Risk Appetite

November 11th, 2008

Risk appetite represents the amount of risk that an entity or person is willing to accept in the pursuit of their goals and objectives. The level of risk will vary from low to medium to high. It depends on how the entity balances its goals for growth, return, and investment. This usually relates to quantitative analysis and applied directly to strategy.

The Enterprise Risk Management framework works to enhance the organization by facilitating risk appetite and strategy. This is a process of linking growth, risk, and return. Using this approach provides a balance for enhancing risk response decisions and helps to minimize operational surprises and losses. It is a great platform for identifying and managing cross-enterprise risks and providing integrated responses to multiple risks. In short, it helps to reduce the downside and increase the upside. This is exactly the approach to apply in the turbulent ecomomic conditions that we face today.

Risk appetite is established by finding an acceptable balance between growth, risk and return. It is a process of finding the right relationship between risk appetite and strategy. The risk management framework assists in the alignment of people, processes, and infrastructure. Essentially strategy guides the process of resource allocation.

Another aspect of understanding risk appetite is dealing with the entity’s tolerance for risk. This boils down to reaching acceptable levels of variation to achievement of objectives. It should be measurable. You want to align the organization to ensure that actual results will fall within an acceptable level of risk tolerance. Operating with an acceptable level of risk tolerance gives management greater assurance that the entity stays within it risk appetite.

You might ask how do we form a defined risk appetite. We need to evaluate the impact of a potential event between low, medium, and high. At the same time we need to consider the likelihood of an event occuring and making a judgment as to whether it is low, medium, or high. Events that have low impact and a low likelihood of occurence will produce a situation falling within risk appetite. On the other hand an event with high likelihood and high impact will exceed our risk appetite.

We need to define events as incidents or occurrences that are internal or external that could affect the implementation of strategy or impair the achievement of goals and objectives. What management needs to do is identify uncertainties that exist and assess when they could occur and what will be the outcome. It is a process of evaluating a range of potential events and ranking them from obvious to obscure. The next step is to measure the potential effect from significant to insignificant. Finally a determination must be made relative to the likelihood of occurrence.

It is really a common sense and straight forward approach to managing the business by following these simple rules. Unfortunately not enough management teams follow this disciplined approach. Instead they follow the methodology of “fire, ready, aim.” This is the probably the best way to lose the game. I think there is a better way as I have described above. It is a lot easier to do it right than suffer the consequences of doing it wrong.

Posted in Internal Control, Uncategorized |