Many risk management professionals conflate risk appetite with risk tolerance. In reality, risk appetite should be the result of an extensive risk management analysis conducted within a framework for risk management.
An effective risk appetite allows companies to identify risks that threaten strategic objectives, and decide on measures necessary to mitigate them down to acceptable levels.
What is Risk Appetite?
Risk appetite refers to the acceptable level of risk an organization is willing to accept while pursuing objectives. It represents a balance between potential rewards of innovation and threats associated with change, according to ISO 31000 standard risk appetite definition, which states: "Risk appetite refers to both the amount and type of risks an organization is willing to pursue, retain, or accept."
Organizations developing risk appetite frameworks should begin by identifying risks relevant to their strategy and operations, using an evaluation method that compares failure costs with potential rewards of success. Once this evaluation is complete, its results should be plotted on what's known as a "risk tolerance heat map."
Each department in an organization may have its own risk appetite that reflects factors like job responsibilities and incentives; however, the overall risk appetite of an organization should be determined by senior management based on strategic goals and objectives set for them - to ensure that risks taken will help achieve business goals rather than hinder them.
Factors of Risk Appetite
Risk appetite can be affected by many different external and internal influences, with external influences having more of an effect than internal ones. A company's financial goals can have a major influence on its risk tolerance - this is especially true of organizations operating in highly competitive industries where taking more risk can provide an edge against rival firms.
Culture can have a significant effect on risk appetite within companies. Employees encouraged to take risks may increase risk-taking tendencies, which in turn allows the business to achieve strategic goals more easily.
Company leaders should regularly assess their risk appetite to ensure their company is taking on sufficient risk to meet its goals and avoid taking on unnecessary ones or misusing resources inefficiently. By developing a risk appetite statement, businesses can ensure all their employees, the Board of Directors, and investors agree on how much risk they're willing to accept.
How is Risk Appetite Determined?
Risk appetite is typically determined by the board and often depends on factors like the nature of work and goals being pursued. For instance, an organization may have low health and safety risk tolerance while having higher risk tolerance when searching for innovative methods of product development.
Risk appetite determination differs from risk assessment as it takes into account both impact and likelihood when considering potential risk, rather than simply quantifying them. Furthermore, it takes into account any negative side-effects a negative outcome may bring - such as losing market share or becoming technically bankrupt - into consideration.
Once the risk appetite is set, it is imperative that it reflects how an organization operates, with tolerances aligning with the overall risk appetite and strategic goals of the business. Workshops that encourage business units to consider the risks they are taking daily are one effective way of doing this.
Is Risk Appetite Subjective?
There is much confusion in risk management about the definitions of various terms; thus, some essential distinctions such as between risk appetite and tolerance may go overlooked.
Consider that your company is currently developing a product it anticipates will meet consumer demand and generate revenue, but supply chain issues have caused delays that push back its launch date, decreasing consumer enthusiasm for it and market demand. Your business must then decide based on its risk tolerance whether to release it on to consumers.
An organization's risk appetite can vary significantly. A business may opt for high risks or prefer taking low ones; regardless, each organization must determine its own risk appetite in accordance with its goals and objectives.
Does Risk Appetite Depend upon Risk Capacity?
Organizations can establish risk appetite based on both internal and external considerations, enabling them to determine acceptable levels of risk. For instance, one company might decide it's okay to take on some financial risks in order to expand their business while another might prioritize stability or compliance with regulations (like HIPAA).
Risk-taking and risk tolerance vary between departments depending on their goals and objectives; for instance, marketing teams might have a higher tolerance than legal or HR departments because they tend to prioritize opportunities for growth and rewards.
Although many professionals use the terms risk appetite and capacity interchangeably, it is essential to differentiate them when creating your risk management framework. Looking closer at risk tolerance vs capacity can help with better understanding the terms.
