Risk appetite can vary wildly depending on the organization: At its core, it represents the amount of risk an organization is willing to take to achieve strategic objections. Personal risk appetite can also vary wildly, which is why determining a generalized risk appetite for your organization is vital for risk management decisions.
There’s no universal standard for risk appetite, which is why determining your organization’s risk appetite starts with executives and board members weighing up individual circumstances and overall goals for the company.
What is your risk appetite?
Risk appetite stems from enterprise risk management or ERM, a framework defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “as a way to handle uncertainty and associated risk to create opportunities that enhance value.”
A vital step in the ERM process is risk assessment and monitoring, all of which are influenced by agreed-upon risk appetite.
ISO 31000 has its own ERM framework, with a strong focus on enhancing value in reference to risk management. According to the revised ISO 31000, the new framework focuses on upper leadership, ensuring that, “risk management is integrated into all organizational activities, starting with the governance of the organization.”
Many factors are usually at play when making decisions about risk appetite, including internal factors and external factors.
Internal factors:
- Long-term objectives
- Stage in the organizational life cycle
- Financial stability
- Risk capacity
- The management’s willingness for risk, also known as risk culture
External factors:
- Market maturity
- Competition
- Public image
- Attitudes of stakeholders
What is risk appetite, and what are examples?
Risk appetite represents an organization’s consensus for the threshold or acceptable level at which strategic objectives are worth the risk. Risk tolerance should be determined for virtually all sectors of an organization’s functions, from information security to health and safety and financial objectives.
For example, a company with a conservative financial risk appetite might shy away from investing in new technology to advance its growth objectives. On the other hand, a health care organization with a high level of risk appetite might be willing to run trials on new medical procedures with unknown outcomes.
It’s important for an organization’s executives to establish its risk-taking appetite for all aspects of the business and create a risk appetite framework that can be used for reference and planning.
What does a risk appetite statement look like?
A risk appetite statement works best with a layered approach: While a high-level risk statement is ideal for general reference, being able to articulate risk appetites for different areas of your organization is more comprehensive.
Risk appetite statements can cover areas including safety, compliance, operational risk, and reputation. When developing statements for different risk areas, consider the impact, likelihood, and severity of outcome for each risk. An internal risk manager can then gauge risk exposure against the risk appetite statement when working with leadership on business decisions.
Aim to include risk appetite statements so various project managers can easily consider risks in their roles. Avoid generalizations and jargon—the clearer your risk appetite statement, the less likely there will be mismatched objectives across your organization.
How do you set up a risk appetite statement?
To develop your organization’s risk appetite statement, take advantage of annual discussions about strategy and growth to discuss risk thresholds. Executives on your team will be able to weigh up the importance of growth objectives with potential risk, allowing for your organization to reach a consensus for risk appetite.
As suggested in a 2017 Risk Management Magazine article, creating a flexible or active risk appetite is one way to enable some wiggle room should a compelling opportunity to arise.
For example, if an exciting opportunity means a deviation from established risk appetite, risk managers should have the ability to move quickly and evaluate whether the opportunity is worth its perceived risk.
While developing a comprehensive risk appetite statement will take time, it will strongly position your company to make informed decisions when it comes to new business objectives. Consider both internal and external factors as you create your risk appetite statement, and work with various project leaders to ensure your management team is able to manage risk while balancing growth opportunities.