Risk appetite is an essential component of any successful business strategy. It's the amount and type of risk that an organization is willing to take on in order to achieve its goals. But getting risk appetite right can be tricky, especially in today's fast-paced and ever-changing business environment. High inflation, pending recession, intense competition and the need for a strong digital strategy (customer experience, engagement and technology enhancements, new distribution channels, leveraging different ecosystems, increasing the use of data analytics and establishing digital metrics and measurements) are only a few of the challenges that organizations face when trying to strike the right balance between risk and reward. In this article, we'll take a closer look at what it takes to get risk appetite right and explore some strategies for managing risk in an uncertain environment.
As part of our services to clients, we have seen leaders spend considerable time on enterprise risk management (ERM): risk identification, assessment, response and monitoring activities, all tied to strategy, business objectives and performance. And while that is an important piece of the puzzle, sometimes what is lacking is enough time spent on defining and ensuring risk appetite is understood and consistent within the organization as it aligns with strategy, mission and values. In other words, the amount of risk leadership within an organization communicates they are willing to accept in pursuit of their goals does not always align with the actions, investments and priorities. That's where risks can emerge.
Examples
Misaligned IT security risk appetite and investment
A leader states the organization has a low-risk appetite for IT security risk (while recognizing cybersecurity risk as a high risk); however, investments made versus requested and projects prioritized for IT security do not align with the stated risk appetite and communication to stakeholders.
Misaligned risk appetite related to realizing benefits of data analytics for a competitive advantage
An organization has a high-risk appetite to increase technological and data analysis capabilities for competitive and strategic purposes, all while not investing in the required solutions, stretching talent thin on multiple projects and cutting corners for financial purposes. These actions are misaligned to the strategy, mission, values, correlated risk appetite and business objectives.
Unclear stance on risk appetite related to compliance
The risk is that the company's operations will be conducted in a way that falls outside of regulatory compliance and exposes it to legal or penalties. If the company's leaders have not communicated their risk appetite, it can be hard for employees to understand which activities are or are not acceptable, which can lead to costly compliance breaches.
Set clear statements and guidelines on your risk appetite
Without clear guidelines for how much risk is acceptable, decision-makers within the company may pursue risky opportunities without fully understanding the potential downsides. This can cause financial losses, damage to the company's reputation and, in some cases, even the failure of the company.
If you are an internal audit practitioner, a regulator or a leader, take the time to revisit risk appetite at the organization. Understanding or assessing your organization's risk appetite is critical for effective enterprise risk management because it helps with:
- Improved decision-making: Clearly defining an organization's risk appetite allows decision-makers to more easily evaluate the potential risks and rewards of different options and make more informed choices.
- Better alignment with organizational goals: Risk appetite helps ensure that an organization's risk-taking aligns with its overall goals and objectives.
- Enhanced risk management: Regularly assessing risk appetite helps an organization to identify and address potential risks before they become major issues.
- Greater transparency: Communicating its risk appetite to stakeholders will increase an organization’s transparency and build trust with its shareholders, customers and other stakeholders.
- Increased compliance: Defining and assessing risk appetite can also help an organization ensure that it is in compliance with relevant regulations and industry standards.
In 2020, COSO issued guidance called Risk Appetite–Critical to Success: Using Risk Appetite to Thrive in a Changing World. Below is a high-level approach summarizing the guidance that can help organizations kick-start their processes to update and refine their risk appetites and align them with their business objectives and strategies:
Avoid costly mistakes
Organizations make the mistakes related to risk appetite when they stop with definition and alignment at the enterprise level
