Navigating the intricate landscape of risk appetite remains a challenge for many organisations. From defining this elusive concept, to seamlessly integrating it into operational strategies; unlocking its potential is key to sustaining value and informing sound decision-making.
Understanding the Basics of Risk Appetite
Risk Appetite, in essence, signifies the extent and nature of risks an organisation is willing to undertake to achieve its objectives. Different attitudes and appetites exist for various types of risks; organisations may embrace risk in commercial endeavours while maintaining a risk-averse stance on legal compliance. To articulate these nuances effectively, we recommend aligning risk appetite statements with primary risk categories or principal risks. More advanced businesses often go on to support these statements with metrics and clearly defined upper and lower limits.
Distinguishing Rewarded and Unrewarded Risks
The concept of risk appetite becomes more intuitive when applied to rewarded risks, where higher risks correlate with greater rewards. Boards and shareholders seek assurance that management decisions align with their risk appetites, emphasising the importance of risk-based decision making.
In an extreme historical case, infamous banker, Fred Goodwin, over-leveraged Royal Bank of Scotland in its acquisition of ABN Amro for £44b, leading to a liquidity crisis, and the eventual collapse and nationalisation of the Bank. Might Goodwin’s appetite have been greater than the Board and Investors at the time?
Exploring the example of IT Security, we uncover the less intuitive concept of risk appetite for unrewarded risks i.e. those we don’t want to materialise, and that offer little, or no return on investment for managing them. Organisations with a genuine commitment to low-risk appetite are willing to allocate substantial resources to develop best practice in these areas. Here, the focus shifts to how much investment is desirable to prevent or control these unrewarded risks.
Many boards and executives often overlook this crucial aspect e.g. that excelling in IT security requires a commitment of resources and financial investment. Failing to allocate adequate resources indicates a higher risk appetite than we might realise.
The critical question for boards to address is the standard of excellence they seek in managing such risks. Are we inclined to adopt best practices that align with a low-risk appetite? Should we implement these for every conceivable downside, or can we strategically embrace some level of risk in certain areas? The prudent assessment of “how good is good enough?” becomes essential in bridging the gap between desired and actual capabilities.
Without answers to these fundamental questions, there is the very real danger that business leaders and managers are left to make assumptions and isolated judgement calls.
Putting Risk Appetite into Practice
The preceding sections offer valuable insights into our organisation’s attitudes, shaping the foundation for decisions, strategic planning, and resource allocation. Going beyond pivotal decision-making moments, the establishment of risk appetite, enhanced by metrics featuring defined upper and lower limits, affords us ongoing feedback on our actual risk exposure. This framework aids in recognising when course corrections or interventions are required.
The robustness of a risk appetite statement is particularly evident when bolstered by a spectrum of metrics, each equipped with clear guardrails.
When these predefined thresholds are breached, it signals a call to action for both management and the board. A focused and urgent response is essential to formulate impactful interventions, turnaround strategies, and necessary pivots. A breach in risk appetite should be viewed as a potential warning sign, warranting careful consideration due to its implications for serious underlying problems.
Tips for Operationalising Risk Appetite with GOAT Risk™
GOAT Risk™ clients appreciate the high degree of flexibility and configurability embedded within the platform. While Risk Appetite statements are a default field, those seeking a more advanced approach can create a dedicated Risk Appetite template and seamlessly integrate a Risk Appetite Continuum. This can be crafted using the Editable Heatmap feature, available as part of the PRO upgrade package.
With this enhanced template, there is the freedom to transform the Executive Summary field into a detailed Risk Appetite Statement and then incorporate Key Risk Indicators (KRIs) with specified upper and lower limits. When reporting, simply selecting the Risk Appetite Profile will highlight the selected Risk Appetite themes and plot them on a continuum through a Heat-Map report. You can also utilise the Executive Summary and KRI report to generate comprehensive Risk Appetite Statements complemented by supporting KRIs.
Mastering risk appetite is essential for organisations striving to add sustainable value through better decision making. By understanding the basics, differentiating between rewarded and unrewarded risks, and operationalising risk appetite with tools like GOAT Risk™, organisations can navigate the complex terrain of risk management with confidence and resilience.Find out more about GOAT Risk™