
Revisiting the concept of Risk Appetite

October 25, 2021

Carol Williams has written a thoughtful post, Risk Appetite: Bridging The Gap Between Two Extremes that I recommend reading.

Before diving into it, I want to thank her for her comments about this blog and how it sparks useful discussion among practitioners.

Carol is a believer in risk appetite, but I am not.

My primary argument is that leaders of the organization should be managing the business, not a list of potential harms.

Risk appetite focuses only on potential harms absent the context of whether they should be taken on business grounds.

There are other problems with the concept, including:

  • They are of little value if they don’t affect decision-making.
  • They are harmful if they lead to decisions that consider only the downside, not whether risks should be taken.
  • Business conditions are changing all the time, so we need decisions made based on current and future conditions, not some “statement” made in the past that is unchanging.
  • It is impossible to establish a meaningful risk appetite, defined by COSO as the amount (whatever that is) of risk you are willing to accept in the pursuit of objectives, for risks like:
    • The possibility of physical harm, even death, of personnel, or
    • The possibility of non-compliance with applicable laws and regulations
  • Risk appetite statements such as “we are risk averse” are meaningless. If you are risk-averse and want to minimize potential harms as much as possible, you should not be in the business.
  • They don’t help anybody know what risks to take.
  • People aggregate disparate sources of risk to create a meaningless number. That helps nobody.

Carol quotes my good friend, John Fraser. John, as usual, makes a good point: these statements can spark a discussion. Anything that gets people talking is, of course, healthy and desirable. But do they lead to informed and intelligent decisions?

I don’t deny that people need to know when there are limits on the risks they should be taking. (I prefer the idea of taking risk to the passive language of accepting it.)

But that can be done through risk limits and other policies that are meaningful, with specific numbers and guidance (such as requiring more senior managers to be involved in the decision) instead of attitude statements. It can also be done by making sure people know how to make decisions that weigh both the positive and negative potential effects of what might happen.

Let’s take a moment to consider Carol’s argument that when people in management have different attitudes about risk-taking, there’s a problem. I don’t see it that way at all!

I don’t want my Sales and Finance leaders to have the same attitude about risk-taking. I want my sales team to be more imaginative and creative than my accounting folk. I am sure you do as well.

What is important is that when there is an important decision to be made, the right people are at the table with reliable information about what might happen. That can mean that the risk-taking EVP Sales and the risk-averse General Counsel are talking and listening to each other. Any risk appetite statement is unlikely to come up in discussion.

Here’s my bottom line:

How can you make sure that people are making informed and intelligent decisions, taking the right level of the right risks, considering all the things that might happen?

If risk appetite factors into your solution to that mission, great. It would not at any of the companies where I worked.

I welcome your thoughts.

  1. John Brown
    October 25, 2021 at 12:23 PM

    I share the view that risk appetite statements are less than useful. Most are subjective and don’t provide meaningful guidance — and the willingness to accept uncertainty is anything but static. I’ve seen words like “Limited tolerance for uncertain outcomes”, “Willing to tolerate uncertain outcomes”, “must be soundly justified” and similar. However, discussions around risk appetite provide insight into what may or may not be acceptable for a specific part of a company — and for that specific moment in time. It’s far better to create a decision framework that includes acknowledgement of uncertainty.

  2. October 25, 2021 at 1:23 PM

    Instead of trying to define (and communicate!) a Risk Appetite statement, it is in my view more helpful to set the company’s overall Risk Capacity and Risk Tolerance. The latter can then be translated into operational monetary limits. An example: “For a customer with credit rating X, the maximum credit exposure is Y times the gross margin on that customer, and no more than Z million at any time cumulative for all customers. Exceptions to be escalated to…..” Thus, risk is related to the sales opportunities and objectives and can be communicated clearly. Similar rules can be defined for procurement, financing etc.
    It works also for non-financial areas: Risk tolerance is set to zero for injuries, spills, etc.

    • Norman Marks
      October 25, 2021 at 1:54 PM

      Agree, but those are limits in specific cases.

  3. October 25, 2021 at 2:09 PM

    Norman, are your arguments also valid for the Banks?
    Regulators impose the obligation of the Risk Appetite Statement, which serves as a parameter for assessing the sufficiency of capital and liquidity for the Banks.
    Please, what is your opinion on this?

