Risk appetite

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives^[1], before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. This concept helps guide an organization's approach to risk management. Risk appetite factors into an organization's risk criteria, used for risk assessment.^[2]

Definition[edit]

ISO 31000 defines risk appetite as the "amount and type of risk that an organization is willing to pursue or retain."^[3]

Risk appetite is burdened by inconsistent or ambiguous definitions, but rigorous risk management studies have helped remedy the lack of consensus.^[4] This remainder of this section compares the standardized definition of risk appetite with other related terms.

Risk threshold[edit]

Since risk appetite can be stratified into levels of risk, risk threshold can be defined as the upper limit of risk appetite.^[5] Risk threshold can also be defined as the maximal exposure^[6] before risk treatment (i.e, action to reduce risk) is necessary.

Risk appetite is often used ambiguously to mean either all of the levels of risk below the threshold, or just the threshold level.

Risk attitude[edit]

Risk attitude is an organization's approach to (assess and eventually pursue, retain, take or turn away from) risk.^[7] Risk appetite is the amount and type of risk an organization is willing to pursue, retain, or take.

According to the Risk Appetite and Risk Attitude (RARA) Model, these two concepts "act as mediating factors between a wide range of inputs and key outcomes," which aids in decision-making. Risk appetite is expressed as risk thresholds, whereas risk attitude influences choice of risk thresholds.^[4]

Risk tolerance[edit]

Whereas risk appetite is how much risk an organization is willing to take on, risk tolerance is how much risk an organization is capable of taking on. Therefore, an organization's risk threshold is always lower than or equal to its risk tolerance.^[5] Exposure past the risk tolerance limit (not to be confused with the risk threshold) is sometimes referred to as 'unacceptable risk', since it won't pass risk acceptance^[8].^[9]

For a simple example, consider an organization that is willing to ask for a loan of $50,000, but capable of asking for $100,000. In this context, $50,000 and $100,000 are levels of risk; the former is the threshold, the latter is the tolerance - one could possibly distinguish each bracket of $10,000 (under $50,000) as a different risk appetite. A loan of anything greater than $100,000 (or multiple loans adding up to the same, i.e, multiple risks) is considered unacceptable risk. This example combines qualitative and quantitative risk measurement.

Risk management[edit]

There is often a confusion between risk management and risk appetite,^{[citation needed]} with the rigor of the former now recovering some of its lost ground from the vagueness of the latter. When derived correctly, the risk appetite is a consequence of a rigorous risk management analysis, not a precursor. Simple risk management techniques deal with the impact of hazardous events, but this ignores the possibility of collateral effects of a bad outcome, such as for example becoming technically bankrupt. The quantity that can be put at risk depends on the cover available should there be a loss, and a proper analysis takes this into account. The "appetite" follows logically from this analysis. For example, an organization should be "hungry for risk" if it has more than ample cover compared with its competitors and should therefore be able to gain greater returns in the market from high-risk ventures.

Measurement[edit]

Qualitative[edit]

Below is one possible qualitative model of risk appetites (that is, risk levels^[10]) that a business may adopt to ensure a response to risk that is proportionate given their business objectives.^[11][12]

• Averse: Avoidance of risk and uncertainty is a key organization objective.
• Minimal: Preference for ultra-safe, low-risk options that only have a potential for limited reward.
• Cautious: Preference for safe options that have a low degree of risk and may only have limited potential for reward.
• Open: Willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money.
• Hungry: Eager to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk.

A more complex approach might have multiple dimensions of risk, such as a risk matrix.

The appropriate model may vary across an organization, with different parts of the business adopting an appetite that reflects their specific role, with an overarching risk appetite framework to ensure consistency.

Quantitative[edit]

Precise (quantitative) measurement is not always possible and risk appetite will sometimes be defined by a broad statement of approach or qualitative categories. An organization may have an appetite for some types of risk and be averse to others, depending on the context and the potential losses or gains.

However, measures can often be developed for different categories of risk. For example, it may aid a project to know what level of delay or financial loss it is permitted to bear. Where an organization has standard measures to define the impact and likelihood of risks, this can be used to define the maximum level of risk tolerable before action should be taken to lower it.^[13]

Implementation[edit]

In some organizational contexts, a board of directors are responsible for setting an organisation's risk appetite. In the UK the Financial Reporting Council says: "the Board determines the nature, and extent, of the significant risks the company is willing to embrace."^[14] The appropriate level will depend on the nature of the work undertaken and the objectives pursued. For example, where public safety is critical (e.g. operating a nuclear power station) appetite will tend to be low, while for an innovative project (e.g. early development on an innovative computer program) it may be very high, with the acceptance of short-term failure that could pave the way to longer-term success.

In other contexts, once upper management has set broad goals and expectations that integrate all interested parties' input and the organisation's obligations, decision-making is then delegated to authorising officials.^[15] These officials are authorised to make risk acceptance decisions at varying thresholds of risk acceptance criteria; different acceptance criteria may require higher levels of management to be authorised for acceptance.^[16]

Purpose and benefits[edit]

This section does not cite any sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (July 2024) (Learn how and when to remove this message)

By defining its risk appetite, an organization can arrive at an appropriate balance between uncontrolled innovation and excessive caution. It can guide people on the level of risk permitted and encourage consistency of approach across an organisation.

Defined acceptable levels of risk also means that resources are not spent on further reducing risks that are already at an acceptable level.

Main areas[edit]

This section does not cite any sources. Please help improve this section by adding citations to reliable sources. Unsourced material may be challenged and removed. (July 2024) (Learn how and when to remove this message)

In literature, there are six main areas of risk appetite:

1. financial
2. health
3. recreational
4. ethical
5. social
6. information

See also[edit]

• Enterprise risk management
• Risk analysis

References[edit]