Doing so helps demystify this concept and protects your organization from misalignments between their risk appetite and actual results - for instance, if only driving at speeds compliant with traffic regulations it will be almost impossible to reach their goals.
What is an Example of Risk Appetite?
Risk appetite is an expression of tolerance levels for companies and organizations in alignment with their overall strategic and business objectives. An organization with a higher risk appetite may take more risks for potential growth and profits; however, it will still need a governance model in place to ensure they operate within acceptable levels of inherent risk.
Contrarily, an organization with a low-risk appetite may take more cautious approaches when making decisions and avoid taking any risks that could cause loss to customers or the company itself. Such decision-making could also be affected by regulations for banks and insurance providers.
Boards of directors are charged with creating and implementing an efficient enterprise risk management (ERM) framework to guide their organization and decision-making processes. One method of doing so is creating a risk appetite statement which can be utilized across the organization or for individual initiatives.
Is High-Risk Appetite a Bad Thing?
As your business expands, so must its risk appetite. Assess, monitor, and manage risks associated with each strategic objective and key performance indicator as part of managing them effectively. Furthermore, there must be an easy method for communicating this appetite as well as associated risk tolerances throughout your organization.
Establishing a clear risk appetite is an integral step toward stronger cybersecurity, but monitoring and reporting on how well security measures are working is just as essential. Otherwise, too much time could be spent reducing risks that already fall below your appetite while too little focus would be placed on those that require extra focus.
Risk Appetite Vs. Risk Tolerance
While there remains considerable debate in the risk management industry regarding these concepts, most agree they're helpful at least in setting a baseline and prioritizing mitigation efforts. For example, an organization could decide that any financial or reputational losses greater than necessary are unacceptable to meet its objectives; setting an appetite of zero would mean all decisions would be evaluated against this objective when making decisions.
An analogy with highway speed limits might be useful in clarifying this difference: State transportation authorities establish speed limits that represent their beliefs regarding an ideal balance among traffic flow, wear-and-tear costs, public safety, and user comfort. Unfortunately, users of roadways will often exceed or fall below the speeds set forth by transportation authorities.
At its core, risk appetite and risk tolerance must be defined with actionable parameters that reflect an organization's goals. Our ERM tool, UC RADAR, features the functionality to create these scales which can then be implemented into an ERM risk assessment process.
Risk appetite and tolerance are determined by various stakeholders of a business, including institutional investors, individual investors, the board of directors, management, employees, and customers.
Risk appetite sets the threshold of how much risk a company is willing to assume for strategic objectives, while tolerance provides more detailed assessments of specific risks based on how they could impact those objectives.
A healthcare company might, for example, have an appetite for innovation but a low tolerance for risks related to patient safety or customer service. Therefore, the organization would seek to limit risk by avoiding those that exceed its tolerance limits; and minimize financial loss by only accepting manageable risks at reasonable costs. Ultimately, the goal should be achieving strategic objectives without jeopardizing financial security by connecting risk appetite with frontline processes via robust monitoring tools.
Risk appetite and tolerance both play integral roles in an effective risk management framework, with appetite setting the overall strategic direction and tolerance setting acceptable operational limits. Together they help improve decision-making and resource allocation and foster a preventative approach to risk management.
Consider, for example, a company expanding into new territories. Their risk appetite will determine how aggressively they pursue this expansion while considering potential losses, competition, and market conditions. A high-risk appetite could prompt more daring approaches in new territories while having low risks will allow more cautious expansion strategies to emerge.
An effective risk tolerance statement provides clear and consistent guidelines that connect frontline processes to an overall enterprise risk management framework. Furthermore, companies can evaluate and monitor risk tolerance through intuitive dashboards; by setting acceptable risks at set ranges, they can quickly identify those that exceed tolerance and focus mitigation efforts accordingly.
Risk appetite and tolerance concepts are integral components of an effective risk management process. Without them, it's possible to misdirect the focus of your organization's efforts at risk mitigation, miscalculate risk exposures, or overspend on cybersecurity tools and resources.
