What's Your Appetite for Risk?
Risk appetite is a key part of business development, but it's often difficult to define. Author and risk management expert Paul Hopkin outlines his thoughts on risk appetite and attitude and sets out some guidelines.
Defining Risk Appetite and Attitude
Risk appetite is a vitally important concept in the practice of risk management. However, it is a very difficult concept to precisely define and apply in practice. Risk appetite is sometimes considered to be defined by the risk criteria established by the organization. This is the next phase of the risk management process after the risks have been rated in terms of likelihood and impact.
Risk appetite is the immediate or short-term willingness of an organization to undertake an activity that involves risk.
Risk attitude and the risk criteria represent a longer term view of risk
This is much the same as the way in which a person will have an immediate appetite for food and a longer-term attitude towards food.
One of the fundamental difficulties with the concept of risk appetite is that, generally speaking, organizations will have an appetite to continue a particular operation, embark on a project or embrace a strategy, rather than a direct appetite for the risk itself.
In other words, risk appetite and risk exposure should be considered as a consequence of business decisions rather than a driver of those decisions. The decision on risk appetite is normally taken within the context of other business decisions, rather than as a stand-alone decision.
Taking Managed Risks
The typical advice in most risk management standards is that risk should not be managed out of context, so questions about the risk appetite can only be answered within the context of the strategy, tactics, operations and compliance activities being considered.
Many commercial organizations make adequate profits but take too much risk or make inappropriate use of the risk capacity of the organization. Risk capacity, or the capability of the organization to take risk, is not the same as the cumulative total of all of the individual values at risk associated with the risks facing the organization.
By contrast, risk appetite is the total value of the corporate resources that the board of the organization is willing to put at risk. Most organizations have not determined the value they should risk (risk appetite), nor calculated how much value is actually at risk (risk exposure), nor the capacity of the organization to take risk (risk capacity).
An organization should be able to decide how much it wishes to put at risk, based on the organization’s attitude to risk. Agreeing the risk appetite will ensure that the organization does not put too much (or too little) value at risk. Risk-taking needs to be at the optimal level and deliver maximum benefit. Similarly, the organization should not put more value at risk than is appropriate, given the sector in which it operates and prevailing market conditions.
The portion of risk appetite that is associated with opportunities can be considered as the opportunity investment that the organization is willing to embrace. They will be willing to invest resources in opportunities that potentially lead to positive gain. However, the organization should recognize that more value can be destroyed by incorrect strategic decisions than by hazard, control or even compliance risks. Careful identification of the nature of the risks and calculation of the actual risk exposure associated with the opportunity should be undertaken.