Risk Appetite

Establishing A Tolerance Level

Organizations need to take risks to achieve their objectives. But if they take too many risks, they're likely to lose more than they can afford to. So the question is: what degrees and types of risk is an organization willing to accept if doing so gets it to where it wants to be? This question, stated another way, is the concept of risk appetite.

So what is risk appetite? Why should businesses have an explicit policy on it? And how do they go about crafting this policy? Those are the issues we’ll discuss below.

What is Risk Appetite?

Risk appetite is a general outline of the types and amounts of risk an organization is willing to accept in operating towards its goals. In other words, accepting these risks has a less adverse effect on the organization’s ability to achieve its objectives than trying to mitigate these risks.

Essentially, risk appetite is an organization’s acknowledgement of needing a balance between taking risks to innovate and grow, and being prepared for when things change or don’t go as planned.

Risk Appetite vs. Risk Tolerance

Related to the concept of risk appetite is risk tolerance. The difference between risk tolerance and risk appetite is that risk appetite is the average level of risk a company is willing to accept. Risk tolerance, meanwhile, is how far outside its risk appetite an organization is willing to go before it begins actively mitigating risk.

A common analogy is driving. The posted speed limit reflects risk appetite, while how far a driver exceeds it represents risk tolerance. Some drivers stay close to the limit, while others push it further, but the farther they go, the higher the chance of penalties or accidents.

The difference between risk appetite and risk tolerance.

Both risk appetite and risk tolerance can change depending on circumstances. Just as emergency vehicles operate under different rules, organizations may temporarily adjust risk thresholds during periods of disruption, growth, or crisis. These shifts should be intentional, documented, and supported by strong risk controls.

What Are the Benefits of Having a Defined Risk Appetite?

So, if an organization has to adjust its risk appetite and tolerance regularly, why should a company even build an explicit risk appetite framework? There are several reasons, including:

  • Identifying risks: In evaluating how much risk it’s willing to take on, an organization must become aware of the specific risks it faces.
  • Setting realistic goals: It can be good for an organization to be ambitious, but not if the path to its objectives is so risky that those goals are unlikely to be achieved. Determining risk appetite helps an organization identify targets that can be reasonably achieved while maintaining a comfortable level of risk.
  • Making informed risk-based decisions: When an organization has a baseline for what kinds of risks it is or isn’t willing to take, it gives senior management a set of guidelines within which to steer the company’s direction while maintaining appropriate risk levels.
  • Properly allocating resources: By identifying where it faces risks and the level of risk in each area, an organization can reallocate resources from areas where risk mitigation isn’t as critical to those where it poses a greater threat.
  • Increasing organizational transparency: Having a codified model for risk appetite helps an organization establish standards for employee conduct in day-to-day affairs. It also helps to inform expectations and decision-making for stakeholders, regulators, lenders, and others who interact with the organization.

Now that we’ve discussed why organizations should define their risk appetite, we’ll talk more about how to assess risk appetite.

What Are the Levels of Risk Appetite?

Unfortunately, there is no universal framework for risk appetite levels. Every organization is different, and so types and amounts of risk are relative. That means an organization has to decide for itself what constitutes high-risk or low-risk behavior.

However, a model for risk appetite might look something like this:

  1. Averse: The lowest level of risk appetite. At this level, an organization is making risk avoidance one of its top priorities. It will always choose the least risky actions, and invest in controls to curb risks wherever possible. For actions where controlling risk is not possible, the organization may refuse to move forward with an action altogether.
  2. Minimalist: A low risk appetite. An organization will try to avoid risk and uncertainty where possible, even if this means minimizing potential rewards. The organization will generally stick to actions that are necessary for its fundamental operation, and those that have a low chance and impact of failure.
  3. Cautious: A moderate risk appetite. An organization prefers actions where controls can limit residual risk, even if this also limits potential rewards. The organization may take some riskier actions, but only if it can minimize the chance and impact of failure, and only if these actions have much bigger upsides if they succeed than downsides if they fail.
  4. Flexible: A high risk appetite. An organization is willing to consider riskier actions and objectives that may provide greater rewards. It may even pursue them if there is strong enough justification for doing so. At this level, there is much greater focus on controlling the impacts of failures than on avoiding risk and uncertainty altogether.
  5. Open: The highest level of risk appetite. An organization will pursue actions and objectives that provide the highest potential rewards, if there is ample justification for doing so. The organization fully expects the road ahead to be uncertain, and accepts the possibility that some of its ventures may fail.

How to Determine Your Risk Appetite and Risk Tolerance

So, in light of the framework above, how does an organization determine its risk appetite? A basic roadmap looks like this:

1. Understand the Risks Your Company Faces

Brainstorm the types of risks the organization faces. Consider both internal and external factors, and consult with all necessary stakeholders (e.g. senior management, frontline employees, risk team, regulators, and major partners). Also consider potential risks associated with any future opportunities the organization is looking to pursue.

2. Identify the Top Risk Types

Determine which areas of risk are the most important for the organization to focus on. Usually, these will be areas where there is overlap in the identification of risks between stakeholders during brainstorming.

3. Prioritize Risk Management Efforts

Prioritize risks by considering how threatening each one is. Consider factors such as the rough likelihood that the risk will cause an adverse event, the general impact the adverse event would have, and approximately how prepared the organization is (or can be) to react to that adverse event. Also remember that risks can have impacts in more than one area at once, such as on finances and reputation.

4. Determine & Establish Procedures

Articulate what actions will be taken to manage risk, and when. Sometimes, a risk will be expected and will warrant no more than ongoing monitoring to ensure it doesn’t get worse. Other times, an organization will notice certain risks becoming harder to control and have to investigate the root causes. And in some cases, a risk will be totally outside an organization’s risk appetite and tolerance, and require an immediate response.

5. Develop a Clear Risk Appetite Program

Draft a risk appetite statement. This document identifies the key risk types the organization faces and explains why or how they might impact the organization. It should also outline the organization's risk appetite levels across different areas, including key signs that risk appetite and tolerance in a given area are (close to) being exceeded.

Finally, it should specify the circumstances in which the organization’s risk appetite or tolerance in a certain area may increase or decrease. We should note that the above method of crafting a risk appetite policy is largely qualitative in nature. However, it can be helpful to include specific risk appetite metrics to create more convincing arguments in favor of investing in risk management.

Examples include calculated likelihoods of adverse events, control effectiveness ratings, and, based on these, the average amount of money potentially lost to a risk (either annually or in a specific event).

Make Financial Crime One Less Risk to Worry About with Unit21

While some risks are inevitable, others can be controlled by having the right tools and systems in place. When an organization is able to reduce its inherent risks down to just a few residual risks—preferably at less cost—it opens up the possibility of having a higher risk appetite. This, in turn, creates the potential to reap more rewards.

Unit21’s Transaction Monitoring and Case Management solutions work together to make fighting fraud and financial crime easier. So while your organization’s customers and accounts are covered, you can focus on the big picture. To try our products out yourself, schedule a demo with us today.
