Organizations need to take risks to achieve their objectives. But if they take too many risks, they're likely to lose more than they can afford to. So the question is: what degrees and types of risk is an organization willing to accept if doing so gets the organization to where it wants to be? This question, stated another way, is the concept of risk appetite.
So what is risk appetite? Why should businesses have an explicit policy on it? And how do they go about crafting this policy? Those are the issues we’ll discuss below.
What is Risk Appetite?
Risk appetite is a general outline of the types and amounts of risk an organization is willing to accept in operating towards its goals. In other words, accepting these risks has a less adverse effect on the organization’s ability to achieve its objectives than trying to mitigate these risks.
Essentially, risk appetite is an organization’s acknowledgement of needing a balance between taking risks to innovate and grow, and being prepared for when things change or don’t go as planned.
Risk Appetite vs. Risk Tolerance
Related to the concept of risk appetite is risk tolerance. The difference between the two is that risk appetite is an average level of risk a company is willing to accept. Risk tolerance, meanwhile, is how far outside its own risk appetite an organization is willing to go before it begins to actively mitigate risk.
To use a metaphor, think of an organization as a person driving their car. The posted speed limit is the risk appetite, and what they should use as their guide to drive safely. But drivers rarely drive at exactly the posted speed limit; many feel comfortable driving 5 to 10 miles over it. This would be their risk tolerance: how far they are willing to go beyond their initial risk appetite.
Just like drivers, organizations can have drastically different risk tolerances. Some people drive at exactly the speed limit, some won’t go more than 5 miles over, while others are willing to drive 10 to 20 miles over. But the further beyond that risk tolerance they go, the more they are at risk of being fined or getting in an accident.
Risk tolerances aren’t static either. People—and organizations—may have a different risk tolerance in different situations. After all, in an emergency, drivers are sometimes willing to go faster than they normally would.
Risk appetites themselves aren’t static either. Ambulances and law enforcement are allowed to drive well beyond the speed limits when people are in danger, as the risk scenario is drastically different in that case. Risk appetites can shift based on certain circumstances, or be changed entirely based on changes to the associated risk. For example, highway speed limits can be increased or decreased slightly based on changes in risk levels, changing the risk appetite, and forcing the risk tolerance to adjust as well.
When it comes to risk appetite at a company, an organization finds ‘balance’ by adopting and adjusting risk management controls.
Benefits of Having a Defined Risk Appetite
So, if an organization is going to have to adjust its risk appetite and tolerance regularly, why should a company even build out an explicit risk appetite framework? There are several reasons, including:
- Identifying risks: In evaluating how much risk it’s willing to take on, an organization naturally will have to become aware of the specific risks it faces.
- Setting realistic goals: It can be good for an organization to be ambitious, but not if the path towards its objectives is so risky that those goals likely won’t be achieved. Determining risk appetite helps an organization pick targets that can be reasonably reached while taking on a comfortable level of risk.
- Making informed risk-based decisions: When an organization has a baseline for what kinds of risks it is or isn’t willing to take, it gives senior management a set of guidelines within which to steer the company’s direction while maintaining appropriate risk levels.
- Properly allocating resources: By establishing where it faces risks and how much risk it faces in each area, an organization can move resources from areas where risk mitigation isn’t needed as much to areas where risk poses more of a threat.
- Increasing organizational transparency: Having a codified model for risk appetite helps an organization establish standards for employee conduct in day-to-day affairs. It also helps to inform expectations and decision-making for stakeholders, regulators, lenders, and others who interact with the organization.
Now that we’ve discussed why organizations should define their risk appetite, we’ll talk more about how to assess it.
Levels of Risk Appetite
Unfortunately, there is no universal framework for risk appetite levels. Every organization is different, and so types and amounts of risk are relative. That means an organization has to decide for itself what constitutes high-risk or low-risk behavior.
However, a model for risk appetite might look something like this:
- Averse: The lowest level of risk appetite. At this level, an organization is making risk avoidance one of its top priorities. It will always choose the least risky actions, and invest in controls to curb risks wherever possible. For actions where controlling risk is not possible, the organization may refuse to move forward with an action altogether.
- Minimalist: A low risk appetite. An organization will try to avoid risk and uncertainty where possible, even if this means minimizing potential rewards. The organization will generally stick to actions that are necessary for its fundamental operation, and those that have a low chance and impact of failure.
- Cautious: A moderate risk appetite. An organization prefers actions where controls can limit residual risk, even if this also limits potential rewards. The organization may take some riskier actions, but only if it can minimize the chance and impact of failure, and only if these actions have much bigger upsides if they succeed than downsides if they fail.
- Flexible: A high risk appetite. An organization is willing to consider riskier actions and objectives that may provide greater rewards. It may even pursue them if there is strong enough justification for doing so. At this level, there is much greater focus on controlling the impacts of failures than on avoiding risk and uncertainty altogether.
- Open: The highest level of risk appetite. An organization will pursue actions and objectives that provide the highest potential rewards, if there is ample justification for doing so. The organization fully expects the road ahead to be uncertain, and accepts the possibility that some of its ventures may fail.
How to Determine Your Risk Appetite and Risk Tolerance (and Develop a Framework)
So, in light of the framework above, how does an organization determine its risk appetite? A basic roadmap looks like this:
1. Understand the Risks Your Company Faces
Brainstorm the types of risks the organization faces. Consider both internal and external factors, and consult with all necessary stakeholders (e.g. senior management, frontline employees, risk team, regulators, and major partners). Also consider potential risks associated with any future opportunities the organization is looking to pursue.
2. Identify the Top Risk Types
Determine which areas of risk are the most important for the organization to focus on. Usually, these will be areas where there is overlap in the identification of risks between stakeholders during brainstorming.
3. Prioritize Risk Management Efforts
Prioritize risks by considering how threatening each one is. Consider factors such as the rough likelihood that the risk will cause an adverse event, the general impact the adverse event would have, and approximately how prepared the organization is (or can be) to react to that adverse event. Also remember that risks can have impacts in more than one area at once, such as on finances AND reputation.
4. Determine & Establish Procedures
Articulate what actions will be taken to manage risk, and when. Sometimes, a risk will be expected and will warrant no more than ongoing monitoring to ensure it doesn’t get worse. Other times, an organization will notice certain risks becoming harder to control and have to investigate the root causes. And in some cases, a risk will be totally outside an organization’s risk appetite and tolerance, and require an immediate response.
5. Develop a Clear Risk Appetite Program
Draft a risk appetite statement. This is a document that identifies key risk types the organization faces, and explains why or how they might impact the organization. It should also outline what levels of risk appetite the organization has in different areas, including key signs that risk appetite and tolerance in a certain area are (close to) being exceeded. Finally, it should specify circumstances in which the organization’s risk appetite or tolerance in a certain area may increase or decrease.
We should note that the above method of crafting a risk appetite policy is largely qualitative in nature. However, it can be helpful to include specific risk appetite metrics to create more convincing arguments in favor of investing in risk management. Examples include calculated likelihoods of adverse events, control effectiveness ratings, and—based on these—the average amount of money potentially lost to a risk (either annually or in a specific event).
Make Financial Crime One Less Risk to Worry About with Unit21
While some risks are inevitable, others can be controlled by having the right tools and systems in place. When an organization is able to reduce its inherent risks down to just a few residual risks—preferably at less cost—it opens up the possibility of having a higher risk appetite. This, in turn, creates the potential to reap more rewards.