The concept of risk appetite is probably the most confusing and controversial part of the enterprise risk management process.
If you do a search for risk appetite, you will find a wide variety of perspectives on how to develop and use it.
While there may be an implied risk appetite or a generic statement on file somewhere in the organization, it is too often not a useful tool for knowing the right type and amount of risk decision-makers should take in pursuit of strategic objectives.
I find that an analogy is a great way for understanding subjects I’m not familiar with…
Imagine two or more people in a canoe traveling down a river…
Without any sort of coordination or planning, one person will paddle faster than another or on the wrong side of the boat, leading to a collision into the bank or at least stalled, choppy progress down the river.
This analogy illustrates what life can be like in an organization without a useful risk appetite statement. Each of us have our own personal risk appetite, so when left to our own devices, some of us will take less risk and others more risk.
On the other hand, imagine a highly focused rowing team…
Everyone on the boat is well coordinated in the speed and angle of their strokes. The boat glides across the water smoothly since everyone on board is on the same page in terms of their goal and what they need to do to accomplish it.
After some brainstorming on the topic, I determined this was the best analogy for illustrating how a risk appetite should work. As explained in this executive report from RIMS (login required), risk appetite can be a powerful tool for not just managing risk, but maintaining the right balance between risk and opportunity.
The result is a smoother journey to achieve those goals set out by executives.
Before getting more into what risk appetite is and how it is expressed, I want to stress that there is no particular risk appetite that applies to all organizations, so this article will only touch on certain areas that are very organization-specific. Just like the ERM process and practice, risk appetite has to be tailored to fit the organization.
Question 1: What is risk appetite?
At its most fundamental level, risk appetite is “the level of exposure an organization is willing to take” in pursuit of strategic objectives, according to the ISO 31000:2018 ERM standard.
Risk appetite should be used continuously, but it especially becomes important during the risk assessment and analysis phases of the process when decisions have to be made on how to handle a particular risk or opportunity.
Executives express the level of risk they’re will to take in a specific area through a risk appetite statement.
CEB/Gartner explains that a well-defined and properly communicated risk appetite statement:
…creates a set of guardrails for managers to operate within when making strategic decisions. It also provides a tool for communicating the role of guardrails in the decision-making process and for confirming that individual parts of the business are independently and collectively operating within those guardrails.
One mistake organizations commonly make is that they consider the risk appetite statement as a static policy statement or an end to itself.
However, you don’t need me to tell you the speed at which change occurs in today’s business world, which is why identifying and updating risk appetite must be ongoing.
As explained in the RIMS report listed above, it’s the conversations and commitment around risk appetite that produces value for the organization, not so much the statement itself.
Question 2: Why is having a risk appetite statement important?
Although I briefly mention the importance of the risk appetite statement earlier, let’s dive deeper into this topic now.
First off, not only do individual people have their own way of evaluating risk and rewards and taking action, but different functions within an organization will have their own perspective around risks. Some are very cautious, while others very risk taking. Without the guardrails set out in a risk appetite statement, it can be very easy for one area of the organization to be too cautions and others too aggressive.
One example of this can be found in a story shared by Hans Læssoe…
In his former role as strategic risk manager at LEGO, Hans found that the company was being way too cautious, and as a result, was at risk (no pun intended) of missing its growth targets.
Another example comes from Colleen Larson of Emergent BioSolutions, Inc.
In the interview below, Colleen explains that there was this perception that the company was risk averse, which was true in some areas like safety, but not so much in areas like market growth and mergers/acquisitions.
The end goal of developing risk appetite statements in certain areas was to encourage risk taking, or as Colleen explains it, to “…move the needle from more controlled to more creative in some areas.”
Therefore, developing a risk appetite statement in a given area ensures that decisions not only align with the company’s strategy, but also the organization’s capacity to manage risk and opportunities.
Risk appetite statements that are adaptable to changing business conditions enhance the organization’s ability to create, preserve, and realize value.
Question 3: What factors influence the risk appetite statement?
There are many factors both internally and externally that can affect an organization’s risk appetite.
Before discussing these factors though, it’s important to understand that there is no universal standard. One factor may have a tremendous influence on one organization’s risk appetite, while another has a minimal influence, and vice versa.
With that said, below are a few general examples of both internal and external factors.
