Determining the risk appetite for your business is critical to organizational success. Risk appetite is what gives senior management the necessary guardrails in managing risk exposure from the top-down.
The challenge, however, is that the definition of “risk appetite” is much debated among company leaders. Vague and often conflicting definitions make it extremely difficult to come to a consensus to even begin to assess an organization’s risk appetite, let alone communicate it.
To help quell this confusion, here is a clear-cut definition of risk appetite and how to connect it with your organization’s strategy.
What Is Risk Appetite?
Risk appetite is the amount of risk an organization is willing to accept in pursuit of strategic objectives. In simpler terms, it’s the amount of risk you’re willing to live with and how much risk you will need to manage while going after your company goals.
An organization with a higher risk appetite is willing to take on greater uncertainty in exchange for the potential for greater growth. An organization with a lower risk appetite, on the other hand, is willing to sacrifice some growth for more stability.
Regulatory and legal requirements can also factor into an organization’s risk appetite. Financial services organizations, for instance, must stay within the risk boundaries set by regulators. Healthcare organizations must consider regulations, as well as patient-safety priorities, when determining their risk appetite.
A good analogy is to think of two people in a canoe rowing down a river. One rower may row faster while the other rows slower. One may want to avoid a rapid while the other may want to go full speed ahead. Without proper planning and communication, the rowers may find themselves moving in circles or, worse, heading straight towards a disaster.
Risk appetite allows organizations to function less like two amateur rowers and more like a highly focused rowing team. In this scenario, everyone is perfectly coordinated and understands their goal and what they are willing to do to accomplish it.
Why Is It Important to Define Risk Appetite?
Every organization is made up of people, and every individual has their own way of evaluating and responding to risk. These different perceptions vary by function as well. The senior management in one department may be very risk-averse, while those in other departments may be highly risk-tolerant.
With a well-defined risk-appetite statement, you can provide clear guardrails for all functional areas, so everyone is on the same page. This results in:
- Better management and understanding of risk exposure
- More informed, risk-based decisions
- Smarter allocation of resources based on risk/benefit trade-offs
- Improved transparency for stakeholders, investors, regulators, and credit-rating agencies
In short, every decision-maker knows what actions they need to take to accomplish an objective while remaining within the risk-appetite limit. For example, if a brand’s contact center notices a spike in employee absences, the manager will know when to shift schedules and teams around to prevent a hit to performance metrics. Another example is if a technology system fails, IT will know how many hours they have to fix it before the outage begins severely affecting customer or revenue.
How to Connect Risk Appetite with Strategy
The development of risk appetite should match strategy and business plans; otherwise, opinions on strategy and risk appetite may conflict. To be successful, organizations need to take a strategy-driven approach to risk appetite.
What this means is that you need to define risk appetite relative to your organization’s mission, vision, values, and strategic objectives. Consider:
- The possibility of an objective not aligning to mission and vision
- Implications from the strategy chosen
- Risk strategy and performance
Work with senior leadership and board members to drill deep into the drivers of your risk appetite relative to your objectives. Ask questions like:
- What is the nature of the objective? Is the objective about avoidance or acceptance of risk?
- What is our tolerance for volatility? How would we react if key performance indicators related to the objective frequently jumped around?
- What is the priority of the objective? How does it rank in importance to achieving our mission and vision?
- What are we willing to trade off against other objectives? If the objective is in direct conflict with different goals, how do we want decision-makers to behave?
- Do we accept the possibility of failure? If we fail to meet the objective, how can we turn it into a success (lessons learned, innovation, other progress, etc.)
From there, you can connect your risk appetite to specific risks, objectives, and strategies.
Include any risks that jeopardize the organization’s ability to achieve its objectives, as well as strategies for dealing with them. A qualitative view of tolerance gives teams a measurable way to approach these objectives. One way to start the discussion is through a matrix similar to this: