The setting of an organisation's risk 'appetite' is a critical component of a robust risk management framework.
The appetite should be the articulation of the board's desire or willingness to take on or retain risk using measurable factors. It should directly assist the risk and control self-assessment and key risk indicator processes in grouping risks into zones, such as red, amber and green, which then lead to either risk acceptance or required action.
Many organisations, however, have not formally articulated their risk appetite, and many of those that have phrase their appetite in vague, subjective ways, such as low or medium, that do not lend themselves to practical use in risk evaluation.
There are a number of definitions of risk appetite. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organisation is prepared to pursue, retain or take". In a literal sense, defining your appetite means defining how "hungry" you are for risk.
Applying this concept to risks that provide a direct upside opportunity, such as market risk (the risk of profit or loss from a movement in market rates such as interest rates or foreign exchange rates), makes sense. You may be hungry to pursue, retain or take market risk with the objective of profiting directly from that risk. In this instance, the setting of an appetite can be articulated by setting a maximum risk limit such as interest rate sensitivity or value at risk.
However, for risks that only possess a direct downside such as operational risk (the risk of loss through failed systems, failed or inadequate processes or external events) the literal interpretation of "appetite" makes little sense. If you ask someone if they are "hungry" for operational risks, such as human error, they will say "no", implying a zero appetite.
Unfortunately, these downside risks are a part of doing business, and we realise that in order to pursue business we need to be able to tolerate a certain level of risk, as the cost of elimination may be uneconomic. As a result, we tend to use the term "appetite" for risks that have a direct upside, such as market risk, and "tolerance" for risks that only have a direct downside.
The Board of Directors are responsible for setting an organisation's risk appetite. The FRC - Guidance on Board Effectiveness Paper states that "the Board determines the nature, and extent, of the significant risks the company is willing to embrace." In practice, the process is usually a collaboration between Board and management, but it is essential that the Board owns, and has responsibility for, the risk appetite.
"The degree of Risk that the organisation is prepared to accept in pursuit of its strategic objectives and business plan"
APRA: CPS 220, Risk Management Standard
There is no one method to articulate and set risk appetite. The method used should, however, be owned by the Board and reflect the collective informed views of the Board.
The risk appetite should be articulated in measurable terms. The use of subjective measures such as High, Medium and Low is not adequate, as these measures mean different things to different people. We suggest that, firstly, an overall appetite/tolerance for total risk should be articulated in terms of acceptable variance in the organisation's objectives/budgets.
For example, this might say that the company is willing to tolerate a minimum return on capital of 4% against a budget of 10%. The next step is to determine the risk categories for which an appetite will be set. This should cover all material risks.
A separate risk category will be required when either.
The next step is to determine the measurement factors for each risk that will be used to articulate the appetite. Each risk may require multiple measurement factors in order to adequately cover the risk.
For example, if we were a financial institution setting the risk appetite for credit risk, the measurement factors may be:
As another example, for many operational risks we would ordinarily use a combination of the risk and control assessment and key risk indicators to measure risks.
This would lead to the measurement factors being the likelihood and consequence scales used in the risk assessment as well as the key risk indicators used to track that risk.
The results of the risk appetite process should be documented in the Risk Appetite Statement (RAS), covering each risk category for which an appetite is set, together with the measurement factors used to monitor the appetite. The appetite should then be reflected in the risk management policies, used in risk evaluation and form the basis of Board reporting.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht's clients. David is the driving force in driving Protecht's risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.