Determining the risk appetite for your business is critical to organizational success. Risk appetite is what gives senior management the necessary guardrails in managing risk exposure from the top-down.

The challenge, however, is that the definition of “risk appetite” is much debated among company leaders. Vague and often conflicting definitions make it extremely difficult to come to a consensus to even begin to assess an organization’s risk appetite, let alone communicate it.

To help quell this confusion, here is a clear-cut definition and an explanation of how to connect it with your organization’s enterprise risk management program and overall strategy.

What Is Risk Appetite?

Risk appetite is the amount of risk an organization is willing to accept in pursuit of strategic objectives. In simpler terms, it’s the amount of risk you’re willing to live with and how much risk you will need to manage while going after your company goals.

An organization with a higher risk appetite is willing to take on greater uncertainty in exchange for the potential for greater growth. An organization with a lower risk appetite, on the other hand, is willing to sacrifice some growth for more stability.

Regulatory and legal requirements can also become a factor. Financial services organizations, for instance, must stay within the risk boundaries set by regulators. Healthcare organizations must consider regulations, as well as patient-safety priorities, when determining their risk appetite.

Risk appetite answers the question, “What risks are we willing to take, and what are the benefits of taking these risks?

As an analogy, imagine two people in a canoe rowing down a river. One rower may row faster while the other rows slower. One may want to avoid a rapid while the other may want to go full speed ahead. Without proper planning and communication, the rowers may find themselves moving in circles or, worse, heading straight towards a disaster.

Risk appetite allows organizations to function less like two amateur rowers and more like a highly focused rowing team. In this scenario, everyone is perfectly coordinated and understands their goal and what they are willing to do to accomplish it.

Why Is It Important to Define Risk Appetite?

Every organization is made up of people, and every individual has their own way of evaluating and responding to risk. These different perceptions vary by function as well. The senior management in one department may be very risk-averse, while those in other departments may be highly risk-tolerant.

With a well-defined risk-appetite statement, you can provide clear guardrails for all functional areas, so everyone is on the same page. This results in:

  • Better management and understanding of risk exposure
  • More informed, risk-based decisions
  • Smarter allocation of resources based on risk/benefit trade-offs
  • Improved transparency for stakeholders, investors, regulators, and credit-rating agencies

In short, every decision-maker knows what actions they need to take to accomplish an objective while remaining within the established risk tolerances. For example, if a brand’s contact center notices a spike in employee absences, the manager will know when to shift schedules and teams around to prevent a hit to performance metrics. Another example is if a technology system fails, IT will know how many hours they have to fix it before the outage begins severely affecting customer or revenue.

How to Connect Risk Appetite with Strategy

The development of risk appetite should match strategy and business plans; otherwise, opinions on strategy and risk appetite may conflict. To be successful, organizations need to take a strategy-driven approach to risk appetite, defining it relative to your organization’s mission, vision, values, and strategic objectives. Consider:

  • The possibility of an objective not aligning to mission and vision
  • Implications from the strategy chosen
  • Risk strategy and performance

Work with senior leadership and board members to drill deep into the drivers of your risk appetite relative to your objectives. Ask questions like:

  • What is the nature of the objective? Is the objective about avoidance or acceptance of risk?
  • What is our tolerance for volatility? How would we react if key performance indicators related to the objective frequently jumped around?
  • What is the priority of the objective? How does it rank in importance to achieving our mission and vision?
  • What are we willing to trade off against other objectives? If the objective is in direct conflict with different goals, how do we want decision-makers to behave?
  • Do we accept the possibility of failure? If we fail to meet the objective, how can we turn it into a success (lessons learned, innovation, other progress, etc.)

From there, you can connect your risk appetite to specific risks, objectives, and strategies.

Include any risks that jeopardize the organization’s ability to achieve its objectives, as well as strategies for dealing with them. A qualitative view of tolerance gives teams a measurable way to approach these objectives. One way to start the discussion is through a matrix similar to this:

Name Philosophy Tolerance for
Uncertainty
Choice Trade-Off
5 Open Will take justified risks Fully anticipated Will choose option with highest return; accept possibility of failure Willing
4 Flexible Will take strongly justified risks Expect some Will choose to put at risk but will manage impact Willing under right conditions
3 Cautious Preference for safe delivery Limited Will accept limited and heavily outweighed by benefits Prefer to avoid
2 Minimalist Extremely conservative Low Will accept only if essential and limited to possibility/extent of failure With extreme reluctance
1 Averse “Sacred” — Avoidance of risk is core objective Extremely low Lowest risk option always Never

One of the most significant benefits of this approach is the transparency that comes out of communicating risk appetite. By provoking a strategic discussion and communication among stakeholders and management, the company culture can begin to shift, and you can start closing the gaps between your leadership’s target behavior and actions.

Where Technology Can Help

Where Technology Can HelpEven after your initial risk appetite statement is defined, you aren’t finished. Risk appetite is not static; it varies over time. Organizations should continue to evaluate risk appetite against current circumstances, resources, skills, and technologies, or systems. To be effective, risk appetite must be more than a policy statement. It must be fully integrated into the process of managing risk exposure – and that takes the right technology.

Advanced risk management software can make documenting and monitoring risk appetite easier, faster, and more cost-effective. Integrated risk management software collects all risk-related information in one place, which gives leaders and risk professionals one source of truth to see risk impacts and evaluate actions in terms of the organization’s overall risk appetite.

With today’s integrated risk management technology, risk managers can assign ownership to risks, which keeps decision-makers accountable. When risk appetite has been exceeded, the system can anticipate and address issues that drive behavioral change and communication across the organization.

And with a 360-degree view, you can visualize where risks intersect and their collective impact on the organization.

Organizations need to take risks to succeed. But risk can’t go unchecked. Setting up risk appetite is a critical element of decision-making, strategic planning, and corporate governance. Determining appetite requires a strategy-driven approach that involves deep discussions with management, board members, and stakeholders. The right technology can help you find and maintain the right balance between risk and reward. You’ll be able to satisfy your risk appetite without the fear of overindulging.

For more on how integrated technology can help apply risk appetite, download our e-book, Conquering the New World of Risk with Integrated Risk Management, and check out Riskonnect’s Integrated Risk Management solutions.