Published on August 26, 2024
Risk management is not a one-size-fits-all practice. Multiple factors could affect a business's operations, and so we need to understand the language used in discussion of them.
Risk appetite is one such expression often used in enterprise risk management that needs to be understood throughout the business. While risk officers will fully understand this term, other executives and employees should also familiarise themselves with it and the related terms discussed below.
ISO 31073 defines risk appetite as the "amount and type of risk that an organisation is willing to pursue or retain".
Every business will have its own level of risk that it deems to be acceptable. This can be decided by a number of different factors. Some industries are considered to be more risk-friendly than others, while others will prefer a more stable and risk-averse strategy. Nor is this purely an industry-specific factor.
Research shows that countries like the USA that promote a greater sense of individualism also tend to take more corporate risks. We also have to consider other factors, such as global supply chains, natural disasters, and more. There is no single factor that creates an organisation's risk appetite or wider risk management framework. Due to this, defining risk appetite for an individual organisation should be handled internally so that strategic objectives and key risk indicators can be considered and appropriate thresholds are created.
Risk appetite and risk tolerance are often mentioned together, and on paper they might look very similar since both deal with the amount of risk a company can handle. However, they are fundamentally different.
Risk appetite involves setting the overall approach to risk that a company may wish to follow. Risk tolerance narrows that view and sets specific barriers that dictate how much risk a company is willing to accept. Risk appetite should provide clear boundaries, while risk tolerance offers a little more flexibility and freedom.
Let's bring some examples in to make things clearer:
A financial institution may decide that it is willing to accept a certain level of risk in its investment portfolio to achieve higher returns. This might include investing in high-risk, high-reward assets up to a certain percentage of the total portfolio. For instance, the bank might decide that it is comfortable with up to 10% of its portfolio being invested in emerging markets, even though these markets are more volatile.
That same financial organisation may have an appetite for high returns, but its tolerance for losses might be much lower. The bank might set a tolerance level that states it will not accept a loss greater than 5% in any given quarter from its high-risk investments. This means that if losses approach this threshold, corrective actions must be taken to mitigate further risk.
A risk appetite statement is a document in which a company lays out its understanding of how much risk it is willing to take on. It may also detail unacceptable risks and the behaviours or protocols that might lead to encountering these risks. Completing this exercise is important for several reasons:
Employees are more aligned with the overall risk strategy of the organisation. This then helps to inform important decision-making throughout the company. An organisation more comfortable with risk will be more inclined to choose business objectives that carry a high level of risk, while those who are more risk-averse can focus on maintaining what they already have.
Enterprise risk management implementation only works if it is consistent across all departments. A risk appetite statement works to standardise risk-taking across all staff. If one department wants to push ahead with an action that might expose the company to risk that would affect everyone, it can cause an imbalance and risks that other departments are not prepared to deal with.
By clearly defining an acceptable level of risk, the company will have a clear boundary regarding their risk framework and what they can handle. The organisation at large can then avoid taking on too much risk which could negatively affect business outcomes, lead to significant losses, or potentially even threaten the survival of the company.
Effective risk management can take repeated analysis and adjustment. Since risk varies so much even between two companies operating within the same industry, it can be difficult to dictate the steps to take to adequately set an appetite and reduce overall risk exposure.
The Institute of Risk Management has created guidance to help ensure a company correctly defines risk tolerance and appetite, but this must be an internal operation as officers and executives in the company are the ones best positioned to see the full extent of the company's needs.
In summary, the risk appetite statement should cover these key phases:
Designing a risk appetite will often be done in the context of the existing risk capacity of the organisation. This can extend beyond financial strength, and can also include factors such as organisational reputation, political climate, and more.
The company's wider risk management framework should also be included here to ensure that it fits within the newly defined risk appetite. It is also important to remember that a company might have multiple risk appetites they need to define. If a company operates internationally, they may have a risk appetite for one market that is very different from another. They may also have to work alongside a third party, creating risks that wouldn't be present within their usual operations.
Constructing a risk appetite can be described as stretching across three levels: strategic, tactical, and project/operational. At a strategic level, focus is placed on those risks which a company has comparative advantage in managing compared to others. The organisation will also need to decide the types of risk it wishes to actively protect itself from.
Tactical risk management sees a balance created between exercising restraint and control and risk-taking behaviours. Every individual department needs to also have its own project or operational level of risk. Some departments inherently take more risks, and the company's overall risk appetite needs to give them the flexibility to do so.
Implementing a risk appetite statement requires a revision and analysis of all the work done thus far, followed by sign-off by the board and any relevant external stakeholders. Implementation will most likely be the stage that takes the most time, as it not only has to be rolled out to all staff but extra care needs to be taken to ensure they fully understand it.
Once established, the risk appetite statement needs to be continually governed, revisited, and reassessed. If you feel like the current process requires revision, or if new guidance comes out that requires you to change the organisation's risk appetite, the change process must begin as soon as possible.
Risk management keeps organisations in business. With a good strategy in place, a business should be able to navigate any risks that come its way. C2 Meridian is a comprehensive software platform that places all risk management documentation and strategy in one location.
Set up customisable risk frameworks and streamline your overall approach to risk management. This is a critical area of business that companies must be vigilant about at every level.
Streamline your approach to risk management and always stay compliant with C2 Meridian. Book a demo with us today and get ready to overhaul risk strategy in your organisation.
Chief Operating Officer at Continuity2
As a proud COO of Continuity2, Lisa strives to provide intuitive and innovative solutions for the Business Resilience market and reshape the industry as we know it today. Lisa has been in the industry for more than 10 years, helping clients achieve their Business Continuity and Resilience objectives for continuous growth and success.