Summary of Risk Appetite and Example of Apple

Semple (2007) states that, “There are considerable benefits in taking time to articulate risk appetite properly” (p25). He goes on to add that, “Different parts of organisations and external stakeholders have different perspectives [on risk appetite]” (p25) and that, “culture, strategy and competitive position all influence risk appetite” (p26).

Therefore, Semple (2007) highlights the importance of risk appetite but, as may be expected, does state that, “Consequently, articulating risk appetite is a complex task” (p25).

Required:

1. In view of Semple’s statements (above) you are required to provide a critical view on whether or not you believe it is desirable, and possible, for a company to effectively articulate its risk appetite.

Your discussion should encompass a wide range of literature and should be fully supported by a good deal of academic underpinning (i.e. references). There should be evidence of wide-reading in addition to the article by Semple (2007).

2. Given your work on the previous tasks you are required to provide a detailed view on the ‘risk appetite’ displayed by Apple Inc. You should provide full support for any assertions that you make with regard to this response.

Amount of risks are faced by organizations all the time during pursuing their objectives. Management and the board has to conduct an appropriate vision to encounter the the risk amount that allow for achieving these objectives. Whereas regulators and other oversight bodies are calling for better descriptions of organizations’ risk management processes, including oversight by the board.

Risk always has been a part of the human effort (Rosa, 1998). Hansson, (2010) noted thatthe risk has developed in “divergent approaches and traditions that show no sign of rapprochement”. As a result, risk is all about subjective beliefs, and structures. The cultural theory understands risk as a cultural phenomenon and as a representation of our collective thoughts framework.

A definition of risk appetite by the Enterprise Risk Management is “the amount of risk, on a broad level, an organization is willing to accept in the pursuit of value” – Integrated Framework (COSO, 2004). It has adopted the concept of risk appetite as an important part of the ERM process. Risk appetite is considered a key concept and precondition for enterprise risk management, and Paape and Speklé (2012) argue that COSO (2004) promotes a clear preference for quantification when it comes to risk appetite at lower levels. In addition, it has been argued that this view on risk management is mechanistic, and problematic if they find that formulation of risk appetite and risk tolerances does not contribute to “perceived risk management effectiveness” and that this challenges the core assumptions that COSO (2004) are based on. Another definition by the risk-vocabulary companion guide to ISO 31000 is “the amount and type of risk that an organization is willing to pursue or retain”.

On the other hand, Bromiley et al (2015) argued that the concept of risk appetite is being very ambiguous. While Power (2009) argued that the concept of risk appetite should be more concerned about human behaviour and focus on risk appetite as a dynamic process including a plenty of actors in an institutions, in order to improve these many shortcomings.

(Figure 1- Semple, 2007)

Organizations and risk appetite    

Several organizations have had to account for a broader base of risks after high profile environmental disasters, corporate scandals and financial crisis of 2008 (Woods, 2011). These have increased the governmental push towards more control and better risk management than the traditional risk management (Mikes, 2009). In addition to the fact that management systems are accountable (Spira& Page, 2003). The government response to such incidents has been to increase regulatory pressure on organizations to implement more effective corporate governance and internal control mechanisms (Soin & Collier, 2013). This broader and more holistic approach to managing risks, is known as enterprise risk management (ERM). The ERM system can be described as “how organizations should seek to identify all material risks to their objectives and sub-objectives, design controls and mitigations which produce a residual risk consistent with a target risk appetite, and monitor this entire process, making feedback adjustments as necessary” (Power, 2009).

Organizations have to set terms of risk appetite which can be updated and refined over time as the organization becomes more experienced with the concept (Rittenberg & Martens, 2012). The risk appetite has to be set in order to align the organization by setting risk tolerances, where the management have to considers the relative importance of the related objective and aligns risk tolerances with risk appetite COSO (2004). Operating within risk tolerances keeps the organization within its risk appetite and that it will achieve its objectives. The risk tolerances are the allocation of the organization’s risk to the different levels in organization. These risk tolerances should be measurable in order to prevent organizations taking risks outside of their risk appetite. Interrelated risks raised some issues arising in which organization should uncover such interdependencies through stress testing of risks. The risk tolerances are the disaggregated elements of the quantitative risk appetite measurement. The qualitative risk measurements are not disaggregated in the same way, but set the organizations overall approach of the to risk taking.

