
Do risk appetite statements add value?

September 8, 2019

I like to read Enterprise Risk, the official magazine of the Institute of Risk Management. Not only are its features often of interest, but it includes useful graphics that summarize studies, etc. on a number of useful topics.

In its Summer 2019 issue, the magazine captures the most interesting observations of a study by Baringa Partners (the full report is here).

  • Only about 15% of respondents strongly agreed that “Statements provide a clear link with the firm’s strategy”. About 30% disagreed.
  • About the same number strongly agreed that “Statements provide a forward-looking view of risk,” while nearly 40% disagreed.
  • Only about 10% strongly agreed that “Statements are embedded into business decision-making”. Again, nearly 40% disagreed.

As Baringa comments:

Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.

The regulators want to make sure that firms do not put the continued existence of the organization and the investment stakeholders have made in jeopardy as it pursues profit.

Risk appetite statements I have seen can be general in their language or specific, with metrics against which actual levels might be compared.

When they are general, talking about intent, such as “The Group has zero appetite for regulatory risk and a moderate appetite for the risk of litigation”, it is difficult to see how this affects decisions made either by the board or operating management.

When more specific metrics are established, such as “the Loans to Asset Ratio will be no more than 70%”, actual performance can be compared to the limits to confirm that it is in line with board-approved guidance.

But does such a comparison do enough to drive behavior in a dynamic environment? It is difficult to see how it is more than an after-the-fact check rather than a driver of management actions.

This is especially true when activity across the organization needs to be aggregated to compare to enterprise-level limits. For example, if I set an enterprise-level target of “the Loans to Asset Ratio will be no more than 70%” but I have to aggregate Loans and Assets numbers across multiple business units and countries, how do I guide a Loan Officer in Guyana on whether to approve a loan?


Let’s step back and think about what we are trying to achieve.

While the regulators focus on preventing failure through reckless risk-taking, stakeholders should be concerned whether management and the board are taking the right risks for success (i.e., not just avoiding failure).

Success is achieved, and failure avoided, when management and the board make informed and intelligent decisions.

Do risk appetite statements lead people to make informed and intelligent decisions?

If they are not:

  • Linked to the firm’s objectives and strategies for achieving them, and
  • Forward-looking, and
  • Embedded into every important business process, and
  • Measurable and actionable…

…they will have little effect on decision-making or success. Arguably, they have little effect on avoiding failure as well.

I am not persuaded that ISO’s risk criteria are necessarily the answer either!

Rather than providing guidance and limits on risk, I prefer to consider:

  • What decisions have to be made for success?
  • What could go wrong and what needs to go right?
  • What information do decision-makers need?
  • Who needs to make the decisions and who needs to be involved?
  • How can I guide decision-makers to take the right level of the right risks?
  • How do I monitor performance to know when poor decisions are made?

Maybe the answer includes risk appetite statements.

Maybe there are some aspects that you cannot really quantify.

Maybe you will have to rely on after-the-fact detection in some cases.

You certainly have to satisfy the regulators.

But you should also customize what you do to the needs and practices of the organization.

I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.


What do you think?


  1. John Fraser
    September 8, 2019 at 10:22 AM

    Risk appetite statements, which were a regulator’s desperate creation in response to the credit crisis, can have some value IF they are created by the board and/or the executive team as a basis for having conversations about objectives and related uncertainties. If however, they are prepared by consultants or low level staff then they are of little value. In some cases they are locked away as too sensitive for staff to read!
    ISO’s concept of risk criteria is excellent, both as a basis for conversations and as a basis for identifying and prioritizing sources of uncertainties and the allocation of resources. Unfortunately, few organizations appear to do this well.

  2. Anonymous
    September 8, 2019 at 12:05 PM

    I find risk appetite statements near worthless. They are great in concept, nearly impossible to fully implement to match the promises made about them.

  3. Robert Arvanitis
    September 8, 2019 at 5:55 PM

    * An asset is a risk that has been funded. *

    The core risk of any business is in fact why it makes money — by managing that core risk in order to gain the returns for taking the risk. (Suggest any sector you like in the comments and we can review the relevant risks which drive that business.)
    That is why we have this truth: an asset is a risk that has been funded.
    Beyond that core risk in our business plan, there are other unavoidable risks that come with the undertaking. Risks come on a spectrum from physical, to operational, and then financial. Such generic risks are a cost of doing business. Some are quantifiable. These can be insured, hedged or financed away.
    Business must first attend to the CORE risk, which is the reason it exists. IF a business can find better/cheaper/more effective ways to manage the other unavoidable risks, then it lowers its expenses, just like finding cheaper suppliers, getting lower cost financing, or paying less in taxes. Nice, but not the primary goal.

    • Grant Purdy
      September 8, 2019 at 7:49 PM


      Your response is a perfect illustration of why the word ‘risk’ is nonsense. I’ve been involved in the risk management belief system for over 40 years and I can’t really understand what you are saying, and I am sure most normal people won’t be able to either.

      This is not your fault, you just reflect one of the vast number of paradigms that fall under the label of ‘risk management’.

      I’m delighted that you think that “unavoidable risks” can be “insured, hedged or financed away”. However, I’ve yet to find evidence that that is really the case. But then, I suppose it all comes down to what you mean by ‘risk’!

      • Robert Arvanitis
        September 9, 2019 at 6:41 AM

        Disappointed your response fails to address serious matters and instead drips with condescension. Forty years seem to have left you world weary and no longer able to deal with necessarily imperfect solutions.
        As our understanding and technology improve, we reduce the area within which black swans may dwell. Powerful new analytics clarify the risk spectrum: from physical to operational to financial. Glad to share selections from my own work; perhaps that might rekindle the fire within you.
        Simply put, we no longer sacrifice virgins, we study volcanology. (Thus conserving precious resources.)

