What is your risk appetite?
The regulators and others around the world are asking organizations, especially those in financial services, to establish a risk appetite. This is typically in the form of a risk appetite statement or framework.
Let’s look at a couple of definitions of risk appetite.
COSO says:
“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value” (Understanding and Communicating Risk Appetite)
They continue:
“To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.)”
[You may have seen my review of the COSO publication, which includes links to other thoughts on risk appetite.]
A similar view is expressed by a global financial services authority:
“Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives” – Institute of International Finance (http://www.iif.com/regulatory/article+968.php)
But, there are a number of people who believe that risk appetite is a flawed concept. I recommend a read of a paper by Grant Purdy, Demystifying Risk Appetite. When risk practitioners from around the world convened to develop a global risk management standard, ISO 31000:2009, they preferred to discuss risk criteria – a preference I share.
Is risk appetite a useful concept?
Let’s approach this by asking, as individuals, “What is your risk appetite?”
Perhaps you are saying that you are not a business, agency, or enterprise. But you still have objectives you want to achieve and you are more likely to succeed in achieving or surpassing them if you understand and treat/manage/address the risks and opportunities in your path towards those objectives.
Your personal objectives may include long-term ones like saving sufficient money to retire at a certain age, maintaining a certain level of health, or getting to vice president before you turn 35; short-term objectives might include being able to get to work on time today, or finishing a certain number of tasks at work so you can both make your manager happy and have dinner with a happy spouse at 7pm.
You will take risks in accomplishing these objectives. There is no “may” about it; you will take risks. With respect to your drive to work, your arrival time might be affected by weather (both good and bad), the volume of traffic (less traffic meaning you will surpass your objective), dangerous drivers, the possibility that you will fail to see another car when you change lanes, a request from your spouse to take the kids to school on your way, and so on. As you decide to leave, these are all uncertain events or situations that might or might not happen.
What is your risk appetite when you are deciding whether to change lanes because the traffic in front of you is too slow?
What is your risk appetite when you are deciding whether to agree to take the kids to school or ask your spouse to do it?
You have to decide whether to take these risks. You will certainly have a number of criteria that will help you decide, such as the potential for reward (arriving earlier or avoiding a delay in arrival) and the potential for loss (an angry spouse or manager, or physical injury if a car hits you). You will consider the magnitude of the potential loss or reward, the likelihood of each happening, and your ability or capacity to sustain any loss.
Can you put a number, a monetary value, on it? Is it a percentage of your net wealth?
No.
When you decide whether to take a risk, you will be influenced by the likelihood and size of reward against the likelihood and size of loss. Will you decide to change lanes when there is an 80% chance of arriving on time if you do vs. 15 minutes late if you don’t, when you assess the risk of a car hitting you at less than 1%? How about if the chances of a crash are 5%, because there’s a lot of traffic, or 15% because visibility is low?
You will try to make an informed, management decision. You will use your judgment, and you will not even think about anything like risk appetite. “Criteria” is a concept that makes sense, but not “appetite”.
Isn’t running a business similar to driving a car, in that you want to make informed management decisions using your best judgment?
Will you decide whether to expand operations into a new country using your judgment about the likelihood of success (at various levels) and the likelihood of failure (also at various levels)? Failure could mean loss of funds as you abandon new offices, lay off newly-hired staff, and write off assets; it could also mean loss of customer confidence, reputation damage, and even loss of life (depending on where you expand).
Can you put a risk appetite value on this and say, as COSO says “how much risk is acceptable”?
I can understand that it may be important to know that management is not putting the survival of the company at risk, or that the company has not put on the casino table of business more than it can afford to lose.
But is that how you make decisions? Is that how you decide whether or not to take a risk?
What is most important is that:
- Managers and executives recognize that when they make decisions they have to consider what might happen, and the effect of that is what we call risk
- If a manager is to be successful, he has to recognize risk, assess it (upside and downside), and if it is at an unacceptable level act to modify it – because that increases his chances of being successful and the level of success he will achieve
- Decision-makers should use their best and informed judgment to take risks. When the potential effect is outside their authority level, they should escalate the decision to more senior management – in the same way they make purchasing decisions
- The consideration of risk is an integral and essential element of decision-making and management in general. It is not a separate discipline
What is your appetite for risk appetite? Should we limit the concept to situations where it makes sense, like how much money to put at risk in the financial market? Mind you, we used to call those trading or position limits rather than risk appetite.
I welcome your comments.
Nice Explanation.. for the Risk Appetite
Indeed, the most thought provoking article on Risk Appetite. Thanks, Norman.