Residual risk definition provides an important way of measuring whether or not you operate within your risk appetite and the effectiveness of risk management activities. For instance, setting a low tolerance level for customer PII loss requires that all risk mitigation activities reduce its likelihood.
How to Approach Risk Appetite Development
Establishing an agency-wide risk appetite framework does not provide all the answers, but it can assist with accountable decision-making and assist management in exercising more informed professional judgment. Furthermore, such a framework serves as an excellent means of tracking whether an agency is on track with meeting its strategic objectives or drifting off course.
As part of its development process, when creating an appetite framework, it is vitally important that it is used across your business - it must not just be seen as an exercise conducted by the risk team or simply to tick a box - otherwise, its full impact and purpose might never be realized.
An ideal approach is a structured and facilitated process involving business leaders, stakeholders, and senior executives. This will give everyone involved an in-depth view of all risks associated with pursuing objectives, along with potential rewards or downsides from taking certain risks. By sharing this understanding among all members of an organization's risk appetite and preferences with company goals.
Will Lower Risk Appetite Lower Cyber Threat Risk?
Cyber threat risk should be an integral component of every company's overall risk profile, particularly for businesses in industries that impose compliance standards such as healthcare with regulations such as HIPAA that require them to adhere to regulatory standards. Failure to do so could incur fines by regulators; thus it's crucial for every business to understand their cybersecurity risk appetite importance so as to properly implement measures designed to manage this threat.
Cybercriminals often target companies with inadequate security measures, so accurately measuring cyber risk appetite is vital in developing an effective cybersecurity strategy. Utilizing accurate data allows security leaders to prioritize efforts effectively and reduce incidents as well as resource waste.
Due to this reason, it's critical for organizations to establish and communicate an explicit risk appetite framework, including third-party risk management teams. By asking relevant questions, companies can assess their appetite for risk and set forth a playbook to effectively manage operational risks before regularly alerting the board about them.
Determining Your Risk Appetite Scale
Establishing risk appetite is one of the primary steps in creating an effective risk management framework. Although some professionals use terms such as risk appetite and tolerance interchangeably, there are distinct differences between them that need to be taken into consideration when making this distinction.
Risk appetite refers to the amount of risk an organization is willing to accept in pursuit of its goals. Since risk appetite can be an emotional and subjective decision, it is wise to periodically evaluate it through discussion among your leadership team. A great way to do so would be to hold annual discussions regarding it.
Risk appetite requires identifying potential impacts of risks, and setting thresholds to establish what types of risks your organization can accept - for instance, life loss risks might not be acceptable, while data breaches might.
To establish your risk appetite, a risk appetite table can help define it. However, it's important to keep in mind that this tool should only serve as one part of an overall assessment and management of potential risk events.
How Risk Appetite Affects Decisions
Many boards of directors have an inherent desire to increase transparency regarding the risk-taking behavior of their entity. Doing so can assist with aligning business decisions with strategy, enhancing risk appetite across different parts of the business, and moving away from seeing risk management as simply another box-ticking exercise.
An effective risk appetite statement provides the ideal way to accomplish this. It outlines an acceptable level of risk within a specific context, setting expectations for day-to-day decisions. Furthermore, it can serve to highlight any risks outside the accepted range and initiate an action plan if they occur.
However, some common misperceptions that could undermine the efficacy of a risk appetite statement should be noted here. Some notable ones include:
Can Risk Appetite Change?
An effective risk management framework must include clearly delineated terms like "risk appetite" and "risk tolerance", otherwise professionals could misinterpret what these concepts mean in practice and misunderstand their effect on business operations.
Establishing risk appetite is crucial for all companies, regardless of industry or size. All businesses take risks to achieve their goals, so having an established definition of risk appetite will help ensure they do not become excessive.
