross-checking of information and conclusions through the use of multiple procedures of sources. When the different procedures or sources are in agreement you have ‘corroboration’” (p. 285). Eisenhardt (1989) stated that multiple data collection methods strengthen the grounding of theory by triangulation of evidence. As mentioned by Mathison (1988), triangulation rarely provides a singular view of situations, but it can provide a rich and complex picture of the studied phenomenon.

First, a literature review was used for having a scientific starting point. For this literature review, mainly scientific papers were used. By using Google Scholar and Business Source Premier, the database of the University of Groningen, scientific literature was found by making use of keywords like ‘risk’, ‘risk management’, ‘enterprise risk management’ and ‘risk appetite’.

all interviewees were risk-oriented. This risk orientation is useful regarding the appropriateness of the study sample, as, according to Morse et al. (2002), “the sample must be appropriate, consisting of participants who best represent or have knowledge of the research topic” (p. 18). An expert in the area of risk management suggested various organizations, while other organizations were approached by the author of this study or one of the other three students that are graduating on risk management. Each interview was attended by at least three people: two students, out of a group of four students MSc Business Administration that are graduating on risk management in general with each having his own subtopic. These subtopics included risk appetite, risk appetite linked to strategic planning, risk appetite linked to the organizational culture and finally, risk appetite linked to reputational risk. The four interview questions that are relevant to this study are:

1. How is the risk appetite set within your organization? (Paragraph 3.1) 2. Who sets the risk appetite within your organization? (Paragraph 3.1)

3. Which factors do play a role with respect to decision-making within the area of risk management? (Paragraph 3.2)

4. Which events or situations have changed the organizational risk appetite in what way? (Paragraph 3.3)

As stated by Eisenhardt and Bourgeois (1988) and Eisenhardt (1989), several advantages like dividing roles are obtained by interviewing each interviewee by two students. The interviews used for study are semi-structured, because they give, according to Myers (2009), the opportunity for questions arising based on the answers given by the employees that are interviewed (p. 125). As Eisenhardt and Graebner (2007) stated, interviews are a highly efficient way to gather rich, empirical data” (p. 28). According to Blumberg et al. (2011), semi-structured interviews also have the advantage of being able to give room for clarification of terms used in the questions. The main reason for using for making use of semi-structured interviews is that impressions of the interviewee and the way of thinking can be written down by having an open conversation. This is something that cannot be done by using, for example, questionnaires.

transcripted. The reason for this is that doing these interviews was done by having the non-directive approach (Batten, 1967) in mind. The main aim of the interviews was to get impressions instead of actual facts regarding the way of applying risk management within the selected organizations.

As said, the intention was to record all the interviews, but four interviews could not be recorded as the specific organizations rejected the request. One accounting firm (number 1, appendices), one bank (number 4, appendices) and two technical production and service organizations (numbers 17 and 21, appendices) rejected the request. The rejection with respect to the recording of the interviews for these four companies had to do with privacy concerns. In return, the interviewees were willing to tell more inside information without recording. Each interview, including the impressions during the conversations, was written down in general by both interviewers. The notes of both interviewers were used for this interview. No alignment of content took place, which means two different views instead of only the one of the author was used. This is a good replacement of recording, when recording is not allowed. This way, the interview can be reflected upon as objectively as practically possible. Even though Hopper and Powell (1985) stated “there is no such thing as a totally objective or value free investigation” (p. 429), the aim was to remain close to the gathered data. Therefore, the 19 recorded interviews were listened to repeatedly, while the detailed interview notes of the 4 interviews that could not be recorded were re-read. Eisenhardt and Graebner (2007) stated that this is important as sticking close to the data keeps researchers ‘honest’. As mentioned earlier: because of the subjective nature of this study (aim to sketch the contours of organizational risk appetite and feelings of risk managers regarding this subject), this study is considered to be explorative. No hard conclusions can be drawn eventually, but showing the feelings and impressions gained during the interviews could be start of many in-depth research papers regarding this subject.

The number of days between the first interview and the last interview is sixty-six. Finally, all interviews took place in The Netherlands, although having a great diversity of cities.

