The risk appetite of an individual or a group is the tendency of that individual or group to take risks in each situation. This is important because working towards zero risk is a utopia. The less risk you take, the more expensive the measures are to get there. Conversely, if the residual risk you take is too big, it is dangerous for the organization, project, process, or service your organization provides. So, the optimum is somewhere in between. | In this post I give my own opinion, not that of any organization. |
Risk appetite – a mandatory number?
A statement that may seem bold is that you cannot do risk management without having a good determination of your risk appetite and without knowing the risk capacity of your organization, or your business unit.
Risk capacity is the ability of an organization to bear risks, quantified based on its objectives.
(These definitions are taken from ‘A short guide to risk appetite’ by David Hillson and Ruth Murray-Webster)
Contents
Why are risk appetite and capacity important?
Let me first argue why these concepts are necessary in risk management.
The reasoning is simple: if you don’t know the limits of your risk management and determine them responsibly, you can’t do risk management in a meaningful way. In that case, risk management remains a paper tiger, which can be ticked off audit-wise, but which has no power of expression when problems arise.
The main risk of the top management’s failure to take risk appetite and risk capacity seriously, if it puts a number on these terms at all, is that when a risk materializes, the damage is bigger than the risk appetite and perhaps also the actual risk capacity. This can cause the organization to run into financial problems. It then suffers reputational damage and becomes known as an organization that fails to prepare for adversity. However, on paper, it seemed fine. But the paper exercise turned out to be insufficient and, in addition to an audit checkmark, provided for an expensive occupational therapy.
What this means is that risk management can be very ineffective without responsibly defining risk appetite and risk capacity.
What does this mean if top management refuses to determine risk appetite and risk capacity?
This means that if top management does not fill in these definitions, they consider risk management to be unimportant. It probably therefore considers the implementation of the entire resilience work, which also includes BCM and crisis management, to be unimportant. This means that the delivery of high-quality products and services to the customer is considered by top management to be unimportant. Top management is expected to have a very good idea of the interests and wishes and needs of the customers. (It therefore also determines the strategic mission and vision and objectives.) Therefore, this means that the top management believes to know that the customer does not consider these services and products important. This automatically raises the question of whether the organization is important, and whether it has a right to exist.
A possible answer to this reasoning could be that top management was not aware of this. I would have believed that answer 30 years ago. But given the risky circumstances in an increasingly VUCA world that is increasingly being communicated about in the media, this is no longer a sufficient argument.
What actions do you take around risk appetite and risk capacity?
First, you determine a few things.
- You determine the maximum risk capacity of the organization or per business unit.
- Then, you determine the risk appetite per project, process, and service.
- You look at whether the sum of all risk appetites remains within the maximum risk capacity, or whether you can ensure that this is the case.
Determine risk capacity.
Determining risk capacity is not always easy. A large financial institution or a petrochemical company has different options than a smaller SME with limited financial and human capital.
One possibility is to set up a captive. In doing so, the organization is partly building its own insurance.
Another possibility is that the objectives are set every year and regularly reviewed to decide which projects, processes and services are “must haves”, and which are the “nice to haves”. Within projects, it is also possible to look at which deliverables are “must haves”, and which are “nice to haves”. The resources for those “nice-to-haves” will become part of the risk capacity. If a risk occurs on a project or other level, the organization can cannibalize on the “nice-to-haves” in favor of the “must-haves”. This means, among other things, that the projects that are “nice to haves” should be able to be postponed until after the projects that are “must haves”. So, start relatively later in the year. And that is a job for top management, who then must make difficult decisions.
Determine risk appetite.
All projects, processes and services have risks. To this end, there are risk management techniques that identify, analyze, evaluate, propose measures, determine residual risk, and so on. The (financial) impact of these residual risks determines the (financial) risk appetite-indicator of these projects, processes, and services. This assessment is contained in risk indicators, the sum of which may not exceed the risk capacity. This risk impact must be provided by the project leader / process owner to the top management, who must take a critical look at it. Together with the CRO and, if necessary, the project leader and process owner, top management discusses how the total risk of the business unit, or the organization can remain within the risk capacity.
Aligning risk appetite with risk capacity.
If the risk appetite exceeds the risk capacity, additional risk measures must be taken, or processes and projects or services must be cut. Maybe “must-haves” can be revisited, or they can become “nice to haves”. Perhaps they can be postponed to a later date so that budgets can be released in the current financial year.
Conclusion
If we reverse the reasoning above, the idea that the needs of the customer are important is sufficient reason to engage in risk management and to determine the risk appetite and risk capacity by top management.
Note that these concepts are not fully elaborated in most norms and standards if they mention them at all.
Partly because of this, this assignment has long been terra incognita for the CRO and the project leaders, process owners and top management. In recent years, these concepts have been on the rise, but without much guidance on ‘how to do this’. So, one can always know that these are important risk management aspects. But it remains a challenge to implement.
In this blog, I suggested some ideas for creating risk capacity, and the requirement that the sum of all risk appetite should remain within it.
Question for the reader
I would like to get a better sense of in which organizations risk appetite is applied, and how you do this. Can you answer that in the comments below?