Where do you draw the line between risk and reward?
By Rick Funston, CEO Funston Advisory Services (FAS) LLC and Board Smart LLC
I was recently asked about risk appetite: “Does Funston Advisory Services offer a framework for engaging leaders in an internal risk appetite survey — not investment-specific, but enterprise-wide (really, enterprise-deep)? The goal is to help leadership better understand the organization’s risk appetite in a truly integrated way, as they balance multiple dimensions of risk, including:
Compliance
Customer/stakeholder expectations
Brand and reputation
Resources and staffing
Financial
Operational.”
The short answer is “yes, we can.” Here’s how.
What is risk?
Before we discuss risk appetite, let’s define what we mean by risk. At its core, risk is the potential for unacceptable performance regardless of cause. Simply put: It’s the potential gap between what’s expected and what actually happens. The question becomes: “What’s acceptable?”
Risk appetite is typically qualitative – the type and level of risk an organization is willing to take to achieve its objectives. If you are willing to be in the business, there are certain risks that go with it. They vary depending on whether you are an astronaut, race driver, mountaineer, law enforcement officer, fire fighter or a public retirement system. Certain risks just go with the territory.
What is risk appetite?
How much risk are you willing to take? Tom Cruise, the Mission Impossible actor who does all his own incredible stunts, said “Don’t be careful – be competent.” If you are willing to take the risk, how much risk are you actually capable of taking? Cruise goes to great lengths to prepare himself, as does every professional who puts their life on the line.1 Compare this with the redneck who says “Hold my beer and watch this!” Unfortunately, too many risk appetite statements end up sounding like “do good and avoid evil.”
Risk Appetite: Public retirement systems are typically patient, long-term investors. A retirement system might state it has a moderate risk appetite, accepting medium market volatility to achieve long-term investment returns. But it has no appetite for unrewarded risks like non-compliance with laws and policies.
All risks are not created equal. Some are killers while others are like “paper cuts” – unpleasant and to be avoided but bearable. They are all important, but some are more important than others.
Putting risk in context
The level of risk an organization is willing to accept varies widely depending on the type of risk being considered. In the realm of investments, the core question is: How much can we afford to lose? This involves not just the size of the risk—or "how big a bet"—but also the nature of the potential return.
Organizations must consider two kinds of ROI: return on investment, which reflects the gain, and return of investment, which reflects the ability to recover capital. Both relative losses (compared to peer institutions) and absolute losses (and how long it takes to recover from them) must be factored into any investment risk appetite.
In contrast, when dealing with reputational risk, most organizations have a very low appetite. Even small missteps can cause outsized harm, and recovery can be long and uncertain.
Cybersecurity is another area where traditional notions of risk tolerance are evolving. In today’s cloud-based, interconnected world, there is no such thing as being completely invulnerable. More digital exposure inevitably brings more vulnerability. The key question becomes: How much cyber risk are we willing to accept in exchange for the benefits of digital transformation?
In the area of compliance, especially concerning issues like harassment or discrimination, expectations have shifted dramatically. Where some organizations may have once tolerated certain behaviors or lapses, the emerging standard is zero tolerance. The appetite here is increasingly aligned with strict adherence and proactive mitigation.
In each of these domains—whether financial, operational, reputational, cyber, or regulatory—understanding risk appetite isn’t about eliminating risk, but about making informed, intelligent choices regarding which risks to accept, which to mitigate, and which to try to avoid altogether.
You should ask yourself four questions about risk:
How bad can it get?
How fast can it get that bad?
How prepared do we need to be?
How prepared are we really?
What is risk tolerance?
The same retirement system might say that it can tolerate up to 10% variability in its actual asset allocation vs. planned or a certain drawdown in its portfolio value without changing investment strategies.
Risk tolerance is typically quantitative. How much variability or deviation from expectations is acceptable? Subjective biases will always creep in (Nobel prize winners Kahneman & Tversky remind us of that),2 so our approach tries to stay grounded in quantitative and objective measures wherever possible. Importantly, we differentiate between the risk itself (the potential outcome – the loss or gain) and its causes. Many confuse the two and end up going down the rabbit hole of trying to guesstimate the subjective probability of every possible cause.
Our simple, practical approach:
Risk Intelligence = smart risk-taking and derisking. To adapt to high uncertainty and rate of change, boards need a disciplined approach to take calculated, rewarded risks and avoid unrewarded risks like non-compliance and operational breakdowns. It’s a five-step cycle:
Detect signals (KPIs) vs. noise (qualitative assessments are too often noise).
Track and monitor when performance begins to approach or exceed your tolerances, so you can quickly recognize patterns (threats or opportunities) and report exceptional performance. Use exception-based reporting (find out about our Risk Intelligence Portal).
Be ready to respond with a range of options and escalate policy implications of exceptional performance with insights about whether to stay, adjust or change course.
Identify lessons learned (about what worked and didn’t work).
Continuously rinse, repeat and adapt.
Where will you draw the line? Defining risk tolerances
It starts with defining expected performance in every vital function, from primary functions like investment and benefits to enterprise functions such as HR, legal, finance and compliance.
First, set performance expectations across functions (KPIs).
Next, “draw the line” by establishing acceptable performance ranges (risk thresholds).
It’s an important dialogue for leadership and the Board.
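As an added illustration of the approach described above (example code written for this page, not FAS’s Risk Intelligence Portal or any client tool), the Python below turns a few tolerances into exception-based reporting: it measures allocation drift against the 10% variability figure from the text, a drawdown against an assumed 10% limit, flags KPIs that approach or exceed their line, and treats a zero-appetite item (compliance findings) as a breach on any occurrence. All figures and KPI names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tolerance:
    """One quantitative tolerance: the line leadership agrees to draw for a KPI."""
    kpi: str
    limit: float                # breach boundary; 0.0 means zero appetite for this risk
    warn_fraction: float = 0.8  # "approaching" once observed >= warn_fraction * limit

def allocation_drift(actual: dict, target: dict) -> float:
    """Largest absolute gap (percentage points) between actual and planned allocation."""
    return max(abs(actual.get(k, 0.0) - target[k]) for k in target)

def drawdown(values: list) -> float:
    """Worst peak-to-trough decline in portfolio value, as a fraction of the running peak."""
    peak, worst = values[0], 0.0
    for v in values:
        peak = max(peak, v)
        worst = max(worst, (peak - v) / peak)
    return worst

def classify(observed: float, tol: Tolerance) -> str:
    """Map an observation to WITHIN / APPROACHING / BREACH against its tolerance."""
    if tol.limit == 0.0:        # zero tolerance: any occurrence at all is a breach
        return "BREACH" if observed > 0 else "WITHIN"
    if observed > tol.limit:
        return "BREACH"
    return "APPROACHING" if observed >= tol.warn_fraction * tol.limit else "WITHIN"

def exception_report(observations: dict, tolerances: list) -> list:
    """Exception-based reporting: list only KPIs approaching or exceeding tolerance."""
    rows = [(tol, classify(observations[tol.kpi], tol)) for tol in tolerances]
    return [{"kpi": t.kpi, "observed": observations[t.kpi], "limit": t.limit, "status": s}
            for t, s in rows if s != "WITHIN"]

# Constructed sample data (hypothetical figures, not from any real retirement system).
TARGET_ALLOCATION = {"equity": 60.0, "fixed_income": 30.0, "real_assets": 10.0}
ACTUAL_ALLOCATION = {"equity": 68.0, "fixed_income": 24.0, "real_assets": 8.0}
PORTFOLIO_VALUES = [100.0, 104.0, 98.0, 92.0, 95.0]   # quarter-end values, peak at 104
TOLERANCES = [
    Tolerance("allocation_drift_pts", 10.0),  # the 10% variability quoted in the text
    Tolerance("drawdown", 0.10),              # assumed: 10% drawdown before strategy review
    Tolerance("compliance_findings", 0.0),    # unrewarded risk: zero appetite
]

def run_report() -> list:
    observations = {"allocation_drift_pts": allocation_drift(ACTUAL_ALLOCATION, TARGET_ALLOCATION),
                    "drawdown": drawdown(PORTFOLIO_VALUES), "compliance_findings": 0}
    return exception_report(observations, TOLERANCES)
```

With the constructed data, only the two investment KPIs appear in the report: allocation drift of 8 points is "approaching" the 10-point line, while the 11.5% drawdown is a breach; zero compliance findings stays silent.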
How FAS can help:
We can support this dialogue with:
Surveys: designing and administering surveys to identify risk appetite and tolerances.
Benchmarking: an integrated compliance framework (ask about our National Survey 2024).
Facilitation: helping leadership engage in candid dialogue to arrive at a consensus.
Education and coaching: targeted Board Smart® online and in-person learning to build shared understanding.
Want to learn more? Contact us at www.funstonadv.com
About Funston Advisory Services (FAS)
In the past 15 years, we have completed over 60 governance reviews for public retirement systems and institutional investors with nearly $3 trillion in assets under management (AUM), across a wide range of sizes and circumstances.
Before founding FAS in 2010, Rick Funston was Deloitte’s National Practice Leader for Governance and Risk Oversight and advised Fortune 500 companies across 20 different industries. In 2001, he created the concept of Risk Intelligence. He is the principal author of 4 books, including most recently “Adapt or Fail” for both for-profit and not-for-profit organizations and “Transforming the Dialogue” specifically for public retirement systems and multi-employer plans.