Can you imagine what driving would be like without marked lanes and guardrails?
It is entirely reasonable to expect not just chaos, but life-threatening danger.
Guardrails, lanes, minimum and maximum speed limits, you name it (yes, slowpokes can be dangerous too!) – all of these are there to ensure both order and safety on the road. Without them, drivers would act according to their own preferences. Some would go slower, some extremely fast, and some would swerve into other people’s lanes while playing with their phones. (Wait, that happens now!) But others may even miss a curve and drive off the road and into a ditch or someone’s front yard.
This part of everyday life is a near-perfect analogy of a topic many companies and ERM practitioners struggle with – risk appetite.
It’s easy to see why when reading different thought leaders and resources on the subject. Not only are there strong disagreements on the value of risk appetite, but there are also wildly different definitions of it.
Therefore, this article is meant to provide you, the risk practitioner, with a basic understanding of risk appetite, so you can help your company leaders and managers harness it for decision-making.
My goal is to show that risk appetite doesn’t have to be complicated and that, when used properly, it can be a valuable tool for ensuring everyone is staying within acceptable bounds and working from the same page.
Continue reading for 7 questions that cover the fundamentals of risk appetite, including one approach that can be tailored to your organization.
Question #1: What is the best way to define risk appetite?
Part of what makes risk appetite such a challenge is that there are so many different definitions of it. Even the two primary risk management standards, ISO 31000 and COSO, define it differently, according to now-retired risk leader Hans Læssøe.
It’s not that either definition is bad. Rather, the challenge lies in practical application.
However, we have to start somewhere. For the purposes of our article, the most succinct definition comes from Basil Aldagen via Tim Leech, who explains risk appetite as:
“…how much risk can be taken in pursuit of objectives.”
Expanding on this further, and in keeping with my traffic analogy from the intro, Gartner explains how risk appetite:
…creates a set of guardrails for managers to operate within when making strategic decisions. It also provides a tool for communicating the role of guardrails in the decision-making process and for confirming that individual parts of the business are independently and collectively operating within those guardrails.
These guardrails, or guiding principles if you will, enable company leaders and business managers to make decisions about tradeoffs.
This concept is not about a single point for a single risk, but about establishing an overall or overarching risk appetite for broad categories and objectives.
It’s a bird’s-eye, 33,000-foot view that sets the tone and culture around risk taking.
Individual risks and associated metrics are handled under what is known as risk tolerance, but that will be covered in a separate article.
Question #2: How does risk appetite help company leaders and middle managers improve decisions?
Without guiding principles or guardrails set forth as risk appetite, decisions for everything from strategic goals to initiatives would be scattered and chaotic.
Everyone in the organization has their own personal perspectives about risk. Some are willing to take more risks in pursuit of a goal, while others are more risk averse.
Either extreme can be dangerous in a variety of ways.
And neither is focused on what is right for the company.
When developed and communicated properly, risk appetite helps clear the bias that will quickly set in without agreed-upon guardrails.
Risk appetite also helps managers and employees know what is acceptable, what is not, and when something needs to be escalated.
By extension, it also helps foster a risk-aware culture in the organization, or as explained in the book Strategic Risk Management – New Tools for Competitive Advantage in an Uncertain Age:
A clear notion of risk appetite often contained in a formal statement nurtures a healthy appreciation of and respect for incorporating risk into decision-making.
Similar to a road with no lanes, guardrails, or speed limits, decision-making without a well-formulated risk appetite will only create chaos and even the demise of the company in some cases.
Question #3: How does risk appetite help a company create a competitive advantage?
The benefits mentioned in the previous question could easily apply to this one as well. Addressing biases and building a risk-aware culture around decisions throughout the organization are half the battle.
However, it’s not the statements themselves that are valuable, but the conversation that they prompt among leaders.
When company leaders come together to discuss risk appetite, it forces alignment that would otherwise not be there. It ensures everyone, meaning leaders, is working from the same playbook, something that is critical when charting the company’s long-term strategy.
Also, think of the meetings that are avoided because of the guardrails. Instead of constantly putting out fires after a decision outside of those guardrails, leaders can focus on the value-add discussions that move the company forward.
When meetings are not needed for decision-making, because leaders already know what is acceptable and unacceptable for the company, progress is made faster, smoother, and with less re-work.
In the end, hope is not a strategy for creating competitive advantage in a turbulent, uncertain world.
Risk appetite is one tool that enables sound strategic decisions and balances them against scarce resources.
Question #4: How has the concept of risk appetite changed over time?
Like so many things, including ERM, the concept of risk appetite has changed tremendously over the years.
One huge change is the focus or primary motivation.
In past years, risk appetite was very risk-centric. Like ERM in general, the main thrust of establishing risk appetite was to ensure the company did not take too much risk.
In short, any ‘statements’ were either based around vague risk lists with the main goal being failure prevention OR attempted to be a single statement of risk preference for the company. Talk about not being helpful! There is necessary nuance within decision-making that could never be captured in a 1-2 sentence statement on risk.
In some industries, mostly financial, some elements of risk appetite have been and still are defined by regulators, lenders, banks, and other external bodies.
Over time, but especially in the last five years, there’s been an increasing number of thought leaders like Tim Leech and me 🙂 urging companies to connect risk appetite with top strategic and business objectives.
Instead of a static statement that’s updated once a year, there’s an ever-growing consensus that an objective-centric approach is the key to making risk appetite a valuable tool and is the glue that holds strategy and risk together!
Another difference is where risk appetite lies within the ERM process. Before, it would be a component of analyzing individual risks.
While ERM can help company leaders create and disseminate risk appetite, it should no longer be considered a part of the ERM process, but rather a tool for guiding high-level decisions.