Risk appetite can be determined at various levels within an organization, from executive leadership to individual departments. Each department's risk appetite is affected by factors like company culture and its willingness to take risks in pursuit of its strategic objectives.
A robust risk management system also enables businesses to easily link frontline processes with overall risk appetite through intuitive dashboards allowing them to quickly recognize when they fall outside their acceptable risk threshold range and make necessary adjustments quickly.
Does Risk Appetite Depend upon Risk Capacity?
Many risk management professionals misuse the terms "risk appetite" and "risk tolerance", but these two concepts should not be confused with each other. Risk appetite refers to an organization's willingness to assume an acceptable level of risk when pursuing objectives considered valuable by its members, while risk capacity refers to how much residual risk it can tolerate once controls and other risk mitigation measures have been put in place.
the process of creating and communicating risk appetites can be intricate and time-consuming, requiring an in-depth knowledge of an organization's risks and opportunities, along with their implications on its stakeholders. Furthermore, maintaining and refining the risk appetite framework is an ongoing commitment in an ever-evolving business environment.
Stakeholders of an organization often hold very diverse opinions when determining its risk appetite and this should be taken into account when formulating its framework. For instance, shareholders might prefer that an organization limit risk in ways consistent with earnings and stock price stability goals while lenders might require that it focus on mitigating bankruptcy risks as a priority.
Safest Models to Use to Avoid Risk
There can be much confusion surrounding the terms "risk appetite" and "risk tolerance". While many risk professionals use them interchangeably, there are key distinctions that impact how your risk management framework is constructed.
Johannes Swanepoel from Standard Model Partners states that risk appetite refers to how an organization accepts risk in pursuit of its goals, rather than risk tolerance, which refers more specifically. According to Swanepoel, risk appetite refers to how much of a risk an organization is willing to assume to meet its objectives.
Understanding these distinctions is critical since a successful enterprise risk management (ERM) framework relies on consistent use of risk terminology across an organization. Establishing a risk taxonomy is one way of ensuring employees understand and apply these terms consistently.
USAID's new Risk Appetite Statement will assist Agency staff in making informed decisions regarding balancing risks and opportunities, and enhance existing ERM tools. It also supports our efforts to meet OMB's requirement that Federal agencies integrate their internal control systems with ERM practices. For more information about using UC RADAR please visit our ERM Help Desk.
How to Write a Risk Appetite Statement
An effective risk appetite statement outlines desired levels of risk-taking that align with strategic goals, providing a guide for decision-making and playing an integral part in an enterprise risk management framework.
Start by conducting an in-depth analysis of your industry to identify the major risks facing your business, along with their impacts, likelihood, and severity. Use this data to create a risk appetite statement so business leaders and project managers can make well-informed decisions.
Finally, it's essential that organizations find an information security champion who can act as their spokesperson on this issue. This person will provide more in-depth explanation of risks to the organization while helping other employees understand how to assess risk in their roles.
It is essential that any risk appetite statement be easily understood by all members of an organization, regardless of experience levels. A clear risk appetite statement will prevent miscommunication and confusion that could otherwise lead to poor decision-making.
What are the Best Practices for Strengthening Cyber Security?
Businesses can follow various best practices to enhance cyber security, including zero-tolerance firewalls, intrusion detection/protection and anti-virus protection, VPNs and encryptions, password hygiene, and dual authentication access control systems. Furthermore, businesses can create threat intelligence or even a Security Operations Center to assist them with this effort.
Maintaining software and systems updates is another must for maximum safety, as updates can fix security flaws that hackers use to access systems. Furthermore, regular backup checks should ensure they function effectively.
Education of employees regarding cybersecurity best practices is also of critical importance, including warning them not to click on suspicious links or emails and teaching them how to recognize phishing attacks that try to gain their credentials or introduce malware into the system.
Although these tips will help keep your business secure, even with all due care taken to protect it, even the most diligent business will likely experience attacks at some point. The key is quickly detecting them and reacting appropriately.