Considering most Americans would not improve their car accident survival odds 50% by donning a seat belt were it not for the even less likely financial fine there is little doubt the consequences of a lane change ever cross their minds–let alone the consequences of bundling and selling high risk home mortgages to supposedly unsuspecting investors and insurers. American corporate economic history clearly shows a disdain for proactive fiscal decisions beyond the three month crystal ball of quarterly reports. Our appetite for risk is only dwarfed by our irresponsibility and disdain for accountability when the card dealer collects the bets. Anything less than estimating potential financial losses to assets from likely (frequent) threats to establish risk is akin to fraud at worst and dereliction of basic human behavior (e.g., fight or flight) at best.
Risk acceptance and risk appetite are terms that can be useful in some, but not all discussions of risk management. They imply a high level of control over a well defined risk vs. reward equation. And, while this equation may even apply to a decision to get out of bed in the morning, it is not very useful in that context. Moreover, it is not very useful in the realm of operational risk management where risks to accomplishing goals abound, whether they are consciously accepted or not. All responsibilities carry the burden of risks. Any belief in the omniscience of this controllable equation can do harm by blinding management to other risks. Just ask Merrill Lynch, AIG or Lehman Brothers.
Norman. Helpful thoughts. I agree risk appetite has a scientific feel to it that real managers do not use. Not sure it matters too much though as the concept is valid, no matter what label it is given. Perhaps the thing that is most important is that the thought process is followed.
Hi Norman,
I think of risk appetite in terms of logic: CAPACITY……. and instinct: TOLERANCE.
Logical analysis of my own ability to take risk will take into account my current CAPACITY.
Here’s a true story to illustrate this; yesterday I was gardening and needed to trim the top of the hedge, which meant using the hedge trimmer whilst I was up a ladder. I asked my husband to help me (don’t ask why I was doing it and not him – that’s another story) by holding the ladder and passing up the various tools needed, such as the heavy loppers for the thicker branches and the electric hedge trimmer for the simpler tasks. I wore appropriate protective equipment, and all was well, albeit, the hedge is not as straight as I would like it. My CAPACITY for risk is low, I’m getting old enough to recognise that any tumble from a ladder will hurt for a long time if not threaten the things that are important to me. Plus, having tools around, could mean that a fall might be fatal. So I was going no-where near that one. Hence the need for someone to hold the ladder and the other precautions.
Whilst he popped into the house to make the tea during a break, I decided to get some apples down from our heavily laden apple tree. Having patted myself on the back for being so judicious in my risk management, I decided to listen to my instinctive risk TOLERANCE instead of my capacity. I propped the ladder against a branch of a tree and proceeded to take apples from the branches. There was one rather large and juicy apple just at the limit of my reach and as I stretched for it, the ladder slipped sideways on the damp and slippery bark, and I found myself hanging by my fingertips from that slippery branch for a moment, before I fell to the ground.
I didn’t fall far, and it was onto grass, plus I had no dangerous tools near me. So my instinctive risk tolerance was tested but I went no-where near my capacity for risk. I was a bit bruised, and my pride was hurt, but my life was not under threat.
So I think in terms of RISK CAPACITY as being something which is logical, entirely provable and founded on evidence and calculation. Whereas RISK TOLERANCE is something that we feel, and is mostly very much lower than capacity (unless we are stupid).
Cheers
Liz Taylor
Many seem to relate risk appetite to a calculable number or hard facts. This is barely possible, which is one major reason why Operational Risk Management is not considered helpful by many executives.
I suggest that the term risk appetite is used more as a soft factor to describe the decision culture of an enterprise than as a configuration element of a rule set.
A person’s character could frequently be described as risk averse or risk hungry – though the words used would rather be reluctant, anxious, timid or daring, courageous, venturous.
In the same way, the “risk appetite” of an organization is a description of its decision culture. The more difficult it is to get a decision by top management within an organization, the more risk averse it behaves. A big risk appetite would then signify that decisions tend to be taken based on more limited information, while a small risk appetite indicates that management would usually require complete and compelling background information before relevant decisions are taken.
This way of using “risk appetite” is much closer to “appetite” – which actually is a human sensation that is fairly hard to quantify. It’s also closer to executive reality. For many decisions, the consideration of soft factors is just as important as numbers and “facts”. In fact, in most executive decisions, the bulk of information available is soft (i.e. hard to quantify), and most managers take decisions considered in line with the organization’s risk appetite.
I agree with Liz on this. Risk appetite is about capacity. Tolerance is the next level and appetite is the last and most narrow level. The Institute of Risk Management has published a paper on this topic, and you can read it here: http://theirm.org/publications/risk_appetite.html