Risk appetite and its materialization in risk management practices: a case study in the aerospace industry Martin Carlsson-Wall*, Kalle Kraus*, Anita Meidell^ *Department of Accounting, Stockholm School of Economics ^Department of Accounting, Auditing and Law, Norwegian School of Economics Abstract This paper investigates risk appetite and how it materializes in risk management practices. Studying an engine component manufacturer in the aerospace industry, our findings suggest that the company had neither dedicated risk experts, nor formal risk management tools. Instead, the management of risks happened outside a formal risk management apparatus and was guided by a risk appetite principle denoted “Better safe than sorry”. The study contributes to the accounting literature on risk management by detailing an approach to risk management, which we label effectual risk management, that puts risk appetite at the core of the analysis. By drawing on effectuation theory (Sarasvathy, 2001, 2008), this study uses a notion of risk appetite, i.e., the affordable loss principle, that contrasts with prior research’s notion of considering both the upside and downside of the risks and then trying to maximize expected returns by selecting ‘optimal’ risk strategies. In our case company, the management of risks started with determining what the organization was willing to lose and the pursuing of satisfactory opportunities with a limited downside. Our results also engage with and augment recent research that has stressed the role of partnerships and alliances when analysing risk management. Our findings suggest that interfirm relationships can be important assets for an organisation’s risk management practices; the case company systematically reduced risks through involving their partners. Keywords: risk appetite, risk management, effectuation, case study, interfirm relationships 1 1. Introduction Since the mid-1990s, both private and public sector organisations have increasingly become organised around risk (Baxter et al., 2013; Bhimani, 2009; Palermo, 2014; Power, 2007; Soin & Collier, 2013; Woods 2009). Power (2009, p. 849) even talks about the “near theological belief in enterprise risk management”. The aim with well-known risk frameworks, such as the COSO framework, is to achieve a situation in which organisations adopt a holistic approach where the various types of risks are addressed simultaneously rather than separately (COSO, 2004; Hayne & Free, 2014). Central to these ideas is that risks should be managed “within its (the entity’s) risk appetite” (COSO, 2004) (emphasis added). However, previous accounting research has mainly focused on the formalisation of risk management practices in organisations by studying the emergent role of risk experts, such as chief risk officers, and the implementation of formal risk management tools, such as risk maps and scenario planning (e.g. Arena et al., 2010; Giovanni et al., 2016; Jordan et al., 2013; Meidell & Kaarbøe, 2017; Mikes, 2009, 2011; Hall et al., 2015). Limited attention has been given to the concept of risk appetite, and how an organisation’s interpretation of risk appetite materialises in an organisation’s risk management practices. This neglect is surprising given that in the wake of the global financial crisis of 2007- 2009, the concept of risk appetite has gained prominence among practitioners as one (of many) probable explanations for significant collapses (Gendron et al., 2016). For instance, COSO (2012) has published thought leadership papers on how to understand and communicate risk appetite and, in the financial sector, the Financial Stability Board (FSB) released its Principles for a Risk Appetite Framework in 2013 (FSB, 2013). Despite these efforts, Aven (2013), found when reviewing the literature on risk management that the concept of risk appetite is still perceived as vague. Therefore, our study puts risk appetite at the core of the analysis and draws on Sarasvathy’s (2001, 2008) work on entrepreneurial expertise, which is labelled effectuation theory and uses a notion of risk appetite based on an affordable loss principle rather than expected return, reducing risk by predigesting this downside. We ask the following research question: How does risk appetite materialise in an organisation’s risk management practices? Our paper is based on a case study of AirComp, a producer of components to airplane engines. As the CEO put it: “I am always proud to describe how we work with risk management.” However, AirComp had neither dedicated risk experts, nor formal risk management tools. Instead, the core of their risk management discussions was the notion of risk appetite. 