Risk appetite

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, [1] before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. This concept helps guide an organization's approach to risk management. Risk appetite factors into an organization's risk criteria, used for risk assessment. [2]

Definition

ISO 31000 defines risk appetite as the "amount and type of risk that an organization is willing to pursue or retain." [3]

Risk appetite is burdened by inconsistent or ambiguous definitions, but rigorous risk management studies have helped remedy the lack of consensus. [4] The remainder of this section compares the standardized definition of risk appetite with other related terms.

Risk threshold

Since risk appetite can be stratified into levels of risk, risk threshold can be defined as the upper limit of risk appetite. [5] Risk threshold can also be defined as the maximal exposure [6] before risk treatment (i.e., action to reduce risk) is necessary.

Risk appetite is often used ambiguously to mean either all of the levels of risk below the threshold, or just the threshold level.

Risk attitude

Risk attitude is an organization's approach to risk: how it assesses risk and whether it eventually pursues, retains, takes or turns away from it. [7] Risk appetite is the amount and type of risk an organization is willing to pursue, retain, or take.

According to the Risk Appetite and Risk Attitude (RARA) Model, these two concepts "act as mediating factors between a wide range of inputs and key outcomes," which aids in decision-making. Risk appetite is expressed as risk thresholds, whereas risk attitude influences choice of risk thresholds. [4]

Risk tolerance

Whereas risk appetite is how much risk an organization is willing to take on, risk tolerance is how much risk an organization is capable of taking on. Therefore, an organization's risk threshold is always lower than or equal to its risk tolerance. [5] Exposure past the risk tolerance limit (not to be confused with the risk threshold) is sometimes referred to as 'unacceptable risk', since it will not pass risk acceptance. [8] [9]

For a simple example, consider an organization that is willing to ask for a loan of $50,000, but capable of asking for $100,000. In this context, $50,000 and $100,000 are levels of risk; the former is the threshold, the latter is the tolerance. One could further distinguish each bracket of $10,000 (under $50,000) as a different risk appetite. A loan of anything greater than $100,000 (or multiple loans adding up to the same, i.e., multiple risks) is considered unacceptable risk. This example combines qualitative and quantitative risk measurement.

Risk management

There is often a confusion between risk management and risk appetite,[citation needed] with the rigor of the former now recovering some of its lost ground from the vagueness of the latter. When derived correctly, the risk appetite is a consequence of a rigorous risk management analysis, not a precursor. Simple risk management techniques deal with the impact of hazardous events, but this ignores the possibility of collateral effects of a bad outcome, such as becoming technically bankrupt. The quantity that can be put at risk depends on the cover available should there be a loss, and a proper analysis takes this into account. The "appetite" follows logically from this analysis. For example, an organization should be "hungry for risk" if it has more than ample cover compared with its competitors and should therefore be able to gain greater returns in the market from high-risk ventures.

Measurement

Qualitative

Below is one possible qualitative model of risk appetites (that is, risk levels [10]) that a business may adopt to ensure a response to risk that is proportionate given its business objectives. [11] [12]

A more complex approach might have multiple dimensions of risk, such as a risk matrix.

The appropriate model may vary across an organization, with different parts of the business adopting an appetite that reflects their specific role, with an overarching risk appetite framework to ensure consistency.

Quantitative

Precise (quantitative) measurement is not always possible and risk appetite will sometimes be defined by a broad statement of approach or qualitative categories. An organization may have an appetite for some types of risk and be averse to others, depending on the context and the potential losses or gains.

However, measures can often be developed for different categories of risk. For example, it may aid a project to know what level of delay or financial loss it is permitted to bear. Where an organization has standard measures to define the impact and likelihood of risks, this can be used to define the maximum level of risk tolerable before action should be taken to lower it. [13]

Implementation

In some organizational contexts, a board of directors is responsible for setting an organisation's risk appetite. In the UK, the Financial Reporting Council says: "the Board determines the nature, and extent, of the significant risks the company is willing to embrace." [14] The appropriate level will depend on the nature of the work undertaken and the objectives pursued. For example, where public safety is critical (e.g. operating a nuclear power station) appetite will tend to be low, while for an innovative project (e.g. early development on an innovative computer program) it may be very high, with the acceptance of short-term failure that could pave the way to longer-term success.

In other contexts, once upper management has set broad goals and expectations that integrate all interested parties' input and the organisation's obligations, decision-making is then delegated to authorising officials. [15] These officials are authorised to make risk acceptance decisions at varying thresholds of risk acceptance criteria; different acceptance criteria may require higher levels of management to be authorised for acceptance. [16]
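The loan example in the Risk tolerance section and the delegated acceptance decisions described above, worked as a small decision model. This is an added illustration, not code from the article or from any cited standard; it assumes exposure is measured in currency, and the approver names per region are constructed for the example.

```python
"""Risk acceptance decisions against an appetite / threshold / tolerance model.
Added illustration, not code from the article or any cited standard.
Assumptions: exposure is measured in currency (as in the article's loan
example), and the approver names per region are constructed for this example.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Optional


@dataclass(frozen=True)
class AppetiteModel:
    threshold: float  # upper limit of risk appetite; treatment is required above it
    tolerance: float  # capacity to bear risk; exposure above it is unacceptable
    bracket: float    # width of one appetite level below the threshold

    def __post_init__(self) -> None:
        # Invariant from the article: the threshold never exceeds the tolerance.
        if not 0 < self.threshold <= self.tolerance or self.bracket <= 0:
            raise ValueError("require 0 < threshold <= tolerance and bracket > 0")

    def classify(self, exposure: float) -> str:
        """Map a total exposure to the article's three regions."""
        if exposure > self.tolerance:
            return "unacceptable"  # past tolerance: cannot pass risk acceptance
        if exposure > self.threshold:
            return "treat"         # above appetite but within capacity
        return "accept"            # within appetite

    def appetite_level(self, exposure: float) -> Optional[int]:
        """1-based bracket under the threshold; None once the threshold is crossed."""
        if exposure > self.threshold:
            return None
        return min(ceil(exposure / self.bracket), ceil(self.threshold / self.bracket))


# Constructed escalation table (who may sign off in each region), in the spirit of
# ISO/IEC 27005 delegation: stricter acceptance criteria need a higher authority.
APPROVER = {
    "accept": "delegated authorising official",
    "treat": "senior management, only after risk treatment",
    "unacceptable": None,
}


def decide(model: AppetiteModel, exposures: Dict[str, float]) -> dict:
    """Decide on several risks taken together: multiple loans add up to one exposure."""
    total = sum(exposures.values())
    status = model.classify(total)
    return {"exposure": total, "status": status,
            "appetite_level": model.appetite_level(total), "approver": APPROVER[status]}
```

With `AppetiteModel(50_000, 100_000, 10_000)`, a single $35,000 loan is accepted at appetite level 4, two loans of $35,000 and $40,000 together cross the threshold and need treatment, and $60,000 plus $50,000 exceed tolerance and cannot be accepted by anyone.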

Purpose and benefits

By defining its risk appetite, an organization can arrive at an appropriate balance between uncontrolled innovation and excessive caution. It can guide people on the level of risk permitted and encourage consistency of approach across an organisation.

Defining acceptable levels of risk also means that resources are not spent on further reducing risks that are already at an acceptable level.

Main areas

In literature, there are six main areas of risk appetite:

  1. financial
  2. health
  3. recreational
  4. ethical
  5. social
  6. information


References

  1. "objective: result to be achieved. Note 1: An objective can be strategic, tactical or operational. Note 2: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). Note 3: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a management system objective, or by the use of other words with similar meaning (e.g. aim, goal, target)." ISO 31073:2022 — Risk management — Vocabulary.
  2. "6.3.4 Defining risk criteria". ISO 31000:2018 — Risk management — Guidelines.
  3. "risk appetite". ISO 31073:2022 — Risk management — Vocabulary. Retrieved 17 July 2024.
  4. Hillson, David; Murray-Webster, Ruth. "Using risk appetite and risk attitude to support appropriate risk taking: a new taxonomy and model". Journal of Project, Program & Portfolio Management. 2 (1). doi:10.5130/pppm.v2i1.2188. Retrieved 17 July 2024.
  5. "Cybersecurity Materiality & Risk Management". ComplianceForge. Retrieved 17 July 2024.
  6. "exposure: extent to which an organization and/or interested party is subject to an event". ISO 31073:2022 — Risk management — Vocabulary. Retrieved 16 July 2024.
  7. "risk attitude". ISO 31073:2022 — Risk management — Vocabulary. Retrieved 16 July 2024.
  8. "risk acceptance: informed decision to take a particular risk. Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment. Note 2: Accepted risks are subject to monitoring and review." ISO 31073:2022 — Risk management — Vocabulary. Retrieved 17 July 2024.
  9. Pratt, Mary (Sep 2023). "What is a risk profile?". TechTarget. Retrieved 17 July 2024.
  10. "level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood". ISO 31073:2022 — Risk management — Vocabulary. Retrieved 16 July 2024.
  11. Thinking about Risk - Managing your risk appetite: A practitioner's guide (November 2006). HM Treasury. p. 12.
  12. Chief Financial Officers Council; Performance Improvement Council (28 Nov 2022). "Playbook: Enterprise Risk Management (ERM) for the U.S. Federal Government" (PDF). Office of Shared Solutions and Performance Improvement of the General Services Administration. p. 31. Retrieved 16 July 2024.
  13. Hassani, B.K. (2015). "Risk Appetite in Practice: Vulgaris Mathematica". The IUP Journal of Financial Risk Management. 12 (1): 7–22. SSRN 2672757.
  14. "Guidance on Board Effectiveness" (PDF). FRC. Retrieved 2 July 2019.
  15. Joint Task Force (Dec 2018). "SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations". NIST Information Technology Laboratory. p. 33. Retrieved 16 July 2024.
  16. ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection — Guidance on managing information security risks (4th ed.). p. 11.