Understanding Enterprise Risk Management
Every business faces risk, yet studies conducted a few short years ago show that 69% of organizations don’t have enterprise risk
A plain-language explanation of risk appetite and overview of key concepts.
A plain-language explanation of risk appetite and overview of key concepts
This is the first article of a two-part guide on understanding and implementing risk appetite frameworks into enterprise risk management (ERM) programs. The guide is intended for board members, executive management and dedicated risk managers who want to familiarize themselves with the concepts of risk appetite and get ideas for practical, real-world approaches to incorporating risk appetite frameworks into their ERM programs.
This article provides an overview of risk appetite and its importance. It is accompanied by a second article that provides a practical, 7-step process for implementing risk appetite frameworks into ERM programs, including some real-life examples.
The first thing to know is that there is no single definition of risk appetite or approach to using it. Many regulators and oversight bodies require boards and executive teams to implement risk appetite frameworks, but none provide a prescriptive guide on exactly how to do so.
Second, the concepts of risk appetite are grounded in the study of human psychology and research into group risk taking and decision making. This provides a solid technical foundation and can make it an interesting topic. The downside, however, is that risk appetite also lends itself to complexity and risk jargon that can alienate business audiences and increase anxiety in the risk management process.
Together, these two points lead to our first recommendation:
Keep your approach to risk appetite practical and actionable for your organization. This means using plain language that makes sense to your business people. It also means starting simple and taking an iterative approach. Resist the temptation to get too fancy too quickly. It is far more important to effectively engage your executive team and get them comfortable with the process than it is to come up with an elegant and technically robust model out of the gate. Keep it simple. You will still get the most important benefits. Evolving and adding depth is easy later if you have properly engaged your board and executive team in the beginning.
Given that background, here is our practical, plain-language definition of risk appetite:
Risk appetite a description of the amount and types of risk that an organization wishes to take in order to achieve its desired objectives. It usually starts with a broadly written organizational-wide statement and then provides a series of more refined statements for certain situations (usually done by risk category). It is expressed in terms of residual risk levels (after considering the effects of risk mitigations). It can be qualitative, quantitative, or a mix of both.
Note from the definition above that risk appetite is closely related to business strategy and the risks inherent in pursuing that strategy. The board of directors has ultimate responsibility to set business strategy and to monitor performance against it. Accordingly, the board has an important role to play in setting, approving and monitoring risk appetite.
Underlying the definition of risk appetite is the understanding that risk and opportunity are inextricably linked. A business takes risks to pursue opportunities and generate returns (or achieve other desired outcomes). Conversely, risks can present opportunities for organizations that are better able to identify and exploit them.
In most cases, higher potential returns are associated with higher potential risks. There are many benefits for organizations who can take on riskier strategic opportunities by mitigating the extra risk through effective ERM programs.
For a simple example, imagine a firm wishes to start selling its services through a new online channel. The new online channel has tremendous potential but taking advantage of it may alienate the firm’s traditional partners that it is currently dependent on. The firm will most likely look for ways to pursue the online channel while minimizing and managing the impacts on its traditional partners. Regardless of the mitigation efforts taken, however, the firm’s executives must still make a risk/reward decision and ultimately assume some level of remaining risk if they wish to pursue the new opportunity. In this way, risk and opportunity are linked, and neither should be managed in isolation.
The concept of risk appetite also recognizes that lower levels of risk are not always better. Being overly cautious and assuming too little risk may cause the company to miss its targets and underperform relative to its full potential.
Continuing with the example above, the firm can avoid the risk to its traditional partners by deciding not to sell online. The firm will lower risk initially but will also miss an opportunity for growth and innovation. Even worse, a competitor may move in to fill the market gap left open by the firm’s inaction. This could lead to lost market share for the firm and a possible disruption of its traditional business model. Deciding not to pursue the new online opportunity may avoid some risks in the short term but create even larger ones in the long run.
For this reason, risk appetite is usually thought of as a desired range of risk levels that a firm wishes to assume in different situations. Low risk is not always better, and risk appetite usually involves some form of upper and lower thresholds, with the firm’s desired range of residual risk values represented by the values in between.
Also note that in the above example, the partner risk that the firm avoided became an opportunity for their competitor – further demonstrating the link between risk and opportunity. Often the difference between a risk and an opportunity lies in perception, or more properly, in a management team’s ability to minimize the downsides and maximize the upsides of a given situation.
Finally, risk optimization is an area where organizations may choose to use quantitative analysis to identify the optimal risk/reward balance in certain situations. This approach has been used for many years in the financial investment industry (e.g. Modern Portfolio Theory) and is incorporated into modern finance concepts (Capital Asset Pricing Model). Quantitative analysis can be challenging to apply in enterprise risk processes, but we share an easy and practical approach in the “7 steps” how-to guide that follows and accompanies this article.