2 The paper offers the following contributions to the accounting literature on risk management. First, we theoretically elaborate on, and empirically detail, an approach to risk management that puts risk appetite at the core of the analysis, which we label effectual risk management. By drawing on the theory of effectuation (Sarasvathy, 2001, 2008), this study uses a notion of risk appetite (the affordable loss principle) that contrasts with prior research’s notion of considering both the upside and downside of the risks and then trying to maximize expected returns by selecting ‘optimal’ risk strategies (Caldarelli et al., 2016; Gendron et al., 2016, Paape and Speklé, 2012). In AirComp, the management of risks started with determining what the organization was willing to lose and then pursuing satisfactory opportunities with a limited downside. Second, our results engage with and augment recent research that has stressed the role of interfirm relationships in risk management (Dekker et al., 2013; Ding et al., 2013; Krishnan et al., 2011; Jordan et al., 2013, 2016; Miller et al., 2008). Interfirm relationships with suppliers and conditional loan givers were seen as critical assets that could be leveraged to enhance AirComp’s risk management. Whereas, for instance, Jordan et al. (2013, 2016) detailed how risk maps mediated different concerns and interests in interfirm relationships, our findings suggest that interfirm relationships can be important assets for an organisation’s risk management practices even without formal tools such as risk maps. The paper proceeds as follows. In the next section, previous research on risk management is reviewed with a specific emphasis on the concept of risk appetite. This is followed by an outline of the theory of effectuation and how this theory can be used in understanding risk management. Thereafter the research method is discussed, followed by the empirical account of risk management in AirComp. Finally, the empirical findings are discussed and related to prior research and conclusions and opportunities for further research are presented. 2. Theoretical development 2.1 Previous literature Managing risk is a fundamental concern of today’s organizations. There has been a growing recognition of risk and risk management in contemporary societies to which individuals and organizations are expected to adapt in order to manage the risks they face (Beck, 1992; Power, 2007). The series of high-profile business scandals and failures in the 1990s and early in 2000 followed by the global financial crisis in 2007-2009 have increased regulators’ and market participants’ focus on risk management (Hall et al., 2015; Mikes, 2011; Power, 2009; 3 Van der Stede, 2011; Woods, 2009). The trend towards worldwide government regulations can be found, for example, in the Sarbanes-Oxley Act (2002) in the USA, in the UK’s Corporate Governance Code (Financial Reporting Council, 2010), in the Basel banking accords, in the ERM framework by COSO (2004) and in the international risk management standard by ISO31000 (2009). The emerging practices of risk management in organisations have been studied in both public and private sector organisations, demonstrating an increasing formalisation of risk management. Two common themes can be found in previous research. First, that organisations assign responsibility for risk management to dedicated risk experts, such as management accountants, internal auditors, chief risk officers and/or risk managers (Arena et al., 2010; Giovanni et al., 2016; Meidell & Kaarbøe, 2017; Mikes, 2009, 2011; Spira & Page, 2003; Vinnari & Skærbæk, 2014). Second, organisations use formal risk management tools such as risk maps, key risk indicator scorecards, scenario planning, tail-risk assessments, war gaming and risk reporting frameworks. Research shows, for instance, that interactive discussions about risks and their connection to strategic objectives were facilitated by risk maps and scenario planning (Hall et al., 2015; Jordan et al., 2013, 2016; Kaplan & Mikes, 2012). Despite the increasing formalisation of risk management in organisations, the global financial crisis demonstrated that many companies failed to deal with major risks, most visibly among financial institutions but also companies from other sectors. In the wake of the crisis, researchers have started to question the perceived reliability of risk management in handling aberrations (Gendron et al., 2016). Gendron et al. (2016, p. 570) found that several new concepts such as ”compensation risk, black swans, risk appetite and risk culture” (emphasis added) gained prominence in the aftermath of the financial crisis as important explanatory factors for the failures. The risk appetite concept, for instance, was used to explain why tolerance policies did not properly constrain the risk taking activities in the chase for high profit. Consequently, since the financial crisis the concept of risk appetite has emerged as a ‘hot’ topic in practice (EACLN, 2013; EY, 2015; IRM, 2011; KPMG, 2013; PwC, 2014). However, the COSO definition (2012, p. 1) where risk appetite is defined as “the amount of risk on a broad level an organization is willing to accept in pursuit of value” is perceived as offering little guidance to organizations on how to concretely interpret the concept (c.f., Aven, 2013). Relatedly, IRM (2010) noted that ISO 31000 is “silent” regarding the concept of risk appetite. 