Risk Appetite - Inherent and Residual?

The case for setting both an Inherent and Residual Risk Appetite

In the last two blogs, Inherent Risk - Is it useful? and Expected and Targeted Risks, I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite. 

The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.

At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites. Listening to the conversations it becomes clear that the discussion was at cross purposes.

The director that wanted a higher appetite was an “ideas” person and wanted to encourage the business to explore opportunities and strategies that were “a bit out there” while the other director was concerned as to how this high appetite might affect the business, especially in relation to financial and reputation impacts.

As they were discussing, I realised that the “ideas” director was talking about inherent risk while the other director was talking about residual risk. This is like arguing about apples and oranges - they are not the same. I then suggested that we set a risk appetite for both inherent and residual risk defined as:

Once we did this, the divergence between the views of the two directors narrowed and some common ground was found.

In the following illustration, I have used the simple qualitative risk appetite measures of Low, Medium and High.

The setting of an inherent risk appetite demonstrates the willingness of the board to allow the organisation to investigate higher risk opportunities.

Setting a higher inherent risk appetite empowers the business to research new and innovative ideas. This is not implying we are giving authority to go ahead with these riskier ideas, just researching them.

This satisfied the “ideas” director who was keen in encouraging management to consider alternative and innovative strategies.

The setting of residual risk appetite, on the other hand, demonstrates the board's view as to the level of controls that would be required over the new initiatives and innovation prior to “going live”. This satisfied the more conservative director as they were concerned about the ultimate impact on the organisation from these initiatives. If a low residual risk appetite is set, this implies that before going ahead with the initiative, and where possible, we must invest in adequate controls to bring the residual risk to low.

This is illustrated below: Example Risk Appetite Extract

The various combinations of inherent and residual risk appetite and what that implies is as follows:

In terms of applying this to strategy, both appetites need to be addressed. The Inherent risk appetite defines what strategies can / cannot be even brought to the table. The residual risk appetite specifies that only where it is possible to control the risk to the residual risk appetite level, may the strategy be pursued. For example, if inherent risk appetite is high while residual is low, if it is not possible to implement controls to bring to a residual of low, even though the strategy is within the inherent appetite, it could not be pursued. i.e. Both the Inherent and Residual risk appetites need to be met.

As with all ideas in risk management, the usefulness and appropriateness of setting inherent and residual risk appetite will differ by organisation depending on the makeup of the board, the maturity of risk management and risk appetite and the level of complexity in the organisation’s existing risk management framework.

The main negative of setting both levels is increased complexity and this needs to be weighed up against the benefits and this judgement must be left to each organisation. We have found it to be very useful for some clients especially where disparate board views exist but can think of other examples where it would not add so much value.

We would like to hear your thoughts and views and invite your constructive feedback through comment. Alternatively, please feel free to contact me on [email protected].

If you would like to know more about Risk Appetite then you can subscribe to the next  Risk Appetite Workshop which is being held in Sydney on 4th April. More Information Here

To see what other training sessions are being held you can visit our training calendar.