Third, annual reports were used for having risks and risk management discussed by the organization as a total. The information and impressions received from these annual reports will be compared to the content of the interviews, for discussed possible differences and general way of reasoning. This will be done during the discussion (paragraph 4.4, based on the highlights of the annual reports, that can be found in appendix 4) Publicly available documentations were chosen as the source, because of their advantage of unobtrusive measurement (Webb et al., 1966). As Bowman (1984) explains, “they are written for purposes and to audiences different from content analysts” (p. 5). Furthermore, Bowman (1984) stated that CEOs are seriously involved in the writing process because “CEOs see annual reports as major communication devices to many constituencies, both internal and external, concerning their and their companies performances” (p. 6). It should be clear that these documents might not give a complete or fair picture of the actual situation within the organization towards the several stakeholders.

Three annual reports of the interviewee’s organization were not available: number 6, 11, and 15 (appendix 1). As mentioned, the difficulty with analyzing annual reports is that information can be read that organizations want to be read and doubtful statements will be avoided. Furthermore, when interviewees would prepare the interview by reading the most recent annual report (and thus the same report the interviewers have read), the content of the interviews and the annual report can be partly the same and therefore it is possible that the impression will emerge that the situation given by the interviewee and the situation given by the annual report are the same and, thus, that this might be the real situation within the organization. However, because some content of the interviews might be based on the annual reports, this is considered to be misleading.

2.3 Data validity

By combining four master theses of four MSc students Business Administration, it was possible to acquire more data by generating interview questions for the other researchers which adds to the richness of the data and increases the external validity (Eisenhardt, 1989; Yin, 1989). Interviews were recorded as much as possible, but this appeared not always possible. Although the impressions gained throughout the interviews that not were recorded were written down individually by the two interviewers and uploaded for group usage without alignment, it is still doubtful regarding internal validity, since it is not an exact representation of what has been said during the interview. Furthermore, there is no transcript of the interviews, considering the aim of gaining impressions instead of comparing facts. The audio fragments were saved at multiple computers, so they are available if needed.

3 Results

This section will discuss the four questions used in de interviews for discussing the risk appetite. The first two, how risk appetite is set and by whom, are pooled, for having better readable and integrated results. The way risk appetite is set and by whom, will give an impression of what risk appetite is, the different approaches towards setting risk appetite. After giving this impression, determinants of risk appetite and the change of organizational risk appetite can be discussed, together with the effects of these change. For an overview of the organizations that are interviewed, see appendix 1. Furthermore, appendix 2 gives an overview of the determinants of organizational risk appetite, while appendix 3 is giving an overview of the events or developments by which organizational risk appetite changes and in which way. After answering the questions as much as possible (because sometimes it was difficult for an interviewee to give the answer explicitly or precise), the results will be discussed, interpreted and compared in the next section, the discussion.

3.1 Setting the risk appetite

The first question is ‘how and by whom is the risk appetite set within your organization?’ This question deals with the way of determining the risk appetite, the implementation of and the people that are responsible for determining and implementing it. The question will be answered based on industries, as mentioned during the methodology section.

Accounting firms

for many decisions, risk management is fully integrated into the daily processes and this way, they risk appetite that has been is to be translated to all levels of the organization. There is some difference across accounting firms regarding the degree of making the risk appetite explicit. Although both interviewees of the two accounting firms agree that making a risk appetite explicit is making it far more easy for translating it to lower levels, the second accounting firm is actually not making the risk appetite that explicit. So, there is a difference in what some accounting firms say that is necessary to their customers during their advising activities, namely making the risk appetite explicit for being able to translate it to every level within the organization, and what accounting firms are doing themselves during their business activities.

Banking

Two major international banks (with Dutch roots; one purely commercial, the other a cooperative bank), a smaller but more entrepreneurial bank and a writer with a HR background at another, large commercial Dutch bank and interests within the areas of incentives and risk management have been interviewed. Although they agree that risk appetite is a very broad term, all of them are looking at their ambition and then derive the risk appetite, translating them to the several business units. The two commercial banks are asking several key employees within their organizations for naming the main risks they perceived and have been thinking of, and then act by linking risks and control measures. Long-term orientation is limited to three years in most cases, as the market is considered to be complex, and forecasts over a longer period are considered to be (too) unreliable. This complexity has also to do with the high level of product innovation, that has led to a large difference in knowledge between clients (individuals and organizations) and providers (banks). This large difference of knowledge is a result of attempts from banks to meet the increasing complexity of the market by introduction new, more complex financial products.