4 Bromiley et al. (2015, p. 268) argued that academic scholars have “been slow to address many of the core practitioner concepts” and that risk appetite is one of these concepts. Prior accounting research on risk management is no exception, although some scholars briefly discuss risk appetite. Gendron et al. (2016), using data primarily from financial institutions, found increasing importance in the risk appetite concept. Similarly, Caldarelli et al. (2016) studying a cooperative bank found that the bank used a risk appetite framework to guide strategic discussions and risk-taking activities. The use of risk appetite was expressed by a risk controller in the bank as follows: “We define risk appetite as the amount and type of risk we are willing to accept in the pursuit of our objectives, both economic and social” (Caldarelli et al., 2016, p. 8). When considering new investment projects in the bank, risks were first verified with the risk appetite statement and further evaluated for economic profitability in terms of risk-return ratios. In a more critical vein, Paape and Speklé (2012, p. 560) argued that the formulation of risk appetite and risk tolerance does not contribute to “perceived risk management effectiveness”, while Power (2009, p. 850) argued that the way COSO (2004) had applied risk appetite “impoverishes” risk appetite as an organizational process. One of the main problems according to Power is the assumption of a “singular organizational risk appetite”, which can be rationally determined by senior management of an organization. He further argued that despite the intentions of COSO (2004) to define risk appetite both quantitatively and qualitatively, “COSO-style ERM principles limit the concept of risk appetite within a capital measurement discourse” (Power, 2009, p. 851). Based on the literature review we conclude that although prior accounting research has provided us with valuable knowledge of risk management implementation the concept of risk appetite has not been at the core of the analysis theoretically or empirically. We still know little about how risk appetite materializes in an organisation’s risk management practices. The lens we use to advance our knowledge on this issue is a theory of entrepreneurial expertise called effectuation (Sarasvathy, 2001, 2008). Central to this theory is the notion of risk appetite. 2.2 Effectuation theory The founder of effectuation theory, Saras D. Sarasvathy, positions effectuation as a specific approach under the larger umbrella of decision-making during uncertainty (Sarasvathy, 2001, 2008). In her study of expert entrepreneurs, she found that these entrepreneurs systematically based their decisions concerning building new ventures on a specific notion of risk appetite: 5 namely the affordable loss principle. Since it was not clear at the early stages of the venture what the ‘pie’ will be, or how much each piece of the pie will be worth down the road, they could not effectively use expected return as their immediate criterion for selecting ventures. Instead the principle of affordable loss guided expenditures, where the key concern for the entrepreneurs was to keep the expenses as low as possible. As such, the entrepreneurs committed in advance to what they were willing to lose rather than investing in projects based on calculations about expected returns to these projects. They had to reconcile whether they could live with the potential loss. This notion of risk appetite was also reinforced by two additional principles: a focus on means, and pre-committed partners. For the entrepreneurs in Sarasvathy’s study, goals were not the primary focus and the challenge was not in identifying and collecting the means needed to achieve these goals. Instead, the entrepreneurs placed their emphasis on working with existing means rather than discovering new ways of working. They began with various means such as: identity (who am I) and knowledge (what do I know), and attention then centered on creating and choosing between the possible effects that those means could create. In addition, pre-committed partners played an essential role because they expanded the means of the effort for the entrepreneurs. They therefore negotiated with all stakeholders who were willing to make actual commitments to the project, without worrying about opportunity costs or carrying out elaborate competitive analyses. There were many examples of entrepreneurs choosing to work with customers because they were willing to provide pre-commitments to the venture, even though a different potential customer was expected to provide a larger long- term benefit (Wiltbank et al., 2009). All in all, Sarasvathy (2001, 2008) found the entrepreneurs were flexible enough to work with any and all partners who were willing to pre-commit, and to embrace strategies that were affordable rather than optimal. Through making affordable rather than optimal expenditures, the effectuation approach tended to minimise losses per stakeholder in case of failure. As such, the expert entrepreneurs acted based on the premise that success cannot be predicted, but the occurrence of failure can be controlled. By taking action based on affordable loss rather than maximizing expected return, the risk involved in any one action cannot put an entire project in jeopardy (c.f., Read et al., 2009). They acknowledged that this tactic might have unintended consequences, such as underinvesting in attractive options, but they found it more important that the tactic provided a means of achieving some control over the occurrence of failure. The entrepreneurial experts thereby allowed failure to happen earlier 6 and at lower levels of investment, while keeping open the upside option of making larger investments when early successes began to accumulate (Brettel et al., 2012). We can see that effectuation puts risk