One of the challenges with risk appetite is that there is a confusing array of related terminology. A quick online search returns terms such as risk capacity, risk attitude, risk propensity, risk preference, risk perception, and more. Some authors use these terms interchangeably, while others have different interpretations that are used in more elaborate risk appetite frameworks.
In our practical experience, these additional terms and concepts have lesser value when an organization is initially incorporating risk appetite into their ERM framework. Even worse, they can lead to overly complicated processes, which undermine the success of initiatives (i.e. high risk, low return).
Once again, our advice is to start simple and add further depth in the future – only as needed and with a specific goal or problem in mind. We will explore some of these concepts in a future article and you can get more background on these terms in our glossary of ERM terminology.
One additional term worth addressing now, however, is risk tolerance. In our view, risk tolerance is a problematic term. The word tolerance has multiple meanings and risk tolerance gets interpreted in different ways. Some models use it as a synonym for risk appetite. Others use it to denote the maximum range of risk that an organization and carry and still survive (i.e. a wider range than appetite). Still others use it in a more granular fashion to track and monitor variances against key performance and risk indicators. While there is some consensus on the meaning of risk appetite, unfortunately the same cannot be said for risk tolerance.
To avoid confusion, we do not use the term risk tolerance when dealing with risk appetite. Instead, we use the term risk thresholds within this guide (and in our Essential ERM software) to communicate the upper and lower values of a risk appetite range.
Building on our understanding of risk appetite, let’s consider why it is important in the first place. We believe risk appetitive is extremely important for ERM – in fact, we would argue that using risk appetite effectively is one of the top two key success factors for any ERM program.
Many ERM programs begin by creating a register (or list) of key risks. This may be done at an enterprise level, and/or for each functional unit. Once risks are identified, they are rated and analyzed to explore root causes, controls/mitigations and potential consequences.
Creating risk registers is not difficult. There is usually enthusiasm at the beginning of an ERM process and value is realized initially from the collaborative discussions that are fostered through risk workshops. Risk libraries and software tools can also help. Organizations may document dozens, or even hundreds of risks through this process.
Once a risk register is created, the challenge quickly becomes deciding how to prioritize and act on risks. Risk managers face several questions. Which risks are real, and which are merely perceived? How should risks be ranked? Given that executive time is limited, where should they focus? Which risks should the board be briefed on and how often?
Unfortunately, many ERM programs fizzle out and lose momentum after initial success because they lack effective prioritization and executives and board members to not perceive enough value in the information they provide.
As a result, the first reason that risk appetite is critical for the success of ERM programs is a practical one. Risk appetite and its associated risk thresholds provide context for the residual risk values that are generated through the risk identification and rating process. Executives can immediately see which risks have residual risk scores that exceed the upper and lower thresholds within their risk appetite statement. Rather than attempting to work through dozens or hundreds of risks, executives can focus on a smaller number of exceptions that fall outside of desired boundaries.
Note that another key success factor that provides context for residual risk values is aligning risks to strategic objectives. This success factor works hand-in-hand with risk appetite and is be discussed in the accompanying guide 7 steps to implementing risk appetite.
The second reason that risk appetite is critical for the success of ERM programs is more fundamental and is tied to human nature and social dynamics. Persons within an organization will have different perceptions, attitudes and decision-making styles with regards to risk. Organizations and departments will have different cultures that will also affect how risk is viewed and acted upon. Reward and compensation programs will further influence the way individuals act and the decisions they make with regards to risks and opportunities. Many these factors will create conflicts and the potential for individuals within organizations to end up working at cross purposes.
Risk appetite is a useful tool to help uncover and resolve varying perceptions and inherent conflicts in managing risks and opportunities. Board members and executives work through a collaborative process to create risk appetite statements. A common language and rating system are agreed to. Risk appetite thresholds become guideposts, set and monitored by the board, to help remove some of the subjectivity in subsequent risk prioritization and decision making by the management team. While natural tendencies and underlying culture will not be completely overcome, risk appetite provides a mechanism to help create common alignment among executives and board members that can then be translated down into departmental decision-making processes.
Sample risk register, as created and presented within the Essential ERM system. Risks are identified, rated and prioritized. For filtering and analysis purposes, risks are also mapped to other factors such as risk owner, category, subcategory, root causes, mitigations, consequences, action plans, business areas, strategic objectives, departments, portfolios and more.
Example showing a risk appetite dashboard for a filtered portfolio of risks within the Essential ERM system. The light blue bars represent the upper and lower thresholds for each risk category, specified by residual risk score. Report viewers can easily see which risks (shown as grey circles) have residual risk scores that fall above and below the risk appetite thresholds. The overall status for each category updates dynamically as underlying risk scores are updated.
Every business faces risk, yet studies conducted a few short years ago show that 69% of organizations don’t have enterprise risk