From a practical point of view, each business unit can determine their own ambition and this ambition is judged by the risk department, controllers and/or Board of Directors based on the main risk appetite that is determined based on the organization’s strategy. Bank’s risk departments can do suggestions regarding the risk appetite. Eventually, the Board of Directors will, although being informed and advised by their risk department, set the risk appetite (explicitly) and this appetite is integrated in the (financial) models that are used within the banks with respect to for example lending and trading. The higher the level of risk of a certain decision or action, the higher the level of authority that is needed for pursuing. This means that, for example, the Board of Directors has to decide in case of essential decisions.

Risk management has become increasingly important for the banking industry. Interviewees stated that because of political pressure, legislation has been tightened, with for example the introduction of Basel III. As a result of Basel III, banks are required to have higher levels of liquidity (financial wealth on short term) and solvency (financial wealth on longer term). Besides the legislation, societal pressure has led to a focus on ‘good and ethical behavior’ and therefore risk management had to be taken more seriously than before. One of the implications is that the CRO function has become more explicit than before. First, it was a function that was integrated within the CFO function. Now, the CRO is a stand-alone job in the Board of Directors more often. The CRO of the small entrepreneurial bank could not tell why her function was now represented in the Board of Directors, but she thinks it is a good thing to make risk management more explicit by using a CRO function.

Care insurance

One large Dutch care insurance organization is interviewed. The risk manager of this organization stated that “risk management is nothing but culture. How do you deal with risks? He stated that people should be aware of the risks they are facing and act like it is about their own wallet, when dealing with risks that have financial consequences.” The risk department is reporting to and is advising the CFO/CRO in the Board of Directors. Information about risks is gathered bottom-up, it is discussed in meetings and spoken of during management meetings. The Board of Directors is setting the general risks that are appropriate for the organization and based on suggestions of risk, this board will set the appetite. Risk management is fully integrated in the daily business. Each month or quarter, risk management will be discussed in the (financial) control cycles. This means key performance indicators and risks included will be analyzed. This is because risks are linked to (strategic) objects.

although it is an ongoing effort to make employees aware of the risks around them. He stated “eventually, it is like car driving. In the end, you should be able to take notice of and anticipate on risks almost automatically without having to think about it.” Currently, the risk management is busy with implementing risk management within the organization for two years now. The supervising authorities in The Netherlands have asked whether risk management could be implemented faster. The reaction of the risk manager was: “I could implement risk management in a few months if I have to, but then it is only a formal risk management practice instead of culturally integrated, that in the end means nothing.” These comments are making clear that risk management is not something that can be forced in a short period of time, it should be implemented in a convincing, almost elegant way. Employees need some time to get used to risk management thinking, including risk awareness and behaving in a way that is appropriate with respect to the risk appetite that has been set.

Educational

Energy, Oil and Gas

Five organizations are interviewed for this category. Four of these are originally Dutch: the first is active in the energy market and the production of complex projects like offshore windmills, secondary raw materials and fuel alternatives. The second organization is focusing on gas transportation towards its customers for the European market. The third organization traces and extracts petroleum from Dutch soil. The fourth organization is a very large, international player concerning oil. Fifth, a foreign organization is part of a very large, international energy organization.

Generally, preparing and discussing risks with the Board of Directors appeared to be a common way of approaching risk management, in combination with illustrating these risks by giving practical examples and the direction the organization can progress. Part of this is to determine what the level of risk willingness (risk appetite) is, and what control measures might be. This is part of the mission and the vision of the organization, and it should be translated to lower levels in de organizations (top-down). They all stated that risk appetite is a difficult subject and difficult to set. For the implementation of risk management and translating the risk appetite to lower levels, it is very important that there is openness and transparency, next to the awareness at lower levels within the organization. Risk management is considered to be both active (preventing) and reactive (incident-driven).

