This posting has been written as a precursor to a white paper, Embedding risk appetite within the strategy process that is currently under development which sets out a Risk Appetite Framework (RAF) providing an approach for embedding Risk Appetite into strategic and operational decision-making.
Defining Risk Appetite
The definition of risk appetite has been established via a number of risk related standards, starting with the COSO Enterprise Risk Management – an Integrated Framework, which defines risk appetite as the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. COSO goes on to two very important points related to appetite. Firstly, it states that it [risk appetite] reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Secondly, COSO establishes the link between appetite and strategy, stating explicitly; risk appetite is directly related to an entity’s strategy.
More recently, the Risk Management code of practice from the British Standards institution, BS31100:2008 defines risk appetite as the amount and type of risk that an organization is prepared to seek, accept or tolerate. This standard also relates appetite to strategy and governance stating; considering and setting a risk appetite enables an organization to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority.
So the definitions are clear, so let’s move onto the actual application of risk appetite within the strategy and operational decision-making process.
Risk Appetite is a multidimensional construct
When applying risk appetite, one of the first considerations must be that it is that risk appetite is its multidimensional nature.
Risk Appetite and the Strategy Process
Another key consideration when applying risk appetite is where does it actually fit in the overall organizational strategic and operational process.
Risk Appetite Framework
The Risk Appetite Framework (RAF) shows how risk appetite can be applied in strategic and operational decision-making, and drives value.
The Risk Appetite Framework is based on business drivers, the small number of critical factors that enable business objectives to be achieved and value delivered. All business have a few vital factors that disproportionally influence the success or otherwise of the business. It is these factors that shape the definition of strategic objectives and must also influence the organizations approach to risk management.
Therefore to embed risk appetite into strategic and operational decision-making, the organizational business drivers must be clearly understood and defined at the board and executive level. Based on the defined business drivers, strategic objectives and key risks are defined. They set out what the organization is aiming to achieve (objectives) and the threats and opportunities (risks) associated with those ambitions.
Risk dimensions are drawn from the business drivers and enable organizations to be explicit about how they will think about risk. Risk appetite will be defined and made measurable by defining levels of risk based on dimensions.