According to PwC (2009) a top-down approach is important to make sure that the risk appetite of the organization does not become a passive description of today’s risk profile, but rather that it is proactive and forward thinking to contribute to compliance and alignment across all levels, risk appetite is cascaded down in the organization to the risk categories that are relevant to the organization. Also FSB (2013) argues that risk appetite should be top-down leadership, but it should also have bottom-up involvement from management at all levels. The organization and its management should check that the top-down risk appetite is consistent with the bottom-up perspective, securing a common understanding across the organization. This should be an ongoing and iterative process of evaluating the risk profile of the organization with the risk appetite.

IRM (2011) argues that risk appetite is complex, and not a single, fixed concept in an organization. There may be a range of appetites for different risks, which need to align, and the appetites may vary over time as a response to changes in the organization’s environment. The risk appetite needs to be measurable in order not to promote an individual measurement approach but argues that directors should understand how their performance drivers are impacted by risk. COSO (2004) argues that organizations need to adopt a portfolio view of risk. An organization often comprise of several units that might be subject to different risks, and a portfolio view enables top management to consider whether the overall risk portfolio is proportionate to the organization’s risk appetite and potentially re-evaluate the nature and type of risks the organization wishes to take. For example, different risks may be within the different units’ risk tolerances. However, taken together, the aggregate of these interrelated risks might exceed the organization’s risk appetite. By adopting a portfolio view of risks, the organization can account for interrelated risks and make sure that the overall risk exposure is within its risk appetite.

Power (2009) argues that risk appetite, as a concept, must be more concerned about human behavior and the dynamic process of involving a multitude of actors. We find that the risk appetite involves both individual and collective interpretations, as some risk categories are subjective. It has been found that the risk appetite is not as important as the organizational culture in aligning the organization taking into account the amount of assumed risk. It has been argued that the risk appetite has changed over time, because the organization being aware to what extent they are willing to assume risks. This awareness effect resembles the emergence of a shared understanding as called by Scott (2014), which is indicative of the cultural-cognitive pillar.

Avoiding risk as part of the organization strategic initiatives does not rely on developing the risk appetite. As organizations set different objectives, they will develop different risk appetites. There is no standard or universal risk appetite statement that applies to all organizations, nor is there a right risk appetite. Management and the board must rather understand the trade-offs involved in having higher or lower risk appetites when setting the risk appetite. The organization’s history of handling undesirable risks, and the low number of incidents influenced how the organization viewed risk as a whole. The organization was still dealing with leftovers from the previous bureaucratic and more rule-driven culture that gave the organization a low willingness to take risks. Therefore, we argue that the organization is influenced by a mimetic institutional pressure that has a moderating effect on risk appetite.

Different institutional pressures affect the risk appetite in the organization. Externally, the regulative system is influencing through formal rule-like procedures creating a coercive pressure on the organization. Whereas, internally the cultural-cognitive system influences what level of risk that is acceptable through a collective understanding of their history and their role in society. This defines the organizational culture, creating a mimetic pressure on the organization’s risk appetite. The risk appetite influenced by the organization’s context is specific to it, and cannot be articulated without taking into consideration this organization-specific context. What determines and shapes the articulation of a risk appetite has not been addressed in the risk appetite literature. Therefore, the articulation of risk appetite does not happen in isolation as a visionary statement, as implied by PwC (2014). Rather, both external and internal institutional pressures influence risk appetite. This further challenge the practicability of the risk appetite concept and the notion that it is a top-down concept (Baunan and Berge, 2016).

Risk appetite in Apple Inc

A demonstration of the risk appetite in Apple Inc, is its board of apple Inc willingness of accepting risks in early stages by selling his Volkswagen van for start-up capital for Apple which he invested to start new companies like NeXT and existing companies like Pixar. NeXT was in the end dissolved, and not all of these risks were rewarded, however he benefited from his investment and effort to make Pixar a success. The characteristics of Apple Inc board define the characteristics of entrepreneurial traits, where they have the ability to find opportunity and gather resources to take advantage of opportunities. An example of that is the development of the new Breakout circuitry for them. On the other hand, the board of Apple Inc, is an inventor where he makes no claims about producing or wanting to make money off of his inventions. Apple Inc would never have existed without the vision of the board of Apple Inc vision, since they did not have the entrepreneurial instincts to create a company and make money. Board of Apple Inc vision to see the potential in technology allowed him to take full advantage of these opportunities. The vision that allows Steve Job to see the the high potentials in the first computer that Wozniak built or other companies that he was involved in running. The later products of Apple Inc innovations such as the iTunes, and iPhone, a proofing of this vision (Finkle&Mallin, 2010), (Apple Inc, 2015).

