“Know thyself†was the first and greatest commandment of the Greeks. “All men have the capacity of knowing themselves and acting with moderation†(Heraclitus 540BC). This tells us that the desire and willingness to take risks lies within man, and is the reason why certain actions are taken.
Risk appetite is a vitally important concept in the practice of risk management. It is a key factor that determines the willingness to undertake an activity that involves risk. How far are you willing to go in pursuit of your objectives?
We generally tend to associate risk with uncertainty. It is the effect of uncertainty on our objectives that makes the study of risk important. If risk management is about achieving the most favourable outcome, and reducing uncertainty, then risk appetite is about identifying the optimum level of risk that will achieve the most favorable outcome.
For organizations (includes councils, ministries, departments and agencies), the risk appetite is the total value of corporate resources that the board is willing to put at risk in pursuit of its objectives. Agreeing the risk appetite will ensure that the organization does not put too much (or too little) value at risk. On an individual level, lifestyle decisions are usually taken bearing risk appetite in mind.
When establishing the risk appetite for a particular decision, we also have to take into account what the threat or opportunity might be of not taking the decision and the context for the risk. Is the risk worse if we fail to make the decision?
Then you need to decide how much risk you CAN accept versus how much risk you are WILLING to accept. The risk you CAN accept is your risk capacity. You don’t want to go there, that’s at the highest end of what you can bear. What you are WILLING to accept is your tolerance or appetite.
Risk appetite is officially defined in many public documents as “the types and amount of risk an organisation is willing to take in pursuit of its objectives†and MUST be owned by the Board of Directors albeit with a great deal of input from lower echelons of the organisation.
For example, consider a large Bank. There will be a statement where there will be zero tolerance for fraud risks. That is neither a realistic assessment of their risk appetite, or indeed their capacity for fraud risks. Their capacity with regards fraud could be quite high in reality, and even a multimillion Naira fraud is unlikely to cause huge financial distress to the organisation.
Yet they still have a stated appetite towards fraud of zero. The reason why they articulate it thus is that they can then set in place appropriate rewards and sanctions for behaviours that are outside the risk tolerance statement.
Capacity is a hard fact. It’s about how much capital (and other assets) an organisation needs to sustain a certain level of threat and opportunity. Appetite is about willingness to take risk. Thus risk appetite is about a deliberate discussion about the ability to be able to take threats and opportunities in order to achieve strategic objectives, taking into account the organisation’s capacity and its tolerance levels.
Setting the risk appetite is an important process. It starts with a good analysis of the value drivers and goals for the organisation, which is critical. Stakeholders perceptions of risk and needs for value creation and value protection too are really important for helping to shape the risk appetite. Risk appetite should be shaped around the key risks that affect the value drivers.
Agree the language. One set of words and their meanings is really important – there has to be a clear understanding of the meaning of risk appetite. The language then needs to be communicated throughout the organisation.
As the organisation matures in its approach towards risk and risk management, the approach to risk appetite can become more involved and complex. The rule is to keep risk appetite as simple as the organisation can cope with.
For the more mature organisation, there should be a reckoning of all the risk tolerances and how the aggregate of these might affect risk capacity. In turn this would be compared to the capital in the business, and in the case of extreme sensitivity to risk, the risks should be exposed to stress and scenario testing to ensure that the capital remains adequate.
A policy, statement, operating model and reporting dashboard for risk appetite should be established as well as reporting and monitoring processes.
Communication about the risk appetite sets the boundaries for permitted risk behaviours in the organisation and allows safe innovation to take place within those boundaries. The permissions for managed risk taking needs to be accompanied by clear and fair policies for rewards and sanctions. External communication might also take place in, for example, the annual report and accounts.
Risk appetite changes over time and triggers for those changes should be built into the structure of the process.
The most important thing is that the risk appetite enables the organisation to take managed risk in a safe manner, and if the risk appetite is changed because of continual breaches, this might not be a safe way of operating.
Throughout my risk management career, a lack of understanding of risk appetite by individuals, and its clear communication in organisations has contributed majorly to mistakes and failures. Sometimes we pretend not to know when we know. Therefore, knowledge of oneself is the only real knowledge, for as one understands oneself, only then may one truly understand another.
