Can you imagine what driving would be like without marked lanes and guardrails?
It is entirely reasonable to expect not just chaos, but up to and including life-threatening danger.
Guardrails, lanes, minimum and maximum speed limits, you name it (yes, slow pokes can be dangerous too!)–all of these are there to ensure both order and safety on the road. Without them, drivers would act according to their own preferences. Some would go slower, some extremely fast, and some would swerve into other people’s lanes while playing with their phones. (Wait, that happens now!) But others may even miss a curve and drive off the road and into a ditch or someone’s front yard.
This part of everyday life is a near-perfect analogy of a topic many companies and ERM practitioners struggle with – risk appetite.
It’s easy to see why when reading different thought leaders and resources on the subject. Not only are there strong disagreements on the value of risk appetite, but there are also wildly different definitions of it.
Therefore, this article is meant to provide you, the risk practitioner, with a basic understanding of risk appetite, so you can help your company leaders and managers harness it for decision-making.
My goal is to show that risk appetite doesn’t have to be complicated and that, when used properly, it can be a valuable tool for ensuring everyone is staying within acceptable bounds and working from the same page.
Continue reading 7 questions to understand the fundamentals of risk appetite. (Note: Due to the depth of this subject, I decided to break the topic into two separate parts. Therefore, today you will get answers to questions 1-4 and next week will add questions 5-7.)
Question #1: What is the best way to define risk appetite?
Part of what makes risk appetite such a challenge is that there are so many different definitions of it. Even the two primary risk management standards, ISO 31000 and COSO, define it differently according to now retired risk leader Hans Læssøe.
It’s not that either definition is bad. Rather, the challenge lies in practical application.
However, we have to start somewhere. For the purposes of our article, the most succinct definition comes from Basil Aldagen via Tim Leech who explains risk appetite as
“…how much risk can be taken in pursuit of objectives.”
Expanding on this further, and in keeping with my traffic analogy from the intro, Gartner explains how risk appetite:
…creates a set of guardrails for managers to operate within when making strategic decisions. It also provides a tool for communicating the role of guardrails in the decision-making process and for confirming that individual parts of the business are independently and collectively operating within those guardrails.
These guardrails, or guiding principles if you will, enables how company leaders and business managers make decisions about tradeoffs.
This concept is not about a single point for a single risk, but about establishing an overall or overarching risk appetite for broad categories and objectives.
It’s a bird’s-eye, 33,000-foot view that sets the tone and culture around risk taking.
Individual risks and associated metrics are handled under what is known as risk tolerance, but that will be covered in a separate article.
Question #2: How does risk appetite help company leaders and middle managers improve decisions?
Without guiding principles or guardrails set forth as risk appetite, decisions for everything from strategic goals to initiatives would be scattered and chaotic.
Everyone in the organization has their own personal perspectives about risk. Some are willing to take more risks in pursuit of a goal, while others are more risk averse.
Either extreme can be dangerous in a variety of ways.
And neither are focused on what is right for the company.
When developed and communicated properly, risk appetite helps clear the bias that will quickly set in without agreed-upon guardrails.
Risk appetite also helps managers and employees know what is acceptable, what is not, and when something needs to be escalated.
By extension, it also helps foster a risk-aware culture in the organization, or as explained in the book Strategic Risk Management – New Tools for Competitive Advantage in an Uncertain Age:
A clear of notion of risk appetite often contained in a formal statement nurtures a healthy appreciation of and respect for incorporating risk into decision-making.
Similar to a road with no lanes, guardrails, or speed limits, decision-making without a well-formulated risk appetite will only create chaos and even the demise of the company in some cases.
Question #3: How does risk appetite help a company create a competitive advantage?
The benefits mentioned in the previous question could easily apply to this one as well. Addressing biases and building a risk-aware culture around decisions throughout the organization are half the battle.
However, it’s not the statements themselves that are valuable, but the conversation that it prompts among leaders.
When company leaders come together to discuss risk appetite, it forces alignment that would otherwise not be there. It ensures everyone, meaning leaders, are working from the same playbook, something that is critical when charting the company’s long-term strategy.
Also, think of the meetings that are avoided because of the guardrails. Instead of constantly putting out fires after a decision outside of those guardrails, leaders can focus on the value-add discussions that move the company forward.
When meetings are not needed for decision-making, because leaders already know what is acceptable and unacceptable for the company, progress is made faster, smoother, and with less re-work.
In the end, hope is not a strategy for creating competitive advantage in a turbulent, uncertain world.
Risk appetite is one tool that enables sound strategic decisions and balances them against scarce resources.
Question #4: How has the concept of risk appetite changed over time?
Like so many things, including ERM, the concept of risk appetite has changed tremendously over the years.
One huge change is the focus or primary motivation.
In past years, risk appetite was very risk-centric. Like ERM in general, the main thrust of establishing risk appetite was to ensure the company did not take too much risk.
In short, any ‘statements’ were either based around vague risk lists with the main goal being failure prevention OR were attempted to be a single statement of risk preference for the company. Talk about not being helpful! There is necessary nuance within decision-making that could never be captured in a 1-2 sentence statement on risk.
In some industries, mostly financial, some elements of risk appetite have and are still defined by regulators, lenders, banks, and other external bodies.
Over time, but especially in the last five years, there’s been an increasing number of thought leaders like Tim Leech and me 🙂 urging companies to connect risk appetite with top strategic and business objectives.
Instead of a static statement that’s updated once a year, there’s an ever-growing consensus that an objective-centric approach is the key to making risk appetite a valuable tool and is the glue that holds strategy and risk together!
Another difference is where risk appetite lies within the ERM process. Before, it would be a component of analyzing individual risks.
While ERM can help company leaders create and disseminate risk appetite, it should no longer be considered a part of the ERM process, but rather a tool for guiding high-level decisions.
The last key difference has to do with how we define risk appetite. In this article by Hans Læssøe, risk appetite focused on levels of risk being a limit of what was inconsequential.
However, as I explain in question #1, a more workable definition of risk appetite is that it’s a collection of statements for a broad range of categories and/or objectives.
On that note, I am going to pause, let you absorb this information, before I add more to the table. Check back again next week as I answer questions 5-7, where I will discuss the common challenges with risk appetite (beyond what has already been examined above), why risk appetite is so controversial, and practically speaking, ways your company can develop risk appetite statements for guiding decision-making.
Until then…
How does your company develop and harness risk appetite? Is it a valuable decision-making tool or is it simply about checking a box?
I’m interested in hearing your thoughts on this dynamic subject, so please join the conversation on LinkedIn.
