This article needs additional citations for verification . (February 2018) (Learn how and when to remove this template message)
Risk appetite is a concept to help guide an organization's approach to risk and risk management.
Risk is the possibility of losing something of value. Values can be gained or lost when taking risk resulting from a given action or inaction, foreseen or unforeseen. Risk can also be defined as the intentional interaction with uncertainty. Uncertainty is a potential, unpredictable, and uncontrollable outcome; risk is a consequence of action taken in spite of uncertainty.
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organization is prepared to pursue, retain or take". In a literal sense, defining your appetite means defining how "hungry" you are for risk.
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.
The appropriate level will depend on the nature of the work undertaken and the objectives pursued. For example, where public safety is critical (e.g. operating a nuclear power station) appetite will tend to be low, while for an innovative project (e.g. early development on an innovative computer program) it may be very high, with the acceptance of short term failure that could pave the way to longer term success.
Below are examples of broad approaches to setting risk appetite that a business may adopt to ensure a response to risk that is proportionate given their business objectives.
The appropriate approach may vary across an organization, with different parts of the business adopting an appetite that reflects their specific role, with an overarching risk appetite framework to ensure consistency.
Precise measurement is not always possible and risk appetite will sometimes be defined by a broad statement of approach. An organization may have an appetite for some types of risk and be averse to others, depending on the context and the potential losses or gains.
However, often measures can be developed for different categories of risk. For example, it may aid a project to know what level of delay or financial loss it is permitted to bear. Where an organization has standard measures to define the impact and likelihood of risks, this can be used to define the maximum level of risk tolerable before action should be taken to lower it.
By defining its risk appetite, an organization can arrive at an appropriate balance between uncontrolled innovation and excessive caution. It can guide people on the level of risk permitted and encourage consistency of approach across an organisation.
Defined acceptable levels of risk also means that resources are not spent on further reducing risks that are already at an acceptable level.
In literature[ citation needed ] there are six main areas of risk appetite:
There is often a confusion between risk management and risk appetite, with the rigor of the former now recovering some of its lost ground from the vagueness of the latter. Derived correctly the risk appetite is a consequence of a rigorous risk management analysis not a precursor. Simple risk management techniques deal with the impact of hazardous events, but this ignores the possibility of collateral effects of a bad outcome, such as for example becoming technically bankrupt. The quantity that can be put at risk depends on the cover available should there be a loss, and a proper analysis takes this into account. The "appetite" follows logically from this analysis. For example an organization should be "hungry for risk" if it has more than ample cover compared with its competitors and should therefore be able to gain greater returns in the market from high risk ventures.
Broadly speaking, a risk assessment is the combined effort of 1. identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment ; and 2. making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors. Put in simpler terms, a risk assessment analyzes what can go wrong, how likely it is to happen, what the potential consequences are, and how tolerable the identified risk is. As part of this process, the resulting determination of risk may be expressed in a quantitative or qualitative fashion. The risk assessment is an inherent part of an overall risk management strategy, which attempts to, after a risk assessment, "introduce control measures to eliminate or reduce" any potential risk-related consequences.
Feasibility Study is an assessment of the practicality of a proposed project or system.
Business valuation is a process and a set of procedures used to estimate the economic value of an owner's interest in a business. Valuation is used by financial market participants to determine the price they are willing to pay or receive to effect a sale of a business. In addition to estimating the selling price of a business, the same valuation tools are often used by business appraisers to resolve disputes related to estate and gift taxation, divorce litigation, allocate business purchase price among business assets, establish a formula for estimating the value of partners' ownership interest for buy-sell agreements, and many other business and legal purposes such as in shareholders deadlock, divorce litigation and estate contest. In some cases, the court would appoint a forensic accountant as the joint expert doing the business valuation.
The chief risk officer (CRO) or chief risk management officer (CRMO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as Chief Executive officer and Chief Financial Officer.
Business analysis is a research discipline of identifying business needs and determining solutions to business problems. Solutions often include a software-systems development component, but may also consist of process improvement, organizational change or strategic planning and policy development. The person who carries out this task is called a business analyst or BA.
Supplier relationship management (SRM) is the discipline of strategically planning for, and managing, all interactions with third party organizations that supply goods and/or services to an organization in order to maximize the value of those interactions. In practice, SRM entails creating closer, more collaborative relationships with key suppliers in order to uncover and realize new value and reduce risk of failure.
Intellectual property assets such as patents are the core of many organizations and transactions related to technology. Licenses and assignments of intellectual property rights are common operations in the technology markets, as well as the use of these types of assets as loan security. These uses give rise to the growing importance of financial valuation of intellectual property, since knowing the economic value of patents is a critical factor in order to define their trading conditions.
'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
IT portfolio management is the application of systematic management to the investments, projects and activities of enterprise Information Technology (IT) departments. Examples of IT portfolios would be planned initiatives, projects, and ongoing IT services. The promise of IT portfolio management is the quantification of previously informal IT efforts, enabling measurement and objective evaluation of investment scenarios.
Governance, risk management and compliance (GRC) is the umbrella term covering an organization's approach across these three areas: Governance, risk management, and compliance. The first scholarly research on GRC was published in 2007 where GRC was formally defined as "the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." The research referred to common "keep the company on track" activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.
Internal control, as defined in accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
Initially pioneered by financial institutions during the 1970s as interest rates became increasingly volatile, asset and liability management is the practice of managing risks that arise due to mismatches between the assets and liabilities.
Entity-level controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.
Enterprise performance management (EPM) is a field of business performance management which considers the visibility of operations in a closed-loop model across all facets of the enterprise. Specific to financial activities in the office of the chief financial officer, EPM also supports financial planning and analysis (FP&A).
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
Project risk management is an important aspect of project management. According to the Project Management Institute's PMBOK, Risk management is one of the ten knowledge areas in which a project manager must be competent. Project risk is defined by PMI as, "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives."
Corporate finance is an area of finance that deals with sources of funding, the capital structure of corporations, the actions that managers take to increase the value of the firm to the shareholders, and the tools and analysis used to allocate financial resources. The primary goal of corporate finance is to maximize or increase shareholder value. Although it is in principle different from managerial finance which studies the financial management of all firms, rather than corporations alone, the main concepts in the study of corporate finance are applicable to the financial problems of all kinds of firms.
Risk based Internal Audit (RBIA) is an internal methodology which is primarily focused on the inherent risk involved in the activities or system and provide assurance that risk is being managed by the management within the defined risk appetite level. It is the risk management framework of the management and seeks at every stage to reinforce the responsibility of management and BOD for managing risk.