- History of risk taking
- Long-term organizational objectives
- Stage in the organizational lifecycle (startup, growth, mature, declining)
- Financial stability
- Risk capacity (amount of total risk the company can absorb without failing altogether)
- Management’s willingness to take risks, or risk culture
- Market maturity
- Competition/market share
- Public image/brand
- Attitudes of stakeholders (i.e. owners, creditors, regulators, etc.)
- Possibilities for innovative or technological breakthroughs
In the end, risk appetite is a judgement call by executives and board members based on individual circumstances and goals for the organization.
Question 4: What does a risk appetite statement cover?
So far, we have been looking at the risk appetite statement as a singular unit.
While an organization can have a general risk appetite statement covering all risks at a high level, a useful risk appetite statement will focus on several areas on an individual basis. In addition to strategy, a risk appetite statement can also cover safety, compliance, operational, reputational, and other types of risk your organization deems appropriate.
As Norman Marks explains in his book World-Class Risk Management, you can establish risk appetite for each risk you want to manage individually. Combining risks should only be done when it makes sense. For example, any risks associated with a specific source can be grouped together and reviewed in totality.
The risk appetite statement for a particular area should also focus on more than impact, but also expand out to include the likelihood and other criteria like velocity, persistence, and others where appropriate.
And as Matthew Shrinkman explains in this article in Risk Management Magazine, a common problem is risk appetite statements too often use generalizations and language that do not provide managers and employees a clear understanding of how to consider risks in their roles. He goes on to explain that discussions should not focus on the level of risks executives are comfortable taking but rather on where the organization wants to go and what it needs to do to get there. After all, taking the right amount of risk of the right kind and at the right time means stepping outside of your comfort zone.
Question 5: How is a risk appetite statement expressed?
A risk appetite statement can be expressed in a variety of ways…
The most basic approach involves using general terms like “high appetite” or “low appetite.” Organizations that are just embarking on their ERM journey may opt for this to keep things simple. However, as a word of caution – most employees and management will not truly understand what those words mean. Therefore, I suggest using words that the business uses instead of “risk” terminology.
I am working with a public transit client to get them started with enterprise risk management. Below is an example of this type of risk appetite statement focusing on safety for them. (NOTE: The actual name of the organization was changed to protect its privacy.)
ABC Transit will take every reasonable step to maximize safety related to preventable risks, not taking unnecessary risks or compromising safety.
Here’s another risk appetite statement for the same organization, this time focusing on its reputation:
ABC Transit’s reputation is crucial to the success of our initiatives and services. Balancing risk with innovation, risk will be closely scrutinized to ensure minimal negative impact while maximizing the achievement of our objectives.
As an organization matures its process, these types of statements should be refined to become more precise.
Other organizations may opt to use more quantitative terms in the form of targets, ranges, ceilings, or floors.
For example, a technology company with aggressive growth goals determines that it should have a minimum of 25% of its operating budget allocated to innovation. This minimum is a great example of a “floor.”
A credit union with a lower risk appetite for loan losses may set a loss “target” of 0.50% of the overall loan portfolio.
Many organizations will express risk appetite as a single point or break it down by risk category. Organizations with a more mature ERM process may express their risk appetite statement using a continuum (lower to higher risk appetite), especially if they are communicating one risk appetite throughout the entire organization.
One organization mentioned earlier, Emergent BioSolutions, Inc., aggregates criteria together instead of corralling each appetite or area up. What they ended up with was a continuum that in essence showed the areas where the organization was risk averse (safety, ethics, integrity) and where they were more risk taking (market growth, mergers and acquisitions). By expressing their risk appetite this way, Emergent was able to create a framework for different functions to talk about risks and see which ones can be managed within the appetite while still accomplishing objectives.
Although there wasn’t a visual example given in the interview with Colleen Larson, a risk appetite statement expressed as a continuum could look like this…
The key thing to remember when expressing risk appetite is to be consistent and use language the business units will understand.
Question 6: Why is there so much debate around risk appetite?
If you have spent much time researching risk appetite, it is likely you have encountered a variety of perspectives on the matter.