The first organization does not use risk management in a strict way, as it is somewhat unorganized. However, it does work and the culture can be considered as a risk culture. They are aiming for a more organized approach, with less dependency on the CFO/CRO or risk manager, as it should not be their responsibility only. Every employee should be risk aware. The second organization is more or less an opposite of the first one, as their risk management system is considered quite integrated by using quality hand books, a strong monitoring of the risk management culture and still having a conscious balance between flexibility and risk management, as every organization should be able to react relatively quickly to customers. The third organization is using the COSO framework, based on a risk appetite that is set by the Board of Directors. The Supervisory Board and shareholders decide which control measures to use and feedback this to the Board of Directors.

Organizations four and five are very strict concerning risk management and especially safety considering the physical type of work of many employees. Risk management is fully integrated within these organizations. Especially the fourth organization is a benchmark for competitors and organizations overall, with truly integrated risk management systems and a high risk-awareness. Almost every interviewee referred to this fourth organization as a leading example. In this organization, each business unit has to write down what they want to achieve, what the goals are and what things might jeopardize this? Each risk is discussed and the more essential risks are discussed throughout the different hierarchical levels within the organization. Almost every organization stated about the fourth organization that “capital punishment is applied when not following the safety rules.” Safety rules are so clear within this organization that every employee is paying attention. Finally, one last interesting quote of the foreign energy organization is to be highlighted: “reputation risk is not necessarily a factor that is part of the risk appetite. The market will punish the organization for not being fair or right, compared to competitors.” This quote is saying something about this industry; legislations are not necessarily useful as long as the culture of the organization is right and fair. Organizations have to behave in a integer and right way for keeping their clients, so they will behave this way as long as competitors are doing this also.

Municipality

appropriate view on the possible consequences. Eventually, if an organization wants to be overall sustainable, they need to have an idea of the risks they are facing and what they can do against them. This process is integrated in the control cycles. The aim is to quantify risks, making it more tangible. This is done by controllers. Risk management within this organization is applied by using both top-down and bottom-up approaches, with a mix of strategic and operational risks. How much risk the municipality is willing to take, is not something that is explicitly stated. Like one of the two interviewed accounting firms, it can be problematic to navigate on risk appetite. Considering the financial crisis of 2008, it is important to have risk appetite frameworks (Baker, 2011), but this is very difficult without an explicit risk appetite while making use of centralized decision-making. It developed in a certain way, regarding the fact of doing business with public money. The executive board did not develop a common risk appetite, maar there is a common though of how to behave and how far to go.

Consultancy / government

Technical service and construction

For this category, six organizations have been interviewed. The first organization is a Dutch infrastructure-focused organization, active in the European market. The second organization is an European deliverer of technical services within the areas of electrical, ICT and mechanical engineering. The third organization is specialized in maintenance of the Dutch railway network. The fourth organization is a German, worldwide operating conglomerate in the electrical and electronics. The fifth organization is a global provider of knowledge-based asset integrity services focusing on the Oil & Gas, Chemical and Power sectors. The sixth organization is helping its customers in industries like railways, civil infrastructure and building by offering specific techniques.

In general, risk management is sometimes seen as a difficult subject, but in the end, it appears to be useful. Being able to look forward and making well balanced decisions outweighs the costs of risk management. Most of these organizations are working with projects, with different compositions of employees. Since most projects are done before, data is registered and available for creating a learning effect. For each project, there is a road map available for working in a structured way and being able to identify, assess and control risks. Because of working with projects, the risk appetite is only set in a very broad sense by the Board of Directors and there is much left to the participants in the projects. They are determining whether to execute the project of not, based on which arguments. Only for large risks or high financial impact, the Board of Directors will be approached for a second look and approval. With respect to risk management, a well-known rule used, the 80/20 –rule, by which 20 percent of the most important factors cover 80 percent of the risks.

