The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?

Whether you are one of those who like the term ‘risk appetite’, prefer ‘risk tolerance’, or advocate (as I do) the ISO 31000:2009 term ‘risk criteria’, this is a tough area. While regulators (including Basel III and multiple nations’ corporate governance codes) frequently require organizations to establish one, I have yet to see something that really works.

While it may be possible to establish acceptable risk levels or criteria for aggregated financial risks, how do you set such standards for reputation, strategic, compliance, political, or IT-related risks? How do you establish and then measure aggregate reputation or compliance risk across the organization? I have seen some companies set a single number, say 3% of capital, as their “risk appetite”, but how can that make sense when you are considering compliance risk? How does it help a procurement manager decide whether to use a sole source vendor of essential components, to use two and allocate each 50% of the supply, or take another approach? Surely, (a) no organization can rely on a single “risk appetite” number: you need several, each covering a different category of risk; and, (b) what counts is the ability to direct risk-takers (frontline managers) in their daily decisions as they run the business.

Attempts to solve the problem have come from:

Although each has value, none have so far met my test, which I have summarized below.

To be effective, an organization needs measures (whatever you want to call them) that allow:

  1. The board and top management to ensure that the risks taken across the organization, individually and in aggregate, are the risks they want taken. This is extraordinarily difficult when you consider the risk decisions that are taken every day as part of running the business and how they interact, with a decision in one area affecting risks and opportunities in a distant part of the organization, plus how they need to be aggregated to provide risk vision across the entire enterprise.
  2. Managers making decisions to understand not only the risks they are taking (and modifying), but whether they are the risks top management and the board want them to take. The issue here is applying top-level “risk appetite statements” to individual decisions. If this bridge cannot be crossed, then the entire exercise has limited value – other than cosmetically.

That’s the key for me. If there is no practical guidance for the frontline manager, this is all a chimera: a look-good, check-the-box practice that does not have any real effect on how risk is being managed across the organization.

What do you think?

  1. Ehtisham Syed
    August 28, 2012 at 4:11 PM

    Norman: Let me present a practical guidance for your consideration.

    Let’s suppose you are in a casino (just an example) and you have the following options:

    1. Gain $100 (100% probability)
    2. Gain $300 (75%) or lose $500 (25%)
    3. Gain $500 (50%) or lose $300 (50%)
    4. Gain $700 (25%) or lose $100 (75%)

    1. Your ability or capacity to take risk depends upon your financial circumstances.
    2. Your attitude or willingness to take risk depends upon your personality profile.

    Your objective is to maximize wealth without going bust.

    Scenario 1: If you have no money to lose or zero appetite for risk, you will select
    • Option 1 (100% gain)

    Scenario 2: If you have $76-125 only, you will play
    • Option 4, if you have high appetite
    • Option 1, if you have low/no appetite

    Scenario 3: If you have $126-150 only, you will play
    • Option 2, if you have high appetite
    • Option 4, if you have medium appetite
    • Option 1, if you have low/no appetite

    Scenario 4: If you have more than $150, you will play
    • Option 3, if you have high appetite
    • Option 2, if you have moderate appetite
    • Option 4, if you have low appetite
    • Option 1, if you have no appetite

    Also, risk appetite and tolerance are two different concepts per COSO, in a paper by Dr. Larry Rittenberg and Frank Martens.


    • Norman Marks
      August 29, 2012 at 7:47 AM

      Thank you Ehtisham for the detailed comment. It helps people understand how an individual’s risk appetite or capacity should influence their risk-taking actions. (They get into trouble when they take on more risk than they should).

      But you have over-simplified the issue. Sorry.

      First, add in all the other risks the individual is taking by visiting the casino: food poisoning, slip and fall safety risk, reputation risk if his boss sees him, major risk if his wife sees him having another lady blow on his dice, compliance risk if he says the wrong thing to that mysterious lady, missing an opportunity at work by being away, and so on.

      How do you write a risk appetite statement to cover all the risks related to being in the casino?

      Now change the scenario from a single individual to one that more closely resembles an organization. Instead of one person, think about a village or, better, the residents of a kibbutz where all the resources are shared. They are all (maybe a thousand folk of all ages) visiting the casino and are engaged in various activities in the halls, dining areas, shops, etc. Because they share resources, the actions of one may affect them all.

      How do you write a risk appetite statement for the village for their day out?

      BTW, I am well aware that COSO has distinguished risk appetite and tolerance, although it uses the latter in a strange way. They are different but related.
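A worked version of the casino example above, added here as an illustration and not part of the original comment: all four options have the same expected value ($100), so the choice is driven entirely by capacity (can the bankroll absorb the worst case?) and attitude (how much dispersion you will accept). The capacity rule and the mapping of appetite levels onto a ranking are my own assumptions and differ from the commenter's dollar thresholds.

```python
# Added example (not from the original post or comment).
# Capacity rule assumed here: an option is affordable only if the bankroll
# covers its worst-case loss. Appetite maps onto a ranking by dispersion.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    outcomes: tuple  # ((payoff, probability), ...), payoffs in dollars


# The four options from the comment above.
OPTIONS = (
    Option("1", ((100, 1.00),)),
    Option("2", ((300, 0.75), (-500, 0.25))),
    Option("3", ((500, 0.50), (-300, 0.50))),
    Option("4", ((700, 0.25), (-100, 0.75))),
)

# Assumed appetite levels, as a fraction of the way up the risk ranking.
APPETITE = {"none": 0.0, "low": 1 / 3, "medium": 2 / 3, "high": 1.0}


def expected_value(o: Option) -> float:
    return sum(p * q for p, q in o.outcomes)


def worst_case(o: Option) -> float:
    return min(p for p, _ in o.outcomes)


def std_dev(o: Option) -> float:
    ev = expected_value(o)
    return math.sqrt(sum(q * (p - ev) ** 2 for p, q in o.outcomes))


def affordable(bankroll: float, options=OPTIONS) -> list:
    """Capacity: keep only options whose worst case does not bust you."""
    return [o for o in options if bankroll + worst_case(o) > 0]


def choose(bankroll: float, appetite: str, options=OPTIONS) -> Option:
    """Rank affordable options by dispersion (tie-break: smaller worst-case
    loss first), then pick the position matching the appetite level."""
    ranked = sorted(affordable(bankroll, options),
                    key=lambda o: (round(std_dev(o), 6), -worst_case(o)))
    if not ranked:
        raise ValueError("no option is affordable at this bankroll")
    idx = round(APPETITE[appetite] * (len(ranked) - 1))
    return ranked[idx]
```

With a large bankroll the ranking is 1, 4, 2, 3, which matches Scenario 4 in the comment; with a small bankroll the higher-variance options drop out and even a "high" appetite collapses onto what capacity allows.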

  3. James
    August 30, 2012 at 6:03 AM

    I definitely agree. In most organizations risk management has to be practical or management at all levels will not embrace it. In an environment of competing priorities and packed schedules and to do lists, practical risk management approaches and processes are critical to successful adoption, implementation, and sustained value.

  4. johnlark
    August 30, 2012 at 6:35 AM

    Norman, once again you have helped us all by “calling a spade a spade” and pointing out that these concepts must achieve certain objectives such as the two you have outlined above. Your blogs continue to be thought provoking and allow us all to leverage the “hive/cloud” mind which social media represents. I continue to work with clients to achieve the goals you have identified above but it is often a difficult and perilous path.

  5. John Mogni
    August 30, 2012 at 7:45 PM

    Mr. Marks,

    I would like to propose the notion that many discussions, and at times literature, intended to provide guidance about “risk” usually end up causing people to inadvertently focus less on the dynamic nature of risk and more on quantifying risk and developing standardized guidelines and definitions. Although measures, guidelines, and terms are useful and necessary management tools, the discussions often overlook or minimize the point that risk is a perspective. As such, risks differ across different organizations and industries and also within the same ones. Managers must actively communicate and address risks regularly together as part of the governance of their organization. Consequently, risk appetite, tolerance, criteria, or whichever is the appropriate terminology, should be formed based on the perspectives that managers bring to the table.

    To be clear, I realize texts acknowledge that risk is dynamic. The point is that the course of many discussions develop a tendency toward calculations and standard approaches as a starting point.

    That being said, before managers can develop measures, guidelines, and terms appropriate for their organizations, they must openly discuss and attain a shared understanding of their different risk perspectives including the implications to their individual business units and the organization as a whole. Such perspectives are formed in large part based on managers’ understanding of their business units, organization, and industry. After a shared vision of risk is attained, it must be calibrated and validated regularly. Consequently, an organization’s “risk appetite” is also dynamic to a certain extent and must be relevant to each enterprise’s strategy and objectives, which also must adapt to meet the ever-changing business landscape.

    Before organizations jump in and attempt to establish tolerance levels or appetites, I think it would be beneficial to first attain an accurate understanding of their risk landscapes – and from whom better than their front line business managers working together to define it.

    • Norman Marks
      August 31, 2012 at 7:43 AM

      John, thank you for the excellent comment. Correct me if I am wrong, but you are making a few points – each of which I agree with:
      1. Don’t get “hung up” on semantics at the expense of getting the job done. It doesn’t really matter what you call things
      2. Reliance on ‘standards’ and ‘risk registers’ can blind you to new or changed risks
      3. Not only are risks and risk levels dynamic and volatile, but so are the levels we are willing to accept. Codifying risk appetite can bind you to what used to be the desired level
      4. Different managers and individuals have different attitudes about risk, different ideas of what are desired levels and the right risks to take. Communication and, if possible, agreement is essential
      5. Because of the inter-relationship of risk, you cannot establish acceptable criteria based on individual risk areas

      Do you agree with my interpretation?


      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist
      Better Run Business


      • John Mogni
        August 31, 2012 at 4:53 PM

        Yes, I agree and also like your recap. I hope the main theme that ties these points together came across clearly: Start with a shared vision of what risk means to your organization and how to develop and maintain that vision.

        I find risk to be quite an interesting field because of all the inter-related moving parts, the potential change in perspectives that could result at times from a slight “tilt of the head”, and that there is always so much to learn from it.

        Thank you for your reply.

  6. September 1, 2012 at 9:37 PM

    I agree with you Norman that this is an area that is more problematic than many realise.

    I think this is especially so when we deal with risks that can be quantified less easily.

    At the moment with one of my clients we are working on specific business risks and discussing what will/won't be acceptable, with an intention of ensuring that processes “on the ground” translate this into practical delegations of authority / reporting requirements ~ recognising that whether this is actually translated into practice properly will be an ongoing challenge.

    If you take this approach (which I have validated with a few others) it raises big questions about the conventional risk matrices (impact vs likelihood), since the top right issues will not necessarily be in a “red zone”, as typically presented, because that will depend on the risk appetite for that particular risk.

    I think one of the key things to highlight is the need for more practical examples of what is actually happening “out there” and what the strengths and improvement areas of these approaches are, rather than an over-emphasis on a rather academic / theoretical approach that is written for risk specialists and that most business managers would run a million miles from!!

    • Norman Marks
      September 2, 2012 at 4:21 PM

      James, you make some first class points:
      1. Risk level is less important than whether the risk is a desired risk
      2. Trying to figure out how to determine whether a risk is desired or not is the key, being open to all the criteria and not just P and I

  7. Ehtisham Syed
    September 11, 2012 at 4:20 AM

    Norman, I agree with you that P and I are not the only criteria. See a related poll results here http://lnkd.in/GEiMPh.

  8. September 22, 2017 at 12:31 AM

    Norman, an interesting piece and something I have experience of both as a risk system designer and as an INED of a bank. We at Governor software have come up with an approach that involves setting the structure of the risk appetite statement at the top and then setting individual appetites at any level that makes sense. We then use the appetites themselves to normalise and aggregate the data in a manner that enables senior execs to define ‘combined’ appetites. For example, liquidity appetite might be a function of LCR, NSFR, number of open audit issues in liquidity management and an assessment of model risk in liquidity models.
    While this isn’t perfect and is definitely art and science, we have found that it is at least more realistic than many approaches!
