An important part of risk management is the understanding that an organization cannot avoid all risk all the time. However, when implementing an enterprise risk management system, organizations are in control of certain aspects of potential risk. Before attempting to manage risk, an organization must determine its risk appetite.
What is Risk Appetite?
ISO 31000:2018’s companion document, Guide 73, defines risk appetite as “the amount and type of risk that an organization is prepared to pursue, retain or take.” Risk appetite is about the organization’s view of risk versus reward; is a certain type or amount of risk worth taking (or not)? A certain type of risk might be impossible to take on, while another could be rewarding in limited amounts. Risk appetite is unique to every company, and even to every department thereof.
An organization must establish its internal and external context in order to determine its risk appetite. There are many factors to consider when establishing context, such as competition or finances. When determining risk appetite, an organization might examine its financial resources to find out whether it can take on specific financial risks, and up to what amount. Contextual factors change over time, so understanding risk appetite is an ongoing process for any organization.
Types of Risk Appetite
When organizations determine what type and what amount of risk they can pursue based on contextual factors, they arrive at their specific type of risk appetite. There are three main categories that an organization’s risk appetite can fall into: high risk, low risk, and risk-neutral.
Organizations that have a high-risk appetite are also defined as risk-seeking. These organizations have ascertained that they are willing to take risks that are high in uncertainty, but also high in potential reward.
Organizations that have a low-risk appetite are also described as risk-averse. These organizations have determined that the best option for them is to avoid risk and therefore avoid potential losses.
Organizations that are risk-neutral use a risk-reward ratio to measure potential results and are neither seeking risk nor avoiding it. These organizations are comfortable accepting risks that have the best risk-reward ratio or risks that are needed to reach a critical goal.
An example of risk appetite
One organization determines that it cannot take any risk that could result in a loss of revenue; therefore, all financial risk is off the table for this company. Another organization concludes that it is willing to take financial risks, but only up to a ceiling of three million dollars. Both companies took internal and external context into account, and each has established a risk appetite that is unique to its capabilities and objectives.
Determining an organization’s risk appetite is an essential part of risk management, decision-making, and the pursuit of objectives within a company. Any organization should determine and understand its risk appetite in order to manage risk in the most efficient and effective way. Risk appetite is very often confused with risk tolerance, which is a distinct concept.
Whether high or low risk, an organization’s risk appetite is established to support the achievement of objectives. Determining risk appetite is a great tool for an organization looking to encourage informed decision-making and streamline risk management.