Because the interviewed organizations are all very large, it is explicitly stated that entrepreneurial behavior should be at the lowest levels of the organizations, for not missing chances. Risk management and compliance can be perceived as a bodice, making it hard to move as an organization. Therefore, decision-making should be decentralized, within a broad risk appetite set by the Board of Directors, in cooperation with a risk board or controllers. The risk appetite is often coming from lower levels and then is discussed by the Board of Directors. This, however, has been a point of discussion for the sixth organization. They referred to an example by which employees (who were digging in the ground and) damaged telephone cables, since it was more effective than redirecting their own, knowing that possible damage is insured anyway. For creating more risk awareness and more ‘consequence-thinking’, the organization increased the level of ‘own risk’ from € 5.000 to € 25.000 for preventing this kind of laziness. This is a very easy and direct way of letting employees work according to the organization risk appetite.

Communication

The organization interviewed for this study is a key player in Dutch market with respect to communication by (mobile) phone, both customer and business. Because the presence of a lot of pressure from governmental institutions and strict telecom legislations, this organization is under a scope. Because risk management is very important considering these circumstances, the members of the Board of Directors will be interviewed individually about several subjects and this way, after summarizing and discussing the results, a risk appetite is formed. In the past, they have been implementing SOx-legislation, so there is already a risk management framework. The next years, risks will be monitored more intensively and will be kept closer to the Board of Directors, so the board will have a better view on developments and therefore it is easier for lower (management) level to gain support from top management, as they are more aware of it. 3.2 Determinants of risk appetite

The second question that will be discussed, is ‘which factors do play a role with respect to decision-making within the area of risk management?’. This questions deals with the determinants of organizational risk appetite.

Accounting firms

audit the same client year after year. These rules are introduced to enhance the image of ‘the independent accountant’. This focus on rules and regulation is called ‘rules-based’ (instead of principle-based, which gives far more freedom during practices). The interviewee of the first accounting firm stated that “this rules-based thought is necessary to restore the public’s faith in financial services and especially the accounting industry. This has to do with our image. The reason why our image is so important is that bad publicity will be linked directly to our organization. For example, a fraud or mistakes with large consequences are directly linked to the specific accounting firms, because of their attitude of confidence and reliability.” Furthermore, doing business with organizations and countries that are considered to be questionable, is a no-go regarding the image. She also stated that “reputational risk is the number one strategic risk and that will stay like this for the coming years.”

The interviewee of the second accounting firm stated that “the way people are looking towards firms and risks (that are taken), is depending strongly on the time frame. During some cultural periods like ‘flower power’ in The Netherlands, risks are discussed far more relaxed than during an economic crisis like the current one.” Besides the external legislations, reputation and a country’s culture, accounting firms are active in very different industry, since their audit and advisory activities are applied to very different clients considering their industries. This has more to do with operational risk, as one industry is more volatile than one another. Real estate, for example, is more volatile than the banking industry, since the bigger banks will not fall as a result of having a key position in society. The performance of the accounting firms in these different markets have been evaluated constantly and depending on the result of this evaluation, risk appetite regarding specific markets can change. This correspondents to Desai (2008), as a pitfall of performance can result in a change of risk-taking. Finally, whether doing business with a client fits the chosen portfolio of the accounting firm and the level of experience of (top) management of the client, is also playing a role whether the accounting firm is willing to take the risk of going into a business relation with the client.

Banking

tightened with respect to the level of available capital, liquidity, solvency and activities in so-called subprime mortgages. These sub-prime mortgages are mortgages than can only be paid under ideal circumstances. When investing in it, most banks believed prospects would improve and improve. However, when the market collapsed, so did the mortgage payers. The rating of the banks, varying from AAA to D, is very important for them. It determines the level of interest paying, so it is reflecting the level of risk that is included. Standard & Poor’s, Fitch and Moody’s are international rating organizations. It should be clear that every bank would like to have a high rating, so they are considered to be a safe bank and they will pay less interest. Baker (2011) referred to this credit rating as being one of the measures by which risk appetite is made measurable.

