Risk appetite is a critical component of your Enterprise Risk Management Framework. From supporting the ability to provide management and boards with assurance, to helping make better decisions, risk appetite should be a tool used every day, not a document that collects dust on the boardroom shelf.
"Would you rather?" is a party game that poses dilemmas by asking questions starting with "would you rather?". As an example:
Would you rather be 10 minutes late or 20 minutes early?
This simple game illustrates the principles of risk appetite and risk/reward decision-making.
A commonly used decision-making technique poses the questions:
This is the first decision-making “gate”. It involves making an assessment as to the level of risk involved in each alternative choice and comparing those to your personal risk appetite. This requires the identification of the risks and related impacts for each alternative. For example:
Applying your personal risk appetite, you need to ask:
Is that risk outside, or within, my risk appetite?
Personally, the risk relating to being late is outside of my risk appetite while the risk relating to being early is within my risk appetite. The choice for me is therefore easy as I “can’t” do the one that is outside of appetite (being 10 minutes late), but I can accept being 20 minutes early. Related article: Risk Appetite - Inherent and Residual?
Where both alternatives are within appetite, you need to move to decision gate two – Should I?
The “Should I?” test involves weighing up the benefits/costs with the level of risk. Where the net benefits/costs outweigh the risk, you should do it, where they do not, you should not.
For example, if both alternatives are within appetite, you would then bring in the time cost. Being 20 minutes early costs you 20 minutes of your time, 10 minutes late, provides you with an extra 10 minutes. You then compare these different time costs/benefits against your assessment of the related risks and select the one which has the best benefit/cost to risk ratio.
Where the game becomes interesting is where both alternatives are outside of appetite. The resulting stress and discomfort of the person being forced to select is obvious. In business, we should be rejecting both alternatives!
Risk appetite plays a crucial role in the correct governance and operations of a successful organisation. In addition to Risk Appetite being used for decision making as outlined above, it should also be used to provide assurance (or lack thereof) to executive management and boards regarding the level of risk within the organisation.
Risk appetite explicitly sets the boundaries within which our people have freedom to:
Often these boundaries have developed over time from the bottom up, driven by the personal risk appetites of the various staff who have passed through the role. This is dangerous as it may not reflect the desired risk appetite of the organisation.
It is therefore critical that risk appetite is set from the top-down. It should be set by the executive and board but be specifically “owned” by the board.
A well-articulated and operationalised risk appetite is a critical component of a robust enterprise risk management framework. Do you have one?
Risk appetite is an enabler, providing a "pool" of risk to be used to create value. It helps identify excessive risk-taking and also where not enough risk is being taken. Watch the webinar recording on this important topic.
Get the latest thought leadership on risk, compliance, health and safety and internal audit industry trends, challenges, methodologies, and insights. You will receive notifications directly in your inbox once a month.