appetite (in the form of the affordable loss principle) at the core of the analysis. Therefore, in the following, we seek to clarify and connect the key themes from effectuation to contribute to the ideas and practice of risk management. We argue that effectuation theory is particularly suitable for forming a conceptual basis for risk management, since both entrepreneurs and people engaged in risk management face high levels of uncertainty. Sarasvathy (2008, p. 227) also highlighted that effectuation should be seen as a “general theory of decision-making in uncertain situations”. As Sarasvathy (2008, p. 48) rhetorically asked: “Are expert entrepreneurs the only group of human beings who use effectual logic? My guess here is no.” 2.3 Effectual risk management – risk appetite at the core of the analysis Applying effectuation theory to risk management would involve considering the previously discussed specific notion of risk appetite (i.e., affordable loss rather than expected return), as well as the two other principles that are linked to risk appetite: a means-driven approach rather than a goals-driven approach, and partnerships rather than exogenous environment. First, prior accounting research on risk management found that organisations invested in tools and dedicated experts, such as risk officers, to better manage risks (Arena et al., 2010; Giovanni et al., 2016; Meidell & Kaarbøe, 2017; Mikes, 2009, 2011; Hall et al., 2015). Both the upside and downside of the risks are carefully considered and the organisation then tries to maximize returns by selecting ‘optimal’ risk strategies. For instance, Jordan et al. (2013, 2016) showed how specific risk expectations were derived from a risk map or a risk scenario analysis. In contrast, what we label effectual risk management is guided by a notion of risk appetite based on the affordable loss principle. The potential downside will be in focus and risk management efforts will be directed to predigesting this downside. Organisations would invest in projects based on what they are willing to lose rather than investing in calculations about expected returns. Thus, instead of focusing on tools and dedicated experts, organisations using effectual risk management would design their whole way of doing business in a manner to predigest the potential downside. For instance when thinking of business risks and financial risks, managers would begin with a determination of how much they are willing to lose, thereby pursuing satisfactory, rather than optimal, business opportunities with a limited downside. 7 Second, previous research normally begins with an effect to be created. Given the particular goals we want to achieve what ought we to do in terms of risk management? Which particular paths should we take? Organisations seek to either select between the means to achieve those effects or to create new means to achieve those effects (e.g., hiring a risk manager, using a risk management tool). In contrast, instead of starting with a predetermined vision of risk management, effectual risk management emphasis would be based on working with risks with existing means, and the starting point would be: given who we are and what we know, what can we do in terms of risk management? What types of effects can we create? As such, effectual risk management would build on the organisation’s previous experience, using individual preferences, knowledge and networks as the starting point. Third, prior research is mainly about positioning within an environment that is mostly perceived as exogenous to the efforts of the organisation. Under the assumption of exogeny, positioning would be a logical way for organisations to seek control over their risks and successfully reposition the future. The organisation needs to develop its own capacities of identifying and mitigating risks. With an effectual risk management approach, the environment would be seen as endogenous to the actions of the organisation, which therefore attempts to seek control over risks by making alliances with other stakeholders. This means that forming partnerships and getting pre-commitments from other organisations will be an important part of managing risks (c.f., Jordan et al., 2013, 2016; Krishnan et al., 2011; Miller et al., 2008; Power, 2009). The nature of risk management will depend on the stakeholders that come on board and the contingencies that occur along the way. Organisations would thereby reduce risks through involving others. This ties into the discussions by Power (2009) who argued that formal risk management systems are flawed at the level of design, especially when it comes to the deep-seated commitment to the discrete entityhood of organisations. As he put it (Power, 2009, p. 852): “ERM operates with a limited conception of embeddedness”. He stressed the need to get beyond risk management prescriptions for single organisations acting in isolation from one another (see also, Soin & Collier, 2013; Jordan et al., 2013; Miller et al., 2008). To summarise, effectual risk management puts the notion of risk appetite at the core of the analysis and suggests that much of the risk management occurs through effectual principles that reside beyond the formal risk management systems. This reinforces and augments the argument put forward by Miller et al. (2008), who