The last key difference has to do with how we define risk appetite. In this article by Hans Læssøe, risk appetite focused on levels of risk being a limit of what was inconsequential.
However, as I explain in question #1, a more workable definition of risk appetite is that it’s a collection of statements for a broad range of categories and/or objectives.
Question #5: Why is there such an array of perspectives on risk appetite?
If you browse different commentary on risk appetite, it won’t take long for you to discover the range of opinions out there.
These various perspectives range from risk appetite being useless and even dangerous all the way to it being an invaluable resource for leaders…but this wide range contributes to confusion around the subject.
In my experience, one of the main reasons some say it’s useless is because they’ve only seen it badly executed.
If the purpose is poorly communicated or poorly facilitated, people will simply apply their own preferences (i.e., risk averse, risk-taking, and everything in between). Chaos will ensue, resulting in either bad decisions or the “bad” risk appetite not being used, thus contributing to the negative perception many have about it.
Also, simply having risk appetite statements based on generic high/low statements with no connection to objectives / company performance contributes to the perception that it’s more of a “check the box” activity rather than a valuable tool for guiding decision-making.
After all, our perspectives about a given subject will be based on our personal experience and knowledge of the subject at hand.
Risk appetite is no different.
To learn more about the differing perspectives on this subject, check out a previously published article, Risk Appetite: Bridging the Gap Between the Two Extremes.
Question #6: What are some of the challenges to making risk appetite useful?
There are many reasons I could cite for why companies struggle with risk appetite.
One of the main reasons – if it’s a static statement that’s only updated once a year with a top-risk list, it certainly won’t be useful for much outside of ticking a box. Only having a single, corporate-wide statement is way too high-level for it to be useful for decision-making.
Relying on risk terminology is another major reason companies struggle with risk appetite.
Executives and business managers are focused on running the company. They know the industry, the business, and the main drivers of value (i.e., what keeps the lights on). Throwing new nomenclature into their lap turns the effective use of risk appetite into a challenge.
As a consequence, communication is another challenge frequently faced by companies.
Without clear communication from top leaders as to the intent of risk appetite and how managers and even employees can and should use it, risk appetite will mean nothing and will therefore amount to nothing.
The last reason is a common trap for companies. I’ve mentioned in the past how ERM is very organization-specific, and risk appetite is no different. Trying to copy/paste what other organizations do, even if they’re in the same industry, will not yield any risk appetite statements that are useful.
When it’s all said and done though, the reason why many companies fail to benefit from risk appetite is because they make it way more complicated than it needs to be.
Question #7: How can my company set up and use risk appetite?
Where the rubber meets the road, as the saying goes.
Conceptualizing risk appetite is straightforward. It’s basically a set of guardrails or guiding principles on which risks are acceptable and which ones are not acceptable to take in pursuit of objectives (see question #1 for more).
The real challenge lies in execution.
We’ve all heard the saying “making a mountain out of a molehill.” Many companies unfortunately do this with risk appetite, with the result being frustration on the part of executives and business managers.
Below is one ‘structure’ for risk appetite many companies have found workable and usable.
Let’s use a cake to visualize how this will work.
Why?
Because while the fundamentals of the cake may stay the same, the contents will vary from one company to the next, even if they’re in the same industry!
A real cake will have the same structure, but its filling will vary. Is it chocolate, vanilla, or something else? What kind of frosting—buttercream (yum) or fondant? Any other add-ons like pecans, chocolate chips, or blueberries?
Below is a visual representation of this two-layer cake approach to risk appetite.

As you can see, the foundation or 1st layer is all about strategic or business objectives. Some companies may refer to these as priorities or goals, or there may be some other terminology that fits your organization.
Regardless of the terms you use, the important thing to remember is that objectives are the foundation or well-spring from which risk appetite flows. Achieving objectives is what company leaders care about, so anything that doesn’t help them do this will be seen as a nuisance at best.
These objectives, especially strategic objectives, can change over time.
The 2nd layer of the cake is smaller, tighter, getting more specific.
This is where different risk categories come into play. Examples include financial, operational, legal and compliance, and more.
These categories are part of the ERM practices and should be used in other places, such as analysis and reporting. There can be some changes to the risk categories over time, but they tend to remain static until the business of the company changes dramatically.
Each of these categories is where company leaders can specify what is acceptable, what is non-acceptable, and what is non-negotiable.
If there’s a goal of expanding a market into a new territory, a risk appetite statement around ‘financial’ could look something like: “We are willing to take 1 year of losses in pursuit of our goal to expand into a new territory. Any losses beyond one year should be escalated to upper management.”
A statement like this provides a concrete guardrail or guiding principle for the business to work within as they pursue this goal.
Risk appetite is one of those ERM components that should be simple, but it’s not easy.
In fact, I would say that it’s easy to make risk appetite more complicated than it needs to be.
An approach like this one can keep things simple while providing useful insights for business managers and support staff to work with.
The key is to keep your audience in mind. Clearly articulate the purpose of risk appetite and how they are supposed to use it.
It’s entirely possible to have the best structure and statements, but if managers and staff are not clear on what they’re supposed to do, it won’t be effective.
Whew! There’s so much more I could get into for this topic, but the above questions should provide you and leaders with a clear idea of how risk appetite can be harnessed to better ensure the company achieves its objectives.
With that said, if risk appetite has been a struggle for your company, I encourage you to keep trying. Run a pilot around a specific objective to iron out any hiccups and always be thinking about your client (the business leaders) instead of focusing on “I need to get this ERM thing done no matter what it takes”…
Motive and intent matter.
How does your company develop and harness risk appetite? Is it a valuable decision-making tool or is it simply about checking a box?
I’m interested in hearing your thoughts on this dynamic subject, so please join the conversation on LinkedIn.