    • Norman Marks
      October 25, 2021 at 2:12 PM

      Jose, I believe so. There is always value in satisfying the regulators, but I believe the banks use limits to drive decisions in specific circumstances rather than a high level risk appetite statement.

  4. October 26, 2021 at 3:02 AM

    Norman, I agree with you in part, and I am reasonably certain, that you agree with my position as well.

    Generic risk appetite statements do not make sense, as risk management ALWAYS must be linked to meeting some specific objective. I mean, if you don’t know what you are aiming for, how can you know that you have succeeded/failed, and how do you evaluate risks and uncertainties? Hence, the level of risk taking (your risk appetite) is linked to meeting the objective.

    As an example, you may opt to play lotto in the hope of winning a gazillion, well aware the likelihood is minuscule. Doing that, you accept the risk of losing the money you pay for lottery tickets. You may, on that very same day, opt to buy product A instead of product B because it is 50 cents cheaper. Just having spent 5 dollars on lottery tickets, this may seem inconsequential.

    Companies take, and must take, significant risks to grow/develop and prosper in an ever-changing world. They do this fully aware of the possibility that, e.g., their new development may never become a profitable product. At the same time, they scrutinize manufacturing processes to save money where possible (without jeopardizing quality or other measures below acceptable limits).

    Risk appetite in its proper application is a matter of deciding, be it based on science, analytics, Monte Carlo simulation or mere gut feeling, whether or not we opt to go ahead or to reduce risk taking further before moving ahead (or decide not to move at all). This is implicitly or explicitly (I personally prefer the latter as a means of communication) your risk appetite (or risk tolerance in ISO 31000 terminology).

    • Norman Marks
      October 26, 2021 at 4:30 AM

      Hans, thank you for your comment.

      I agree with your discussion.

      However, I see a huge difference between risk limits or criteria and the idea of a higher-level risk appetite.

      Guidance on specific sources of risk or uncertainty makes good business sense.

      But a risk appetite “amount” of risk does not when it attempts to aggregate disparate sources of risk.

      Risk tolerance is another term that has its difficulties as there is no accepted definition. If it translates to a limit or policy, then fine.

      Frankly, I still like the idea that people are instructed to escalate decision-making when there is a possibility of loss greater than their approval level. (This is an approach taken by SAP when I was there.)

  5. October 26, 2021 at 3:06 AM

    In general terms, decisions are about, “What is the best option?” Choosing the best option involves comparing the benefits with the threats involved for each option. Risk appetite is where the difference between the two becomes unacceptable, that is, the threats aren’t justified by the benefits.
    So if you are a pack of hungry wolves chasing a bear, the benefits are a good meal, the threats are death or serious injury. The decision to attack depends on the risk appetite of the pack, and that will depend on their hunger, pack size and the strength of the bear.
    Thus I would argue that risk appetite is part of every decision, but it can’t be summarised into a formula. In a business, risk appetite will vary with the economic circumstances, rate of return required, the people making the decision and the quality of the lunch they have just eaten.
    How can you make sure people are making the right decisions? Train them, monitor the actual results from the decision against the hoped for and learn from the difference.

    • Norman Marks
      October 26, 2021 at 4:36 AM

      David, I agree that a wolf pack will decide whether it is safe to go out and seek food. But does it have a “risk appetite”? Does the pack leader consider some aggregate of the various sources of harm? Does he add the possibility of an attack by a rival to the possibility of encountering humans with guns?

      There’s a difference between risk appetite and lower level risk criteria or tolerances (however you define them).

      Risk limits and policies for specific situations make good business sense….but risk appetite?

      • October 26, 2021 at 8:38 AM

        I believe the pack leader would aggregate all the possible sources of harm, including a rival attack and humans with guns. In these cases the ability to take into account all risks and then make a decision based on benefits vs threats (i.e. set a risk appetite) could be literally a life and death decision.
        In this case however there is no “specific situation”, every one is different.

        • Norman Marks
          October 26, 2021 at 8:42 AM

          David, the risks you are aggregating are related – they arise from the decision to go out for food. I threw in others that are not related to that decision. Would you aggregate those and compare to a risk appetite statement?