        • Grant Purdy
          September 9, 2019 at 8:55 PM


          Do you really think normal people will understand what “reduce the area where black swans may dwell” or “clarify the risk spectrum” mean?

          As I said, this is just confected jargon manifesting as real knowledge.

          Unlike say medicine, chemistry, engineering, accountancy or even the rules of language, there is no settled, academically-supported or proven global body of, for example, ‘risk management’ knowledge.

          The uncomfortable truth about risk management is that:
          – There is no agreement to the problem it is (ostensibly) solving
          – Even among those who advocate its adoption and practice (often to earn their living) it has no settled meaning, nor even clarity of purpose
          – Its clumsy and ever-changing constructs and confected jargon complicates rather than improves decision making and, therefore, organisational performance.

          You may think that is condescension or world weariness but if you talk to normal people you will find it is true.

          • Robert Arvanitis
            September 10, 2019 at 5:26 AM

            Hey Grant. Talk about clarity of writing!
            You assailed me about methods.
            Now you switch and claim “No, your tools are fine, you don’t write clearly!”
            Let’s dispense with this new nonsense. Actuary and CFA, my business is figuring things out and getting things done.
            When I write for business folks, operating managers, and especially CEOs, it’s crystal clear and filled with analogies and metaphors to make it easy. Check out my style at Quora: https://www.quora.com/
            And if you have any more quibbles or condescension to offer, feel free.

  4. Grant Purdy
    September 8, 2019 at 6:59 PM

    I’ve yet to find an organisation that uses these on a day to day basis to help with decision making. This is hardly surprising as they are just the latest ‘confection’ promoted by the consultants and then picked up by regulators – when neither really knew what they are and what they could be used for in the real world.

    Of course, the major problem is that a risk appetite statement is based on two words that have no sensible meaning.

    ‘Risk’ has many meanings in both formal and informal common use. It is an artificial and difficult concept to grasp and few do. Confusion between ‘risk’ and ‘risks’ is widespread, as are meaningless – yet popular – expressions such as ‘take a risk’, ‘if a risk eventuates’, ‘potential risk’ and ‘inherent risk’, to mention but a few.

    Even ISO, which is supposed to provide standardisation, has over 40 definitions of ‘risk’!

    Similarly with appetite. A word most normal people associate with being hungry – for more, not less!

    When you try and find out what the confected term ‘risk appetite’ means then you can become equally confused.

    COSO defines risk appetite as:
    “the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals”

    and also as:

    “the amount of risk an entity is willing to accept in pursuit of value”

    However it is not at all clear why these definitions are different or even what they mean in practice: COSO does not tell us what a ‘degree of risk’ is and how this is different to an ‘amount of risk’; it also does not explain why one term is concerned with the pursuit of goals and the other the pursuit of value and what that value is.

    The third revision of the South African King Report on Corporate Governance contains many requirements for risk management. Clause 4.2 specifies that the Board should determine the levels of risk tolerance and the code says under a subordinate clause (4.2.2) that this can involve the board “setting limits for the risk appetite”. This suggests that the authors of King III see risk appetite as some subordinate property of risk tolerance.

    The UK-based Institute for Risk Management produced complex guidance in 2011 in the form of a consultation document that aimed to enable companies to determine their risk appetite so that they can satisfy the recent UK Corporate Governance Code. However, the code does not explicitly require the establishment of ‘risk appetite’. It only says that:
    “The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.”

    The Basel Committee on Banking Supervision “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches” defines risk appetite as:
    “a high level determination of how much risk a firm is willing to accept taking into account the risk/return attributes; it is often taken as a forward looking view of risk acceptance”

    However, this does not seem at all clear because ‘high level determination’ and ‘forward looking view of risk acceptance’ are not further explained.

    The Basel Committee document then goes on to define risk tolerance as:
    “a more specific determination of the level of variation a bank is willing to accept around business objectives that is often considered to be the amount of risk a bank is prepared to accept.”

    Again, this definition is not clear and both definitions are further compromised when the report says, in relation to risk appetite and risk tolerance, that:
    “In this document the terms are used synonymously”!!

    All this is typical of concepts and phrases used in belief systems like ‘risk management’. That:
    – has apparently laudable (feel good) goals, yet no clear definition of the problem
    – is an unnatural approach, usually conflicting with reality
    – is based on unvalidated assertions and concepts
    – is dependent on confected jargon manifesting as real knowledge
    – is defined by the label rather than what it means or involves
    – is promoted with evangelical enthusiasm – as if the name alone is an indispensable and fundamental truth and
    – attracts enthusiastic disciples (all of whom either make money out of it or gain power).

    Risk appetite statements, like risk registers, are a good waste of trees. The only benefit is to the people who are paid to write them or require them as regulators.

  5. Gregory Sosbee
    September 15, 2019 at 8:34 AM

    Norman, you are on the right path. Perhaps the issue is that some people do not know how to correctly utilize Risk Appetite (and Risk Tolerance) statements. These are boundary (early warning) statements, not day-to-day operating instructions.

    Boundary statements provide just that – operating parameters for the ERM program. When an issue exceeds the boundary by an agreed margin, management and the Board have to be alerted. After the issue is discussed, appropriate remedial action (if necessary) can be taken under the authority provided by the Board.

    This all should be covered in the Chief Risk Executive’s brief.

    • Norman Marks
      September 15, 2019 at 9:17 AM

      I agree that there can be boundaries, like when you visit a casino you should not go with more than you can afford to lose.

      Trouble is:
      1. It only enables an after-the-fact identification of putting too much at risk, and
      2. It should be only a small part of managing risk. The greater part is enabling informed and intelligent decisions that lead to taking the right risk.
