Risk Appetite: Key Considerations
There are numerous definitions of organisational ‘risk appetite’, but they all boil down to how much of what sort of risk an organisation is willing to take. Risks need to be considered in terms of both opportunities and threats and are not usually confined to money - they will invariably also impact on the capability of your organisation, its performance and its reputation.
In plain and simple terms, Risk Appetite normally represents ‘The amount of risk that an organization is prepared to accept, tolerate, or be exposed to at any point in time.’
Each level of the organisation needs clear guidance on the limits of risk that they can take. Risk appetite should be expressed in the same terms as those used in assessing risk. An organisation’s risk appetite is not necessarily static; in particular the Board will want to vary the amount of risk that it is prepared to take depending on the circumstances at the time.
Risk appetite is not a magic number, nor always quantifiable. It is dependent upon the aims of the business and what risks have to be taken to achieve those aims. However, those risks must be well-considered and well-managed. To be so, an organisation must provide guidance on the acceptable level of risk that it considers appropriate across the breadth of its business (i.e. risk appetite). Risk appetite needs to be considered not only for individual programmes/projects, but also across operational delivery areas and, in its totality, for the overall portfolio of risks to ensure that an organisation’s risks are appropriate, balanced and sustainable.
At the organisational level risk appetite can become complicated, but at the level of a specific risk it is more likely that an acceptable level of exposure (consequences) can be defined in terms of both the impact if the risk occurs and the frequency of that impact. What is tolerable may be affected by the value of assets lost or wasted in the event of an adverse impact; stakeholder perception of such an impact; the cost of implementing actions to further manage the risk; the likelihood of the risk occurring; and the balance of potential benefit to be gained. There is also a need for a management culture and supporting processes that allow due consideration of risk before major decisions are taken to begin new policy projects or corporate change initiatives and during the development and implementation of programmes of work.
Once the risk appetite has been defined, individual risks can be assessed against the risk appetite descriptors and decisions can be made about whether the optimum level of residual risk has been reached.