concluded based on field work in both public and private sector organisations that (p. 944): “The management of uncertainty does not only happen through the now obligatory and increasingly elaborate apparatuses of risk 8 management systems and assurance frameworks.” The core risk appetite principle – affordable loss – and the two related principles – a means-driven approach and partnerships – form the structure for what we label effectual risk management. Table 1 summarises the main differences between traditional risk management, based on prior accounting research, and effectual risk management. In the following, an in-depth case study of AirComp, a producer of components to airplane engines, is analysed to explore effectual risk management in practice. But first, the research methods are presented. Effectual risk management Traditional risk management (based on prior accounting literature) The risk appetite • Risk appetite at the core of the • Risk appetite either not mentioned at concept analysis: conceptualized as the all or briefly mentioned affordable loss principle • Risk management approach guided • Risk management approach by maximising the potential returns guided by the potential downside. with careful considerations of both Start with determining what the the upside and downside of risks. organisation is willing to lose and then pursuing satisfactory opportunities with a limited downside. Means vs. goals • Risk management approach • Risk management approach driven driven by given means: given by given goals: given the particular who we are and what we know, goals we want to achieve what ought what can we do in terms of risk we to do in terms of risk management? management? Partnerships vs. • Environment seen as endogenous • Environment exogenous to the exogenous to the actions of the organisation. efforts of the organisation. The environment Try to reduce risks through organisation mainly develops its involving others, e.g., forming own capacities of identifying and partnerships and alliances. mitigating risks. 3. Method To explore effectual risk management, we conducted a single interpretive case study (Dyer & Wilkins, 1991; Siggelkow, 2007). This is a suitable research design when the aim is to study a complex phenomenon in a real-world setting and when one has the ambition to develop new theory (Edmondson & McManus, 2007). The main source of empirical material was interviews. In total, 41 interviews were conducted with 34 individuals. All interviews were recorded and transcribed and were complemented with a large number of internal and external documents. In terms of overall methodology, we have taken an abductive approach (Dubois & 9 Gadde, 2002; Lukka, 2014; Lukka & Modell, 2010) in how we relate our empirical case to theory and method. As a consequence, we structured our method after the three phases in our research process. 3.1 Understanding the aerospace industry The overall aim with the project was to study the role of accounting practices in contexts characterized by uncertainty and ambiguity. AirComp, an engine component manufacturer for the aerospace engine industry, provided such a context because product innovation, interfirm relationships and risk management play a significant role in how business was conducted in this industry. For example, the development of a new technology usually takes between 10-20 years due to very high safety standards and complex customer relationships with firms such as General Electric or Rolls-Royce, which often last several decades. Furthermore, in addition to granting generous data access, AirComp is of manageable size. The company has an annual turnover of 800 Million Euros and about 1300 employees around the world. To understand AirComp’s context, we started by conducting eight interviews with key actors in the aerospace industry. For example, we spoke with people from academia, research financers, companies and the government. 3.2 Investigating risk management in AirComp In the second phase, we focused our attention on AirComp and their risk management practices. We conducted 12 interviews with 13 different individuals in this second research phase. We interviewed the R&D director, an R&D manager, two senior vice presidents, a commercial director, a procurement manager, two project managers, the head of key accounts, two key account managers, a corporate controller and a business controller. The interviewees were selected based on their experience from product innovation and risk management and because they represented different roles in AirComp. We soon became aware of two important risks that the interviewees repeatedly came back to when explaining risk management: volume/market risk and technology risk. The volume/market risk was related to the number of airplane engines of a particular model that eventually will be sold, and when the sales will happen in time. As previously mentioned, since it takes between 10-20 years to develop a new engine, the uncertainty in the predictions of volume is considered to be extremely high. The technology risk concerns which technologies will be seen as leading edge in 10-20 years and the uncertainty regarding this is also considered very high. This meant, according to the interviewees, that risk management was a continuous concern among the top 10
Description: