Risk Appetite Driven Decision Making

"Would you rather?" is a party game that poses dilemmas by asking questions starting with "would you rather?". As an example:

Would you rather be 10 minutes late or 20 minutes early?

This simple game illustrates the principles of risk appetite and risk/reward decision-making.

A commonly used decision-making technique poses the questions:

  1. Can I?
  2. Should I?

Can I?

This is the first decision-making “gate”. It involves making an assessment as to the level of risk involved in each alternative choice and comparing those to your personal risk appetite. This requires the identification of the risks and related impacts for each alternative. For example:

  • one risk of being 10 minutes late might be the risk of upsetting whoever you are meeting, leading to your reputation being damaged.
  • one risk of being 20 minutes early may be the lost opportunity of being able to do something else in that time.

Applying your personal risk appetite, you need to ask:

Is that risk outside, or within, my risk appetite?

Personally, the risk relating to being late is outside of my risk appetite while the risk relating to being early is within my risk appetite. The choice for me is therefore easy as I “can’t” do the one that is outside of appetite (being 10 minutes late), but I can accept being 20 minutes early.

Related article: Risk Appetite - Inherent and Residual?

Should I?

Where both alternatives are within appetite, you need to move to decision gate two – Should I?

The “Should I?” test involves weighing up the benefits/costs against the level of risk. Where the net benefits/costs outweigh the risk, you should do it; where they do not, you should not.

For example, if both alternatives are within appetite, you would then bring in the time cost. Being 20 minutes early costs you 20 minutes of your time; being 10 minutes late provides you with an extra 10 minutes. You then compare these different time costs/benefits against your assessment of the related risks and select the one which has the best benefit/cost to risk ratio.

Where the game becomes interesting is where both alternatives are outside of appetite. The resulting stress and discomfort of the person being forced to select is obvious. In business, we should be rejecting both alternatives!

The role of risk appetite

Risk appetite plays a crucial role in the correct governance and operations of a successful organisation. In addition to being used for decision making as outlined above, risk appetite should also be used to provide assurance (or lack thereof) to executive management and boards regarding the level of risk within the organisation.

Risk appetite explicitly sets the boundaries within which our people have freedom to:

  • Take risks
  • Undertake activities
  • Fail
  • Make decisions

Often these boundaries have developed over time from the bottom up, driven by the personal risk appetites of the various staff who have passed through the role. This is dangerous as it may not reflect the desired risk appetite of the organisation.

It is therefore critical that risk appetite is set from the top-down. It should be set by the executive and board but be specifically “owned” by the board.

A well-articulated and operationalised risk appetite is a critical component of a robust enterprise risk management framework. Do you have one?

Want to learn more?

Risk appetite is an enabler, providing a "pool" of risk to be used to create value. It helps identify excessive risk-taking and also where not enough risk is being taken. Watch the webinar recording on this important topic.



About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force in taking Protecht’s risk thinking to the frontiers of what is possible in risk management and in supporting the uplift of people risk capability through training and content.