How Can Risk Appetite Fail the Strategy & Risk Management System?
Aida Makas
Governance, Risk and Internal audit| PhD candidate| CBCI| Crisis & Financial risk management| Strategic investment advisor
Risk appetite is central to a strategy mindset, for one simple reason: organizational failure to fully comprehend and operationalize risk appetite in the prosecution of strategy is a significant contributor to corporate failure. One of the reasons for the world's credit crunches is improper rigor around risk appetite management.
History shows that when risk appetite is not considered, the organization often suffers from greater risks than anticipated. Not managing or parametrizing risk appetite is itself taking a huge risk: failing to define it properly can cause the risk management system to fail.
But what do we actually mean by risk appetite? Before we look at the definition, it should be understood that risk appetite is not a technique. Risk appetite is a natural, everyday part of doing business.
Every decision a manager makes has a risk appetite component. Managers make a go or no-go choice based on the amount of risk to which they are willing to be exposed. It should be noted that some risk is unavoidable and not within the ability of the organization to manage to a tolerable level.
Managing & defining risk appetite
Below, risk appetite and how to manage it are defined as per the COSO model and ISO3100 Risk Management, as these are the most accepted models for risk management.
As per COSO model of managing risk appetite, the board and executive should take three steps:
1. Develop risk appetite: organizations with different objectives should develop different risk appetites. There is no standard or universal risk appetite statement that fits all organizations, nor is there a "right" risk appetite. Rather, management and the board must make choices in setting risk appetite, understanding the trade-offs involved in having higher or lower risk appetites.
2. Communicate risk appetite: several common approaches are used to communicate risk appetite. The first is to create an overall risk appetite statement that is broad enough yet descriptive enough for organizational units to manage their risks consistently within it. The second is to communicate risk appetite for different categories of risk.
3. Monitor and update risk appetite: once risk appetite is communicated, management, with board support, needs to revisit and reinforce it. Risk appetite cannot be set once and then left alone. It should be monitored and evaluated on a consistent basis. Internal auditing can support management in this monitoring. In doing so, the organization creates a culture that is risk-aware and that has organizational goals consistent with the board's.
So, how do we define risk appetite and a risk appetite statement?
COSO's definition of risk appetite is a very useful one, as it provides the "what, who, when and why" of risk appetite:
"Risk appetite is amount and type of risk that is acceptable to be taken by an organizational entity over a defined time period, to achieve the objectives of the strategy."
· What: the amount and type of risk
· Who: an organizational entity
· When: over a defined time horizon
· Why: to achieve the strategic objectives of the entity.
Another widely used definition is that of ISO3100 Risk Management, which states:
"Risk appetite is the amount and type of risk that an organization is prepared to seek, accept or tolerate."
ISO3100 also relates risk appetite to strategy and governance, stating:
"considering and setting a risk appetite enables an organization to increase its reward by optimizing risk taking and accepting calculated risks within an appropriate level of authority."
Put another way, a risk appetite statement requires a focused conversation by the board and executive team.
Then, how do you define a risk appetite statement?
Seven steps to creating a risk appetite statement:
1. Identify the key business drivers of your organization
2. Define risk levels based on key business drivers
3. Define a set of strategic objectives
4. Define and assess a set of key risks
5. Align strategy and risk
6. Define the risk appetite statement
7. Monitor the alignment of risk-taking to appetite.
Supporting Customer Journey from Complexity to Clarity in Security & AI Architecture
2 years ago: Aida Makas, that's very precise information. Keep it up.