          • October 26, 2021 at 1:21 PM

            Norman, risks would only be included if they were related to the objective (get food). Since every situation is different there would be no point in a risk appetite statement other than a very general one, such as “get food without being killed”.

  6. October 26, 2021 at 6:47 AM

    Instead of trying to define some type of Risk Appetite statement, it is in my view more helpful to define risk capacity and risk tolerance, which should translate into operational monetary limits. An example: “The company accepts credit exposure to a customer rated X up to Y times the gross margin on that customer and no more than Z million at any time cumulative for all customers. Exceptions to be escalated to…..”
    Thus, risk is related to the sales opportunities and objectives. Similar rules can be defined for procurement, financing etc.
    Risk tolerance could be set to zero for injuries, spills, etc.

    • Norman Marks
      October 26, 2021 at 6:50 AM

      I like the concept of risk capacity, which can change as the company is more or less successful, or builds capabilities such as new systems, personnel, etc.

  7. October 26, 2021 at 12:18 PM

    I agree in principle with the concept of risk appetite, but not in its current form, expressed simply as static statements.

    In my first CISO job I was hauled before the board to explain why minor security breaches such as viruses etc. were being allowed to happen. I told them that 100% security wasn’t a practical option (particularly as I had zero budget for anything) and then asked them how many incidents, and what loss value from them, was acceptable, therefore. Predictably, the answer was “none”. Clearly, there was work to be done in setting the board’s expectations to something approaching reality. So in my view ‘risk appetite’ starts with an honest conversation at board level as to what is achievable, what is not, and at what cost. The second part of that conversation is getting them to prioritize the types of impact that the board considers most and least unacceptable. In my company’s case, their 150-year reputation was right at the top, followed closely by data integrity (it was a global news organization). Financial losses were oddly right at the bottom due to the company’s enormous cash mountain.

  8. Davaa
    October 26, 2021 at 6:59 PM

    Your insights on risk appetite are always helpful. Would you agree that if there needs to be a risk appetite statement as required by either regulators or the board, it should be about how a decision should be made about specific situations (or who should make them) rather than what decisions should be made?

  9. Norman Marks
    October 26, 2021 at 7:33 PM

    I would talk to them and explain the policies and limits, etc. we have that make sure we take the right level of risk. I would summarize them in a “risk appetite statement” even if there was no single “risk appetite amount”.

  10. John Fraser
    October 28, 2021 at 9:22 AM

    It may be of interest to understand some of the history of these terms. Before 2004, the terms risk appetite and risk tolerance were used synonymously. In 2004 COSO came up with separate and errant definitions, suggesting that an organization would have a single risk appetite. This caused massive confusion. Then, after the 2008 financial crisis, the Financial Stability Board, which drives regulations in the financial industry, felt they had to do something to try and address the weaknesses that had been shown in risk management. So they came up with the idea of a risk appetite statement. This was a boon for consultants who were hired by the banks in order to comply, but achieved very little. It is mainly a compliance exercise. In our recently published book on ERM are two chapters demonstrating practical methods of using risk appetite for prioritization of objectives, risks and resources.

  11. October 31, 2021 at 8:03 PM

    Hi Norman – thank you for your kind compliment regarding my post…I hope your readers find it helpful.

    I’m not sure I would call myself a “believer” in risk appetite. I certainly don’t try to make a square peg fit in a round hole. It can be a useful tool in certain cases, but it’s not for everyone. It really depends on company culture and needs. It can be helpful, as you acknowledge in your reply to Sjoerd’s comment, for various financial or operational concerns. When it comes to strategy though…a different approach is needed.

    When speaking with companies, I work to understand where they want their focus to be. If they want to focus more on strategy and opportunities, then I ask “what does success mean to you?” and “what are you willing to put on the table to achieve that goal or opportunity?” Notice I never use the word “risk” in these circumstances.

    I agree that the concept of risk appetite is flawed with some people placing too much emphasis or importance on it. I just want to be careful that we don’t “throw the baby out with the bath water.”

    • Norman Marks
      November 1, 2021 at 6:35 AM

      Carol, thank you for the comment.

      Risk limits and policies that guide decision-making make a lot of business sense. It’s the idea of risk appetite that I believe is a problem. Not only does it do little (beyond, perhaps, sparking a discussion of risk attitudes), but it is a distraction from effective risk management.

