
Risk appetite in practice

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.

The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.

Margins in that business were not high, so the effective management of cost was very important indeed.

[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:

  • Procure critical materials at the lowest possible cost to optimize margins
  • Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
  • Minimize supply chain disruption risk
  • Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]

But, there were additional issues or ‘risks’ to consider:

  • The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
  • If we were dependent on a single vendor, that vendor could demand price increases.
  • If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
  • If the decision was made to select two vendors, the total cost would be likely to increase.
  • If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
  • If only two vendors were selected, there would still be significant supply-chain disruption risk.
  • If more than two vendors were selected, additional agility would be obtained, but at a cost.
  • If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.

Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.

The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.

They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.

The decision involved taking a higher level of some risks and lower levels of others.

Basing the decision on whether one risk was too high would not have led to the optimal overall result.

Now, how would a risk appetite statement have helped the VP of procurement?

I believe the answer is “not at all”.

What do you think?

I welcome your comments.

  1. April 29, 2017 at 12:35 PM

    Norman, my first point would be that you have identified risks without clearly stating the objectives. There are two possibilities:

    Primary objective: maximise security of supply. Secondary objective: minimise cost.
    Primary objective: minimise cost. Secondary objective: maximise security of supply.

    The first option is applicable if supplies cannot be sourced immediately should your vendor fail. The second is applicable where your supplies are immediately available, for example a readily available raw material.

    The first option applied in Maxtor’s case. This option already forms your risk appetite: it’s the dividing line between an acceptable security of supply and an unacceptable one. You state above, ‘They considered all the options…’ Thus they used a risk appetite (implied if not defined by them) to distinguish between an acceptable solution (three vendors) and unacceptable solutions. They could even have scored the various options to assist them in coming to a conclusion!

    While I would agree that a simple risk appetite statement applied to any one risk would not help the VP of Procurement, he/she (and the others involved) have had to use a risk appetite statement in coming to a conclusion, even if it is the rather broad, ‘risk appetite is the dividing line between the residual risks we consider acceptable to achieve our objectives and the residual risks we don’t consider acceptable’.

    • Norman Marks
      April 29, 2017 at 2:01 PM

      Thanks for pointing this out, David. I have added the objectives.

  2. April 29, 2017 at 1:55 PM

    Reblogged this on RISK-ACADEMY Blog and commented:
    I keep saying, most of the things created by modern day risk managers are artificial. There is a better way to integrate risk thinking into decision making.

  3. PR
    April 29, 2017 at 3:26 PM

    A contemporary risk appetite statement would possibly say that the organisation has limited appetite for concentration risk with suppliers in a way that could prevent the business from being able to supply. In other words management isn’t able to bet the company while going after short term profit goals.

    This would have helped the managers to not have to work this out by themselves on an ad hoc basis.

    Btw is Maxtor still in business?

    • Norman Marks
      April 29, 2017 at 5:59 PM

      PR, Maxtor was acquired by Seagate in 2006.

      Please see my comment on risk appetite below

  4. April 29, 2017 at 4:18 PM

    Norman, a risk appetite statement (RAS) will most definitely have helped the VP of Procurement as vendor management is key to actualising the financial and business strategy of the company.

    Often, we tend not to understand the purpose of the RAS and thereby make it seem more complicated than it really is – a quote of Dejan Stojanović readily comes to mind – “the most complicated skill is to be simple”.

    As the IRM puts it, “a properly communicated, appropriate risk appetite statement can actively help organisations achieve goals and support sustainability.”

    Put simply, risk appetite for any company is the declaration of the amount or type of risk the company is willing to take whilst pursuing its strategic and financial objectives. The RAS operationalises the risk appetite. Decisions would thereafter be taken by the company management in light of the RAS guide. To make the operationalisation of the risk appetite “simple”, the RAS will be split into different “dimensions” that may be qualitative or quantitative.

    Using Maxtor as the example and keeping it simple, I will take one of the dimensions as “Supply Chain Delays and/or Disruptions”. The definition of this dimension can be:

    We will aggressively pursue a balance between cost management (or minimisation) and the selection of vendors in ensuring the following:
    1. the probability of an incident associated with delays and/or disruptions to our inbound supplies is minimised and maintained within the defined risk segment; and
    2. an event of delay or disruption is effectively managed within the defined response times.

    The risk appetite trigger and tolerance limits will be defined for 1 and 2 in the RAS.

    The beauty of this exercise early-on in a business ensures that decision making is guided in line with company strategy and a methodology is in place even for exceptions.

    • Norman Marks
      April 29, 2017 at 6:00 PM

      Please see my comment on risk appetite, below

  5. Glenn Daly
    April 29, 2017 at 5:17 PM

    I may be wrong, but the take away I get from Norman’s post is this. Risk considerations need to be factored in when making decisions and these considerations need to occur at a transaction level, i.e. the specific circumstances of each transaction. Blanket risk appetite statements (which is the level they are normally developed at) are too general to be effective and could even lead to the wrong decision – formal development of statements for specific transactions? Suppose you could, but is this practical? Or indeed needed? Is it not better to gather together all the relevant players, understand the context including the specific objectives of the particular transaction, and then make a decision accordingly that factors in risk (upside and downside)? Those making the decision have been empowered to make such decisions by the board via the tried and trusted authority limits (in effect a broad risk appetite statement but, shock horror, the word “risk” does not appear!). Those gathered together to make the decision on this transaction are aware through training, procurement policies and procedures… that they need to consider risk aspects via applying the risk mgt process, i.e. understanding transaction objectives, and identifying and evaluating risks carefully. Is this a better way to integrate risk? Or to have some generalised risk appetite statement which may not cover all situations or, if it does, is so generalised as to be worthless and not even used? But there again, you can say you have a robust framework, and that’s what counts, right? (perception over substance, which unfortunately is where formal risk mgt is at the moment). Rgs

    • Norman Marks
      April 29, 2017 at 6:00 PM


    • April 30, 2017 at 9:44 AM

      I fully agree with the statement on “blanket risk appetite statements” as their application will tend to be ineffective.

      An organisation in developing its risk appetite statements should apply the required rigour that will make this a useful tool and not just a “tick”. This can only be done with proper understanding of the business and the RAS process.

  6. Norman Marks
    April 29, 2017 at 6:05 PM

    Risk appetite would not help.

    Because this decision affects multiple objectives, and therefore multiple risks.

    There is an objective to optimize margins. But focusing on whether too much is paid for materials can lead to a greater level of other risks.

    Focusing on supply chain disruption may mean that you contract with a dozen vendors, but then the level of quality risk and margin risk will increase.

    In REAL LIFE, we have to make compromises.

    In business, we have to make compromises when we decide to take risks in our decision-making.

    In this example, the team is working to see which is the best combination of risk-taking that is available. They took a higher level of margin and quality risk so that they could keep supply chain disruption down.

    RAS look at everything out of context. It’s not real life and doesn’t help when compromises need to be made.

  7. Kaya Kwinana
    April 29, 2017 at 6:53 PM

    ‘Now, how would a risk appetite statement have helped the VP of procurement?

    I believe the answer is “not at all”.’

    A meaningless answer to a meaningless question. There is no need for a risk appetite statement at all, at any time, at any level.

    You have the “head of procurement for the region, a vice president, and his director”. But whose objectives are being considered, really?

    The suggestion seems to be that they belong to the VP of procurement, in which case it is mind boggling that the other party in the considerations is the VP’s subordinate rather than his boss.

    The objectives should have been set by the appropriate boss, who would specify, as part of the objective setting process, the success criteria the subordinate is expected to achieve.

    After risk identification and inherent risk assessment processes carried out by the subordinate, the boss would, during the risk response process, assess risk appetite and follow that up by specifying what risk treatment strategy should be adopted by the subordinate.

    The risk appetite is the view of the boss as to the amount of risk which is acceptable to the organisation and is expressed in the same format as used in the inherent risk assessment.

    Comparison of the risk appetite with the inherent risk assessment determines the appropriate risk treatment strategy the subordinate will be directed to implement.

    The boss will not necessarily make final decisions based solely on individual risk appetite assessments but will consider inter-relationships of any proposed risk treatment strategy on the success criteria of the objective, sometimes modifying the success criteria themselves and sometimes approaching his/her boss for possible modification/validation of the risk appetite. The risk response process is iterative until there is an acceptable match between the success criteria and the risk treatment strategies adopted for the objective.

    The risk management activity referred to is therefore miserably inadequate, far from being best risk management practice or even acceptable risk management practice. The concept of a risk appetite statement referred to is a flawed distraction which makes absolutely no positive contribution to appropriate risk management processes.

  8. April 29, 2017 at 8:40 PM

    What about a risk appetite statement such as “Procure critical materials from source(s) such that cost is within budgeted guidelines and supplier actions cannot result in production disruption or unacceptable price increases”?

    • April 30, 2017 at 3:10 AM

      Totally agree…

    • Norman Marks
      April 30, 2017 at 5:59 AM

      Jay, I think you have hit on a key point.

      Your risk appetite statement talks about achieving objectives that involves a combination of risks. However, risk appetite is typically defined as the amount of risk an organization is prepared to take in the pursuit of objectives. As such, it is talking about an amount of adverse risk, an aggregate across different sources of risk perhaps, but not how to make compromises between this risk and that risk, or how to determine when it is appropriate to expose yourself to the downside because of the potential for gain.

      I think the answer is not a risk appetite statement and maybe not a risk criterion, but guidance specifically on how to weigh the potential effects of a decision on the achievement of all the enterprise objectives.

      It should recognize that sometimes the achievement of one objective is a priority compared to others.

      • April 30, 2017 at 9:39 AM

        If one looks at an “aggregate” across different sources of risk, then it may be a challenge to have a robust application. I began seeing the value of the risk appetite statement after I worked with an international financial organisation that breaks down the RAS into dimensions, which makes application easier and provides the needed guidance.

        I remain a proponent for the RAS as I have first hand experience and know that with the right understanding and interpretation, it works.

        In addition, having the right understanding and interpretation makes allowances for possible variations like one will have when prioritizing the achievement of objectives.

        • Norman Marks
          April 30, 2017 at 9:47 AM

          But when the potential effects are a combination of positive and negative?

          You are led to a decision based only on the potential downside.

          • April 30, 2017 at 10:41 AM

            Not necessarily Norman. When the potential effects are a combination of positive and negative, the process adopted will be similar to the one observed at Maxtor.

  9. May 2, 2017 at 1:39 PM

    In my opinion, a RAS allows for seamless implementation of ERM for middle management. When ERM is initially rolled out, we give middle management the tools they need to make autonomous, risk informed decisions on behalf of the company, and feel comfortable and confident in their decision making. Without a RAS, that level of confidence and comfort is never achieved because management would not know at what threshold to say “No”.

    For a class of employee who may not be as well versed in ERM as senior management, asking employees to conduct a risk assessment without any thresholds or guidelines on when they should not engage in a particular risk is pointless. You will have some managers so risk averse they never do anything exciting or new, and some that are so risk hungry they are going down the rabbit hole every chance they get.

    Either scenario can put the company at risk.

    • Norman Marks
      May 2, 2017 at 2:33 PM

      So you net them off and ignore the possibility that one side may be unacceptable?

      I don’t think that is how we all make decisions in our personal lives

  10. Norman Marks
    May 2, 2017 at 2:47 PM

    How do you make decisions in your personal life?

    How do you decide which house or car to buy, when to leave for work, whether to take a cruise or a road trip?

    Did you only list all the things that could go wrong?

  11. Hans Læssøe
    May 3, 2017 at 3:25 AM

    Maybe it is just me; but I see the Maxtor case as a very good example of a carefully risk-addressed decision where multiple risks and options are weighed against each other. The outcome was to deliver the optimal balance between probable “safety” and certain “costs”.

    The team did not use, nor need, an explicit risk appetite statement to make the decision, and hence, as a “case” of practical use of a risk appetite, I find the example rather poor; but still a good example of a deliberately made risk based decision.

    From my corporate past; I have an example of use of risk appetite (or rather risk tolerance, but let us not dive into that).

    We acknowledged that the purpose of risk management was to provide the Board of Directors with a “reasonable assurance that we would meet our targets with the activities put in motion”, rather closely linked to the COSO definition. We also had a defined risk tolerance that stated that the company must (based on Monte Carlo simulation) be more than 97% certain to deliver a defined minimum level of profit, as well as some other statements. The company operates with a set of key targets to be met simultaneously, cf. a balanced scorecard approach.

    Now one year, in my role as strategic risk manager, I was looking at the performance development, and found that we were increasingly likely to miss (at least) one of the defined targets. Yet, at the same time, I could document that we were utilizing only a fraction (less than 50%) of the risk tolerance provided by the Board.

    So … as a strategic risk manager, I wrote to the execs: “Hey guys. It appears that we are on the brink of missing out on this target, yet we are not utilizing our risk tolerance. This is like being late for the wedding, and still cruising at 40 mph on the highway. To deliver on the purpose of risk management, I suggest that we do “…” to take a chance and increase our likelihood of meeting the targets. These actions may be less effective than normal processing; but I am certain that if done right, they will still add value”.

    Our CEO replied back quickly (as always on such notes) stating that “it was not that simple”, and was supported by the CFO who gave a number of reasons this was not “that simple”. I agreed to the complexity and admitted my suggestions were those of a layman, but also that I had complete faith in the relevant corporate leaders/specialists to define a value creating approach. The CMO (Marketing), within whose area the target and the suggested solution was placed, simply wrote me back stating “I love, it – keep it coming”.

    By the end of the day, the company did not do anything further, and still, the target was met, albeit by the very last draw.

    At a later discussion, several of the executives expressed their surprise that I (of all people) recommended taking on more risks – but also that they fully agreed with my approach, and urged me to “keep it coming” – it was a clear part of my job to do so.

    To me – this is an example of actively using the risk tolerance (or appetite) statement as a lever for actions. Hence, reverting back to Norman’s opening statement, I submit the story.

    Best regards

    • Norman Marks
      May 3, 2017 at 6:29 AM

      Hans, thank you for sharing your excellent story.

      I like that you were measuring the likelihood of achieving objectives, the approach I propose in my book.

      You were not focused on limiting adverse exposure, but on taking the right level of the right risk.

      Your definitions and use of risk appetite and tolerance are non-traditional and I applaud you.

    • May 3, 2017 at 10:37 AM

      Hans, what a great way to depict using risk appetite and risk tolerance in practical terms! Risk management should be focused on achieving objectives, goals, targets (whatever your organization calls them) while taking on the right amount of appropriate risk to support that objective. That’s why the discipline is called risk *management* and not “risk reduction.”

      Shouldn’t risk appetite and risk tolerance be used as tools to provide employees, not just management, with information to make decisions that are appropriate for the organization? Otherwise, how will non-management know what is acceptable or appropriate?

      Norman, I always appreciate how you make us think. Thank you!

      Carol Williams

    • Alvin C.
      May 3, 2017 at 11:52 PM

      Totally agree with you Hans. I see it as a practical approach to understanding risk appetite, which is to weigh options and consider all constraints before arriving at a decision that best represents where as a collective the team would like to go. I reckon the issue here is that many assume a single risk appetite statement is able to drive business decisions. I think the reality is decisions require the consideration of several (and often opposing appetite statements). That is when the collective wisdom of the team comes into play; and leadership needs to make a call and set direction.

  12. Steven Dando
    May 3, 2017 at 6:42 AM

    Thank for posting Norman, I found this very interesting. In my view, this is an excellent example of risk management being integrated into the business. This decision was clearly made with the help of a risk assessment (by gathering the data and discussing with appropriate stakeholders) and they took the course of action which was within their appetite. I would suspect that the risk culture of the organisation helps with this and in fact encourages it.

  13. Ian Ng
    May 3, 2017 at 5:05 PM

    The statements serve as overarching objectives and guiding principles, which should not be confused with strategy. What the VP procurement did was correct by getting all stakeholders together to develop a workable or implementable procurement strategy. Importantly, balanced risk mitigation is required because you can’t eradicate risks involved. Understand risk impact and respective causality analysis will be helpful.

  14. May 7, 2017 at 2:00 AM

    Looking at the above comment, I have come to two conclusions:

    A decision can only be made if the objectives are clearly stated, since these objectives will form the basis on how risks are to be prioritised (security of supply against cost, for example). I would say that Jay’s comment is as much an objective as a risk appetite statement. Your comment, Norman, reflects this connection between risk appetite and objectives.

    A decision is effectively a control. In the Maxtor example, the decision to use three vendors is a control which manages the principal risk (security of supply) to an acceptable level. Thinking back to my role as a manager, every decision either maximises an opportunity or brings a risk down to an acceptable level.

  15. Stuart Keenan
    May 16, 2017 at 1:18 PM

    Sounds like the building of a rationale and consideration of the impacts and outcomes of each category has essentially resulted in the formulation of risk appetite for each; had it been in place initially, the decision could be made faster and replicated in the future with different stakeholders.

  16. May 19, 2017 at 2:54 AM

    Quite some pharisees, it seems. Missing the point that ‘risk appetite’ is so sloppily defined, for practical use… Would anyone have a *proper* definition / method to establish, other than case-by-case (risk by risk) handling, by way of accepting or rejecting additional risks to the portfolio ..?

    • Hans Læssøe
      May 24, 2017 at 3:53 AM

      I actually believe I do have a practically applicable “proper” definition option. At the very least, I have applied this earlier – and based on that driven a discussion of the acceptable level of risk taking.

      First, on the vocabulary. Based on my reading of the ISO 31000 standard/dictionary, I use risk tolerance for the level of exposure one is prepared to accept after mitigation (i.e. can “live with”), whereas I use risk appetite for the exposure one is willing to take (i.e. will not bother to mitigate further). Hence – target exposure should be somewhere between the two.

      With a consolidation of the exposure level of a portfolio, using Monte Carlo simulation, you may define that your strategy or endeavour must be 97% certain to deliver a profit. Hence – your 3% worst case combination of risks materializing must add up to a loss which is smaller than your planned profit.

      Assuming your data are reasonably valid – this is easily calculated/simulated and hence, you can accept or decline the next risk – or define to which level this must be mitigated to be acceptable.
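The portfolio tolerance test Hans describes (simulate the combined exposure, take the worst 3% of outcomes, and require that loss to stay below planned profit) can be written down as a small model. The example below is added here and is not Hans's, Maxtor's or any company's model; every risk, probability, loss range and profit figure in it is constructed for illustration. It goes one step beyond the comment by also searching for the smallest mitigation level that makes a declined risk acceptable, which is the "define to which level this must be mitigated" part of the method.

```python
import math
import random
from dataclasses import dataclass, replace
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """One risk in the portfolio with a triangular loss distribution.

    Constructed example data only; amounts share the unit of planned profit.
    """
    name: str
    probability: float       # chance the event occurs in the planning period
    loss_low: float          # smallest loss if it occurs
    loss_mode: float         # most likely loss if it occurs
    loss_high: float         # largest loss if it occurs
    mitigation: float = 0.0  # fraction of the loss removed by controls (0..1)


def mitigated(risk: Risk, fraction: float) -> Risk:
    """Copy of `risk` with `fraction` of its loss removed by controls."""
    return replace(risk, mitigation=fraction)


def simulate_total_losses(risks: Sequence[Risk], trials: int, seed: int) -> List[float]:
    """Monte Carlo: total loss per trial when each risk may independently occur."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            # Occurrence and severity are drawn first and scaled afterwards, so the
            # random stream is identical for every mitigation level (keeps the
            # search in required_mitigation monotone).
            if rng.random() < r.probability:
                severity = rng.triangular(r.loss_low, r.loss_high, r.loss_mode)
                total += severity * (1.0 - r.mitigation)
        totals.append(total)
    return totals


def loss_at_confidence(totals: Sequence[float], confidence: float) -> float:
    """Loss not exceeded in `confidence` of trials; at 0.97 the worst 3% of
    risk combinations lose more than this value."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def tolerance_utilisation(risks: Sequence[Risk], planned_profit: float,
                          confidence: float = 0.97, trials: int = 10_000,
                          seed: int = 7) -> Tuple[float, float]:
    """Return (tail loss, tail loss / planned profit); below 1.0 the portfolio
    is still inside the tolerance and headroom remains for further risks."""
    tail = loss_at_confidence(simulate_total_losses(risks, trials, seed), confidence)
    return tail, tail / planned_profit


def can_accept(portfolio: Sequence[Risk], candidate: Risk, planned_profit: float, **kw) -> bool:
    """Accept the next risk only if the enlarged portfolio keeps the tail loss
    at or below planned profit."""
    tail, _ = tolerance_utilisation(list(portfolio) + [candidate], planned_profit, **kw)
    return tail <= planned_profit


def required_mitigation(portfolio: Sequence[Risk], candidate: Risk, planned_profit: float,
                        steps: int = 20, **kw) -> float:
    """Smallest fraction of the candidate's loss that controls must remove for it
    to be acceptable (0.0 = acceptable as is). Bisection is valid because, with a
    fixed seed, the tail loss never increases as mitigation increases."""
    if can_accept(portfolio, candidate, planned_profit, **kw):
        return 0.0
    lo, hi = 0.0, 1.0  # lo is known to fail; hi removes the loss entirely
    if not can_accept(portfolio, mitigated(candidate, hi), planned_profit, **kw):
        raise ValueError("existing portfolio already breaches the tolerance")
    for _ in range(steps):
        mid = (lo + hi) / 2
        if can_accept(portfolio, mitigated(candidate, mid), planned_profit, **kw):
            hi = mid
        else:
            lo = mid
    return hi


# Constructed portfolio for a two-plant supply chain (illustrative figures only).
PLANNED_PROFIT = 10.0
PORTFOLIO = [
    Risk("flood at primary vendor", 0.10, 2.0, 4.0, 8.0),
    Risk("quality rework", 0.30, 0.5, 1.0, 2.0),
    Risk("vendor price increase", 0.25, 0.5, 1.0, 3.0),
]
SMALL_CANDIDATE = Risk("backup-contract premium", 0.30, 0.2, 0.5, 1.0)
BIG_CANDIDATE = Risk("single-source contract", 0.50, 4.0, 6.0, 12.0)

if __name__ == "__main__":
    tail, util = tolerance_utilisation(PORTFOLIO, PLANNED_PROFIT)
    print(f"97% tail loss {tail:.2f} vs profit {PLANNED_PROFIT:.2f} -> utilisation {util:.0%}")
    for cand in (SMALL_CANDIDATE, BIG_CANDIDATE):
        verdict = "accept" if can_accept(PORTFOLIO, cand, PLANNED_PROFIT) else "decline"
        need = required_mitigation(PORTFOLIO, cand, PLANNED_PROFIT)
        print(f"{cand.name}: {verdict}; mitigation required {need:.0%}")
```

Run as a script it prints the portfolio's utilisation of the tolerance and, for each candidate risk, the accept/decline verdict together with the mitigation level that would bring a declined risk inside the tolerance. The triangular distributions are a placeholder for whatever loss model the organisation actually has; the reliability of the verdict is bounded by the quality of those inputs, which is the caveat in the comment above.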