In conclusion, organizations are effective at creating a risk-aware culture that emanates from senior management, cascades through the organization, and is supported by the board. In an effective risk-aware culture, organization members are aware of the extent of risks acceptable in pursuing the objectives, and what is not acceptable in wrong objectives. Even though the management cannot rely on individual’s responsibility in implementing risks management within the appropriate risk appetite. Therefore, organizations have to review the application of risk appetite through a series of monitoring activities. The management should also observe the organization’s activities for consistency with risk appetite through the specifics identified with risk tolerances. Many organizations have key performance risk metrics that they use to measure performance, in which it possible to integrate risk tolerances into the monitoring process used to evaluate performance, and internal auditing can provide independent insight on the effectiveness of such processes.

Risk appetite it is an integral part of an organization’s strategies for achieving objectives. The concept of risk appetite permeates all organizations from charities and governments to small businesses and publicly traded corporations. A statement of risk appetite is an effective way to communicate across an organization a sense of acceptable risks. In addition, it provides a basis for evaluating and monitoring the amount of risk an organization faces to determine whether the risk has risen above an acceptable range. An organization’s risk appetite must come before its strategy process, in order for its management to be able to set a strategy that is consistent with its risk appetite. Therefore, risk appetite should be reflected in the organization’s strategy and objectives, which in turn guides resource allocation across the different units in the organization. Through strategy implementation, management keeps the organization aligned with its risk appetite.

References    

Apple Inc, (2015)., Form 10-K. For the Fiscal Year Ended September 26, 2015. [online]. Available from: http://investor.apple.com/secfiling.cfm?filingid=1193125-15-356351&cik=. [Accessed 29December 2016].

Baunan H and Berge J, 2016., Understanding Risk Appetite What is it, what pressures shape it and how is it institutionalized. Master’s thesis in Business Analysis and Performance Management Economics and Business Administration. NORWEGIAN SCHOOL OF ECONOMICS.

Bromiley, P., McShane, M., Nair, A., &Rustambekov, E. (2015). Enterprise Risk Management: Review, Critique, and Research Directions. Long Range Planning, 48(6).

Caldarelli, A., Fiondella, C., Maffei, M., &Zagaria, C. (2015). Managing Risk in Credit Cooperative Banks: Lessons From a Case Study. Management Accounting Research.

COSO. (2004). Enterprise Risk Management – Intergrated Framework. Framework. Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Finkle, T.A. &Mallin, M.L. 2010, “Steve Jobs and Apple, Inc”, Journal of the International Academy for Case Studies, vol. 16, no. 7, pp. 31.

FSB. (2013). Principles for An Effective Risk Appetite Framework. Financial Stability Board. [online]. Available from: http://www.fsb.org/wp-content/uploads/r_131118.pdf. [Accessed 31 December 2016].

Hansson, S. O. (2010). Risk: objective or subjective, facts or values. Journal of Risk Research, 231-238.

IRM. (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. London, UK: Institute of Risk Management (IRM). [Online]. Available from: https://www.theirm.org/media/886062/ISO3100_doc.pdf. [Accessed 10 January 2016].

ISO. (2009). ISO 31000:2009 Risk Management – Principles and Guidelines. Geneva, Switzerland: International Organization of Standardization.

Rittenberg, L & Martens, F,. 2012.Understanding and Communicating Risk Appetite.Committee of Sponsoring Organizations of the Treadway Commission (COSO).https://www.coso.org/Documents/ERM-Understanding-and-Communicating-Risk-Appetite.pdf. [Accessed 7 January 2017].

Rosa, E. A. (1998). Metatheoretical Foundations for Post-Normal Risk. Journal of Risk Research, 15-44.

Mikes, A. (2009). Risk management and calculative cultures. Management Accounting Research, 20(1), 18-40.

Paape, L., &Speklé, R. (2012). The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study. European Accounting Review, 21(3).

Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 849-855.

PwC. (2009). Risk appetite – How hungry are you? PwC. [online]. Available from: https://www.pwc.com/gx/en/banking-capital-markets/pdf/risk_appetite.pdf. [Accessed 7January 2016].

Scott, R. W. (2014). Institutions and organizations. Ideas, interests, and identities. Thousand Oaks, CA: SAGE Publications.

SEMPLE, B., 2007. Risk Appetite: How Hungry Are You? Accountancy Ireland, 39(3), pp. 24-27.

Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 82-87.

Spira, L. F., & Page, M. (2003). Risk management. The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640-661.

Woods, M. (2011). Risk Management in Organizations: An Integrated Case Study Approach. Abingdon, UK: Routledge.