Take this story on Norman Marks’ blog as an example…
In this article, he tells the story of a hard drive manufacturing company who was evaluating bids for supplying its Singapore plant with critical materials. Decision-makers had to determine the best way for procuring the highest quality materials at the lowest possible cost. Timely delivery and the ability to respond to disruptions were also important considerations.
After considering both the positive and negative consequences of each option with all affected parties, the company settled on three vendors, plus backup supply contracts with an additional two.
At the conclusion of the article, Norman asks how a risk appetite statement would have helped in this situation. He feels the answer is “none at all” since the decision affected multiple objectives and therefore multiple risks.
The ensuing discussion around this article revealed a wide range of perspectives on risk appetite.
Some believe a risk appetite statement would have helped the procurement team while others believe it to be unnecessary. Some even go as far to say that there is no need for a risk appetite statement “…at all, at any time, at any level.”
Others felt that the team making this decision had an implied risk appetite even if there was nothing formal in writing.
Experts like Hans Læssoe explain how risk appetite, even expressed informally, can be a valuable tool for taking action.
In a story he shared in the comment thread of Norman’s article, Hans had concerns about his company’s performance and how it was at risk of missing at least one, if not two, of its targets. When comparing the company’s efforts against its risk appetite, he was able to determine they were operating with a more risk averse mindset than they needed to. The company could take more risks and still be within the parameters set out in the applicable risk appetite statement.
The analogy he used to describe this situation to executives was someone running late to their wedding but only going 40 mph on the highway.
By the time it was all said and done, this story by Norman received 32 in-depth comments, which is why I highly suggest his blog for learning about the variety of perspectives out there on risk management.
The reality on the debate is risk professionals have worked in and with such a wide variety of organizations, across sectors, industries, geographies, and cultures, that we have different perspectives on the usefulness of risk appetite. My personal opinion is that risk appetite can be extremely useful as long as it is done well and avoids the four points mentioned below…
Question 7: Why do so many organizations struggle with risk appetite?
I think many organizations struggle with articulating a usable risk appetite statement for a variety of reasons, some of which I’ve already mentioned.
- Do not use language the business units understand. Managers and employees are unable to use the information to understand risks in the context of their role in the organization.
- View risk appetite as a static policy statement rather than an ongoing process. The truth is factors like market dynamics, changes in the supply chain, regulations, leadership, long-term vision, and business objectives change over time. Risk appetite must adapt to these changes to remain relevant.
- Thought to be a “check the box” activity to be able to say “done” to satisfy auditors and regulators. Once done, it gets put on a shelf (either literally or figurately) and never used again. Instead the statement itself is meant to prompt discussions and commitment that leads to value creation for the organization.
- Creating a risk appetite statement that is too formal or requires too many hoops or steps will be cast aside.
Perhaps the biggest key to having a usable risk appetite is tone at the top, which is a commonly seen problem among risk managers. If executive leadership does not take the time to clearly articulate risk appetite and disseminate it down to lower levels of the organization, it will not be a helpful tool for decision making.
In the end, there is no right or wrong way to develop risk appetite. The process is very organization-specific, which is why this article did not include any tips on how you should go about developing it. Of the two most popular risk management standards, COSO discusses risk appetite to an extent, while ISO 31000 mentions it very minimally.
The approach you take on developing risk appetite is less important than any discussions that ultimately take place.
The end goal of the risk appetite statement is to provide greater clarity to executives, the board, managers, and employees on the risks the organization wants to take on in pursuit of its objectives.
Risk appetite though isn’t the end of this road…
Specific circumstances or objectives will need boundaries set around the risk appetite that provides more detail on minimum and maximum boundaries around the risk appetite that the board is willing to accept. These boundaries give mid-level managers and other subordinates with a sense of ownership in the risk management process. (Will discuss in more detail in a future article…)
How does your organization use risk appetite to guide decisions? Have you found it to be a useful tool, or is it a static policy statement that gets cast aside?
I’m interested to hear your thoughts and experience on this complex topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
And if you are struggling to develop a usable risk appetite statement for a particular area of your organization, an outside perspective can help you get unstuck. To jumpstart your progress in this or any other area of the ERM process, visit StrategicDecisionSolutions.com for more information on how I help organizations overcome challenges and achieve success.
Featured image courtesy of Virginia State Parks via Wikimedia Commons
Receive our Weekly Blog Updates
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.