Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organization is prepared to pursue, retain or take". This concept helps guide an organization's approach to risk and risk management.
Levels
The Board of Directors are normally responsible for setting an organisation's risk appetite. In the UK the Financial Reporting Council says: "the Board determines the nature, and extent, of the significant risks the company is willing to embrace." The appropriate level will depend on the nature of the work undertaken and the objectives pursued. For example, where public safety is critical appetite will tend to be low, while for an innovative project it may be very high, with the acceptance of short termfailure that could pave the way to longer term success. Below are examples of broad approaches to setting risk appetite that a business may adopt to ensure a response to risk that is proportionate given their business objectives.
Minimal: Preference for ultra-safe options that are low risk and only have a potential for limited reward.
Cautious: Preference for safe options that have a low degree of risk and may only have limited potential for reward.
Open: Willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money.
Hungry: Eager to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk.
The appropriate approach may vary across an organization, with different parts of the business adopting an appetite that reflects their specific role, with an overarching risk appetite framework to ensure consistency.
Measurement
Precise measurement is not always possible and risk appetite will sometimes be defined by a broad statement of approach. An organization may have an appetite for some types of risk and be averse to others, depending on the context and the potential losses or gains. However, often measures can be developed for different categories of risk. For example, it may aid a project to know what level of delay or financial loss it is permitted to bear. Where an organization has standard measures to define the impact and likelihood of risks, this can be used to define the maximum level of risk tolerable before action should be taken to lower it.
Purpose and benefits
By defining its risk appetite, an organization can arrive at an appropriate balance between uncontrolled innovation and excessive caution. It can guide people on the level of risk permitted and encourage consistency of approach across an organisation. Defined acceptable levels of risk also means that resources are not spent on further reducing risks that are already at an acceptable level.
Main areas
In literature there are six main areas of risk appetite:
financial
health
recreational
ethical
social
information
There is often a confusion between risk management and risk appetite, with the rigor of the former now recovering some of its lost ground from the vagueness of the latter. Derived correctly the risk appetite is a consequence of a rigorous risk management analysis not a precursor. Simple risk management techniques deal with the impact of hazardous events, but this ignores the possibility of collateral effects of a bad outcome, such as for example becoming technically bankrupt. The quantity that can be put at risk depends on the cover available should there be a loss, and a proper analysis takes this into account. The "appetite" follows logically from this analysis. For example an organization should be "hungry for risk" if it has more than ample cover compared with its competitors and should therefore be able to gain greater returns in the market from high risk ventures.