The setting of an organisation's risk ‘appetite' is a critical component of a robust risk management framework.
This article addresses:
- What does risk appetite mean and who should set it?
- How should risk appetite be articulated and how can it be set?
The appetite should be the articulation of the board's desire or willingness to take on or retain risk using measurable factors. It should directly assist in the risk and control self assessment and key risk indicator processes to group risks into zones, such as red, amber and green which then leads to either risk acceptance or action required.
Many organisations however, have not formally articulated their risk appetite and many of those that have, phrase their appetite in vague subjective ways, such as low or medium, that do not lend themselves to practical use in risk evaluation. Learn more about Protecht's Enterprise Risk Management System.
What does risk appetite mean and who should set it?
There are a number of definitions of risk appetite. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organization is prepared to pursue, retain or take". In a literal sense, defining your appetite means defining how "hungry" you are for risk.
Applying this concept to risks that provide a direct upside opportunity, such as market risk (the risk of profit or loss from a movement in market rates such as interest rates or foreign exchange rates), makes sense. You may be hungry to pursue, retain or take market risk with the objective of profiting directly from that risk. In this instance, the setting of an appetite can be articulated by setting a maximum risk limit such as interest rate sensitivity or value at risk.
However, for risks that only possess a direct downside such as operational risk (the risk of loss through failed systems, failed or inadequate processes or external events) the literal interpretation of "appetite" makes little sense. If you ask someone if they are "hungry" for operational risks, such as human error, they will say "no", implying a zero appetite.
Unfortunately, these downside risks are a part of doing business and we realise that in order to pursue business, we need to be able to tolerate a certain level of risk as the cost of elimination maybe uneconomic. As a result, we tend to use the term "appetite" for risks that have a direct upside, such as market risk and "tolerance" for risks that only have a direct downside.
The Board of Directors are responsible for setting an organisation's risk appetite. The FRC - Guidance on Board Effectiveness Paper states that "the Board determines the nature, and extent, of the significant risks the company is willing to embrace." In practice, the process is usually collaboration between Board and management but it is essential that the Board owns, and has responsibility for, the risk appetite.
How should risk appetite be articulated and set?
There is no one method to articulate and set risk appetite. The method used should however be owned by the Board and reflect the collective informed views of the Board.
The risk appetite should be articulated in measurable terms. The use of subjective measures such as High, Medium and Low are not adequate as these measures mean different things to different people. We suggest that firstly an overall appetite/tolerance for total risk should be articulated in terms of acceptable variance in the organisation's objectives/budgets.
For example, this might say that the company is willing to tolerate a minimum return on capital of 4% against a budget of 10%. The next step is to determine the risk categories for which an appetite will be set. This should cover all material risks.
A separate risk category will be required when either.
- The measurement factor(s) for each risk is different; or
- The level of appetite for each risk is different.
The next step is to determine the measurement factors for each risk that will be used to articulate the appetite. Each risk may require multiple measurement factors in order to adequately cover the risk.
For example, if we were a financial institution setting the risk appetite for credit risk, the measurement factors may be:
- The maximum level of lending concentration in any one industry
- The level of arrears
- The level of lending concentration in any geographic location
As another example, for many operational risks we would ordinarily use a combination of the risk and control assessment and key risk indicators to measure risks.
This would lead to the measurement factors being the likelihood and consequence scales used in the risk assessment as well as the key risk indicators used to track that risk.
The results of the risk appetite process should be documented in the Risk Appetite Statement (RAS), covering each risk category for which an appetite is set, together with the measurement factors used to monitor the appetite. The appetite should then be reflected in the risk management policies, used in risk evaluation and form the basis of Board reporting.
Risk Appetite - how hungry are you for risk?