Risk appetite

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the "Amount and type of risk that an organization is prepared to pursue, retain or take". This concept helps guide an organization's approach to risk and risk management.

Levels

The Board of Directors is normally responsible for setting an organisation's risk appetite. In the UK the Financial Reporting Council says: "the Board determines the nature, and extent, of the significant risks the company is willing to embrace." [1] The appropriate level will depend on the nature of the work undertaken and the objectives pursued. For example, where public safety is critical (e.g. operating a nuclear power station) appetite will tend to be low, while for an innovative project (e.g. early development of an innovative computer program) it may be very high, with the acceptance of short-term failure that could pave the way to longer-term success.

Below are examples of broad approaches to setting risk appetite that a business may adopt to ensure a response to risk that is proportionate to its business objectives. [2]

The appropriate approach may vary across an organization, with different parts of the business adopting an appetite that reflects their specific role, with an overarching risk appetite framework to ensure consistency.

Measurement

Precise measurement is not always possible and risk appetite will sometimes be defined by a broad statement of approach. An organization may have an appetite for some types of risk and be averse to others, depending on the context and the potential losses or gains.

However, measures can often be developed for different categories of risk. For example, it may aid a project to know what level of delay or financial loss it is permitted to bear. Where an organization has standard measures to define the impact and likelihood of risks, these can be used to define the maximum level of risk tolerable before action should be taken to lower it. [3]

Purpose and benefits

By defining its risk appetite, an organization can arrive at an appropriate balance between uncontrolled innovation and excessive caution. It can guide people on the level of risk permitted and encourage consistency of approach across an organisation.

Defining acceptable levels of risk also means that resources are not spent on further reducing risks that are already at an acceptable level.
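The measurement idea above (standard likelihood and impact scales used to fix a ceiling per risk category) and the point that accepted risks should not consume further resources can be shown together in code. The following is an added illustration, not code from the article or from any of the cited sources: the 1-5 scales, the category ceilings, the `Risk`/`assess` names and the risk register are all constructed for the example.

```python
"""Evaluate a constructed risk register against a per-category risk appetite.

Added example (not from the article). Each risk is scored as
likelihood x impact on 1-5 scales, compared with the appetite ceiling for
its category, and sorted into "treat" (over appetite, action required) and
"accept" (within appetite, no further spend). Scales, ceilings, names and
the register are all constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative 1-5 scales, assumed for the example; the article leaves the
# actual measures to the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Appetite ceiling per category: the highest score retained without action.
# Low for safety-critical work, high for exploratory work, mirroring the
# article's nuclear-plant vs. software-prototype contrast. Values are constructed.
APPETITE = {
    "safety": 4,
    "financial": 9,
    "information": 6,
    "innovation": 16,
}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        """Likelihood x impact on the constructed 1-5 scales (range 1-25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def assess(register, appetite=APPETITE):
    """Split a register into (treat, accept).

    treat  : risks whose score exceeds their category ceiling, ordered by
             how far over appetite they are (largest excess first).
    accept : risks at or below the ceiling; no further reduction is funded.
    A risk in a category with no defined appetite is an error, since the
    framework cannot say whether it is acceptable.
    """
    treat, accept = [], []
    for risk in register:
        if risk.category not in appetite:
            raise ValueError(f"no appetite defined for category {risk.category!r}")
        excess = risk.score - appetite[risk.category]
        (treat if excess > 0 else accept).append((risk, excess))
    treat.sort(key=lambda pair: pair[1], reverse=True)
    return [r for r, _ in treat], [r for r, _ in accept]


# Constructed register for the example.
REGISTER = [
    Risk("Unpatched internet-facing server", "information", "likely", "major"),        # 16 > 6
    Risk("Prototype feature fails with pilot users", "innovation", "likely", "moderate"),  # 12 <= 16
    Risk("Control-room alarm latency", "safety", "unlikely", "severe"),                 # 10 > 4
    Risk("FX exposure on supplier contract", "financial", "possible", "minor"),         # 6 <= 9
]

if __name__ == "__main__":
    treat, accept = assess(REGISTER)
    for r in treat:
        print(f"TREAT  {r.score:>2} > {APPETITE[r.category]:>2}  [{r.category}] {r.name}")
    for r in accept:
        print(f"ACCEPT {r.score:>2} <= {APPETITE[r.category]:>2} [{r.category}] {r.name}")
```

Note how the same raw score can fall on different sides of the line depending on the category: the prototype failure scores higher than the alarm latency, yet only the latter requires treatment, because the safety ceiling is far lower than the innovation ceiling. That is the "appetite varies across the organisation within one overarching framework" point from the Levels section.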

Main areas

In the literature,[citation needed] there are six main areas of risk appetite:

  1. financial
  2. health
  3. recreational
  4. ethical
  5. social
  6. information

Risk management and risk appetite are often confused, with the rigor of the former now recovering some of the ground lost to the vagueness of the latter. When derived correctly, the risk appetite is a consequence of a rigorous risk management analysis, not a precursor to it. Simple risk management techniques deal with the impact of hazardous events, but this ignores the possibility of collateral effects of a bad outcome, for example becoming technically bankrupt. The quantity that can be put at risk depends on the cover available should there be a loss, and a proper analysis takes this into account. The "appetite" follows logically from this analysis. For example, an organization should be "hungry for risk" if it has more than ample cover compared with its competitors, since it should then be able to gain greater returns in the market from high-risk ventures.


References

  1. "Guidance on Board Effectiveness" (PDF). FRC. Retrieved 2 July 2019.
  2. Thinking about Risk: Managing your risk appetite. A practitioner's guide. HM Treasury, November 2006, p. 12.
  3. Hassani, B.K. (2015). "Risk Appetite in Practice: Vulgaris Mathematica". The IUP Journal of Financial Risk Management. 12 (1): 7–22. SSRN 2672757.