Next, cybercrime is becoming an increasingly important factor for the risk appetite. As much banking traffic is done by the Internet at the moment and a further increase is to be expected, it is important that websites and pay tools are working well. In case of (many) problems with respect to payments by Internet or inaccessibility of the website, clients might switch to other banks where these problems are not occurring. Integration risk is another operational risk that is essential for entering new markets. Is the specific bank able to coop with the new market, other type of clients and other regulations? The question is whether they can coop with the differences. The writer with a HR and banking background, mentioned that his former Dutch bank wanted to have a sustainable growth. It did not want to blow itself up. In the light of risk management, the CRO of the smaller, entrepreneurial bank mentioned that it is about risk management and not risk aversion. For every business activity, risks are included. They still are commercial banks, which means making a profit is not forbidden. For really managing risk instead of just avoid risk, the CRO of this smaller bank stated that “risk management have to work in different places in order to be good in risk management. They have to understand what it is like to sell a product and way of reasoning behind it. That will, they will be better sparring partners for other departments and they are better in doing their own job, since they can think from different perspectives.”

Care insurance

should be adjusted to the new legislation, since it might be possible that former plans cannot be executed or pursued as a result of stricter rules. Besides the legislation, the number of insured people, the health care costs and investments results, control costs are very important. A final, but crucial risk is reputational risk. The role of social media (Facebook, Twitter, etc.) is difficult to handle from an organizational reputation perspective. Bad news on Friday evening can take on such a flight that the organization is damaged on Sunday. Therefore, social media teams within this organization are taking care of comments on these platforms for being able to react quickly and prevent worse. There is a key performance indicator for the number of times that the organization is discussed in a negative way. A key problem behind social media is that there is a inequality between the organization as care insurer on the one hand, and the client on the other hand. Clients can say anything about the organization, but the organization is not able to react publicly as they limited by confidentiality with respect to specific cases.

Educational

Reputational risk is very important for this industry since they exists for a large group of students and fulfill just an assisting role. Bad publicity is not a good thing for the public cause, since the organization did not fulfill its role then. Furthermore, there will be political attention, which means the effectiveness on the shorter term is gone. It is very expensive for bringing everything back on track.

Energy, oil and gas

Municipality

The most important risks are concerning financial and reputational risks, as they want to have a certain attitude towards the rest of The Netherlands. This image means a lot to them, so they are willing to invest in it. This willingness to invest in being or becoming the cultural capital of The Netherlands contradicts the risk-averseness that is applied to the rest of the activities. The reason behind this is that this municipality is ambitious and that, from a political perspective, it is honorable to do certain projects in favor of other municipalities that were also in de race.

Consultancy / government

The interviewee of this organization mentioned mainly financial consequences. Next to that, the reputation of this organization is important for staying active in this consultancy market, as most (governmental) institutions are only willing to do business with consultancy firms that are of good conduct.

Technical service and construction

The head of risk management of the third organization, maintainer of the Dutch railway network, stated about risks and risk-taking in general: “if you know what you are doing and you are good at what you do, then there is no risk since there is no uncertainty.” This statement is a very interesting view when considering other organizations regarding risk management. Her statement would suggest that an organization can take all uncertainty away by being good and knowing what it is doing. However, external uncertainty is impossible to fade away and making no mistakes where people are working is also impossible. Therefore, this view is considered to be quite opportunistic by the author of this study. Furthermore, holding on to this view can lead to risk blindness, since the organization thinks it is being able to avoid or ‘kill’ all risks. This seems to be quite unbelievable.

Communication

Reputational risk is very important, since this organization is constantly supervised by authorities and from a compliance perspective, it is crucial that they follow the rules. The organization wants to be reliable. Safety is also important, since workers should not face any unnecessary risk. Market developments are crucial, as they determine how far the organization would like to go. In times of crisis, more financial stability instead of entrepreneurial behavior is asked for. Next, the continuity of the organization is important, since this organization is delivering one of the basic needs in The Netherlands. If the situation would occur, that the service would not function (temporary or not), then there would be a problematic situation that would have disastrous effects on the image and continuity of the organization. Finally, social importance is playing a key role as the organization’s service is meant for this social importance. They exist for this task, so they better perform well.

3.3 Change of risk appetite

The third question is ‘which events or situations have changed the organizational risk appetite in what way?’ Which factors have played a role with respect to the adjustment of the organizational risk appetite and what was the effect of this change?

Accounting firms