
Risk appetite is defined as the types and amount of risk an organization is willing to tolerate in pursuit of business objectives. An organization creates a risk appetite approach to provide a broad picture of risk-taking across an organization, where thresholds are pre-approved by the organization’s ultimate risk owner, typically the board or CEO.
Actual risk levels can then be monitored against these thresholds, and deliberate decisions can be made about whether to take on more risk or pull back. An organization with a higher risk appetite will encourage a culture of risk taking. Conversely, an organization with a lower risk appetite will require more steps to bring its risks to tolerable levels, which has implications for its budget.
As shown in Figure 1, risk appetite can be looked at as a critical crossroads for a risk owner.
Figure 1: Enterprise Risk Management Framework

Currently, there are six key steps to clearly articulate an organization’s risk appetite: the clear articulation of methodology; creation of a risk appetite statement; key risk indicator (KRI) alignment; setting of risk appetite thresholds and risk tolerances; issue and action management; and risk monitoring, governance, and dashboards.
1. Clear Articulation of Methodology
The first step in creating an organization’s risk appetite is the clear articulation of its methodology. This includes the alignment of risk appetite statements to critical taxonomy risks that are outlined in Stage 3 of an organization's risk management framework, as seen in Figure 1. This alignment is useful because it builds upon the organization’s common language of risk to allow for consistent risk monitoring and aggregation.
2. Development of Risk Appetite Statements
The second step is the development of risk appetite statements. These statements are meant to be qualitative and reflect the risk tolerance of senior leadership. Each statement will correspond to one of the critical taxonomy risks as outlined in step one. Risk appetite statements are meant to be simple, concise, and cover the major portions of each risk category. The statements will also be tied to key risk indicators, the third step.
3. Key Risk Indicator (KRI) Alignment
The third step involves the alignment of KRIs to each risk appetite statement. KRIs are quantitative metrics, and preferably forward-looking rather than backward-looking. For many organizations, only backward-looking KRIs are available at first. A forward-looking KRI might be a predictive number calculated using an econometric model based on a variety of causal variables under normal and stressed scenarios.
4. Setting Risk Appetite Thresholds
Risk appetite thresholds are the pre-defined levels organizations put in place to monitor and ensure that the risks they are taking do not deviate significantly from their risk targets and stay within their risk tolerance. Risk tolerance is the maximum level of a specific risk an organization is willing to accept while pursuing its objectives.
As mentioned in step three, initial key risk indicators are often based on historical data, which aligns an organization’s risk levels to familiar metrics. Using trends in this historical data, an organization can make a determination about their specific risk appetite thresholds, or upper and lower boundaries on the level of tolerable risk, and monitor the risk data to adjust their thresholds where needed to meet business objectives. When the actual risk levels cross a risk tolerance threshold, the risk owner must alert senior leadership to determine an appropriate risk treatment.
An organization could also have certain risks for which it has zero tolerance, that is, no risk tolerance or thresholds at all. For example, a large financial institution could have zero tolerance for the death of a worker, because a fatality is not an inherent part of the nature of a large financial institution's work environment. Zero tolerance policies will look different across organizations, and will depend on each one's defined risk appetite and operating environment.
5. Issue and Action Management
Step five in creating an organization’s risk appetite includes how the organization will respond if risk levels are outside their predetermined risk tolerance thresholds. These plans to return to a tolerable level are documented as issue and action management. If a risk exceeds its predetermined risk appetite level, then senior leadership must determine if that risk is treatable. Once a risk is determined to be treatable, senior leadership must determine the appropriate treatment.
These treatments are to avoid, transfer, mitigate, accept, or increase the risk. If senior leadership determines that they will mitigate the risk, then their mitigation strategy must be aligned with their available budget because risk treatments are often not free. In cases where there is no risk treatment, or management believes they can tolerate the risk for a specific time period, senior leadership must grant risk acceptance and increase their current level of risk appetite. A risk may be determined untreatable due to budget constraints, mandates, or strategy.
6. Risk Monitoring, Governance, and Dashboards
The sixth and final step involves risk monitoring, governance, and dashboards. The organization monitors its risks and escalates them when their associated risk tolerances are breached. When a breach occurs, the risk owner reports to senior leadership based upon the agreed thresholds. Risk reporting can be done through dashboards that show the risk appetite, current risk levels, and the risk treatments available to senior leadership. This part of the process is dynamic, and must be done on a consistent basis to ensure current risk levels do not violate their associated risk thresholds. If an organization goes into crisis mode, its risk treatment choices may change.
Figure 2 below displays an example risk appetite dashboard, with fictitious numbers, for the attrition rate (in percent) across an organization. The figure shows the previous and current levels of risk over the past six years. It shows the risk thresholds, or "guardrails," as red lines: a minimum threshold at the 2% level and a maximum threshold at the 5% level. The dashboard indicates the current trend of the attrition rate, which is neutral, and includes a comment from the risk manager responsible for independent reporting.
In this case, the attrition rate is within the board-preapproved risk tolerance. The example also illustrates a period in 2020 when the board threshold was breached, and the risk manager suggested a risk treatment to mitigate the risk level. In this example, senior business managers invested in a program to reduce attrition to within its thresholds, while staying within budget constraints.
Figure 2: Illustrative Risk Appetite Reporting Example
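The monitoring logic behind a panel like Figure 2, written out as an added example that is not part of the original article. It takes the page's guardrails (2% minimum, 5% maximum) as givens; the six-year attrition series is constructed for illustration and is not the figure's data, the "neutral band" used to call a trend neutral is an assumption, and the mean-plus-or-minus-k-standard-deviations rule for proposing candidate thresholds from history is one simple method chosen here, not something the page prescribes. Any threshold it proposes would still need board pre-approval, as the text describes.

```python
"""KRI threshold monitor: evaluates a key risk indicator time series against
board-approved lower/upper guardrails, flags breaches for escalation, and
reports the trend of the latest observation, as the dashboard in Figure 2 does."""

from dataclasses import dataclass
from statistics import mean, pstdev

# Guardrails taken from the page's Figure 2: attrition rate in percent.
LOWER_THRESHOLD = 2.0
UPPER_THRESHOLD = 5.0

# Constructed sample KRI series (year -> attrition rate, percent). These are
# not the figure's numbers; they are only shaped like it: one breach in 2020
# and a current value inside the guardrails.
ATTRITION_HISTORY = {
    2018: 3.1,
    2019: 3.6,
    2020: 5.8,
    2021: 4.4,
    2022: 3.9,
    2023: 3.8,
}


@dataclass(frozen=True)
class KriObservation:
    period: int
    value: float
    status: str      # "within", "above_upper" or "below_lower"
    escalate: bool   # True when the risk owner must alert senior leadership


def classify(value: float, lower: float = LOWER_THRESHOLD,
             upper: float = UPPER_THRESHOLD) -> str:
    """Place a KRI value relative to the guardrails. A value sitting exactly on
    a threshold is still within tolerance; only crossing it counts as a breach."""
    if value > upper:
        return "above_upper"
    if value < lower:
        return "below_lower"
    return "within"


def evaluate_series(series: dict, lower: float = LOWER_THRESHOLD,
                    upper: float = UPPER_THRESHOLD) -> list:
    """Classify every period in chronological order; any breach is escalated."""
    observations = []
    for period in sorted(series):
        status = classify(series[period], lower, upper)
        observations.append(KriObservation(period, series[period], status,
                                           escalate=(status != "within")))
    return observations


def trend(series: dict, neutral_band: float = 0.25) -> str:
    """Direction of the latest move, in percentage points. The neutral band is
    an assumption for this example, not a value from the page."""
    periods = sorted(series)
    if len(periods) < 2:
        return "neutral"
    delta = series[periods[-1]] - series[periods[-2]]
    if delta > neutral_band:
        return "rising"
    if delta < -neutral_band:
        return "falling"
    return "neutral"


def propose_thresholds(series: dict, k: float = 2.0) -> tuple:
    """One simple way to derive candidate guardrails from historical data:
    mean +/- k population standard deviations. Assumed method for illustration;
    the page only says thresholds are set from historical trends and must be
    pre-approved by the board, which still has to sign off on the result."""
    values = list(series.values())
    mu, sigma = mean(values), pstdev(values)
    return (round(mu - k * sigma, 2), round(mu + k * sigma, 2))


def dashboard(series: dict, lower: float = LOWER_THRESHOLD,
              upper: float = UPPER_THRESHOLD) -> dict:
    """Summarise the series the way a single-KRI dashboard panel would."""
    observations = evaluate_series(series, lower, upper)
    latest = observations[-1]
    return {
        "kri": "attrition_rate_pct",
        "current_value": latest.value,
        "current_status": latest.status,
        "trend": trend(series),
        "guardrails": (lower, upper),
        "breached_periods": [o.period for o in observations if o.escalate],
        "escalate_now": latest.escalate,
    }


if __name__ == "__main__":
    for obs in evaluate_series(ATTRITION_HISTORY):
        flag = "  <-- escalate to senior leadership" if obs.escalate else ""
        print(f"{obs.period}: {obs.value:.1f}% {obs.status}{flag}")
    print(dashboard(ATTRITION_HISTORY))
    print("candidate guardrails from history:", propose_thresholds(ATTRITION_HISTORY))
```

Run as a script it prints the year-by-year status with 2020 flagged for escalation, the current-period summary (within tolerance, neutral trend), and the candidate guardrails the historical rule would propose. Note that including the 2020 breach year in the history widens the proposed band; in practice the risk owner decides whether breach periods belong in the baseline, which is exactly the kind of judgment the board-approval step exists for.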

Value Proposition
This risk appetite approach reflects industry best practices, and provides a data-driven decision support tool for senior leaders. Risk appetite dashboards give decision-makers insight into their current level of risk, approved risk tolerance thresholds, and the tools at their disposal to treat the risk. This will give leaders within an organization a reliable way to prioritize their risk treatments and ensure the achievement of their strategic objectives and goals while adhering to budget constraints.
Further Analysis
1. Development of Forward-Looking KRIs
Although backward-looking key risk indicators are often the first stage in the establishment of the risk appetite approach, a more mature and sophisticated approach would be the development of forward-looking, predictive KRIs. The nature of these forward-looking KRIs will allow an organization the option to treat risks even before actual risk levels exceed tolerance levels.
The adoption of forward-looking KRIs is a key step for the organization to ensure that it has the proper resources to achieve its strategic objectives while staying within budget constraints. To create these predictive, forward-looking KRIs, an organization could utilize econometric modeling. An econometric model could create a predictive forecast based on variables with the greatest causal link to the risk.
As time goes on, the econometric model parameters should be continually adapted to reflect changes in the risk landscape. These models must continue to be refined as an organization's overall risk management framework matures and as the variables affecting the organization's ability to achieve its goals change.
2. Development of a Risk Appetite Statement Cascade
After an organization has created risk appetite statements for its aggregate risk levels, each unit of the organization should adopt related risk appetite statements to allow for local management of each critical risk. These statements would delegate the responsibility of determining priority critical risks to risk owners within each respective part of an organization, allowing local control of what needs to be done, while remaining aligned with the critical aggregate risks established by the organization’s senior leadership.
To create this cascade, each respective organizational unit would be responsible for local adaptation of the risk appetite statements. KRIs to monitor the risk level may reflect needed variation based on the local operating environment and business objectives.
As the overall risk appetite approach matures, these statements can continue to be cascaded further within the organization and to critical third-parties. Ultimately, decision-makers closest to the sources of risk can determine how resources are allocated to treat risks that vary from acceptable levels.
Parting Thoughts
Risk appetite is a crucial step within an organization’s overall risk management framework because it creates a consistent view of critical risk across an organization. It is also important for defining the thresholds needed to manage risks within acceptable levels.
The industry best practice for creating risk appetite includes defining level one taxonomy risks, creating risk appetite statements, attaching correlated KRIs to each statement, using these KRIs to set risk thresholds, providing issue and action management steps for risk treatments if a threshold is breached, and finally the creation of risk dashboards to help monitor and report risk levels.
If these steps are adopted, an organization will receive a consistent, sophisticated guide. The risk appetite approach is designed to serve as a critical decision support tool, but will never be able to make a decision for a senior leader. Through this process, senior decision makers will receive a decision support tool for managing risk levels.
Overall, risk appetite is the critical crossroads for a risk owner to communicate actual risk levels and can be used to justify additional risk-taking or the need to pull back on the level of risk. An organization’s risk appetite approach is a dynamic, long-term process that requires constant attention and adaptation by the CRO to ensure an organization achieves its objectives while staying within its risk appetite and budget constraints.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy, the U.S. Navy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.
Nick Duncan is a rising first-class midshipman from Farmington, Connecticut. He is a Quantitative Economics major and a member of the Men’s Heavyweight Rowing Team and the USNA Finance and Investment Club.