Risk appetite is an essential component of any successful business strategy. It's the amount and type of risk that an organization is willing to take on in order to achieve its goals. But getting risk appetite right can be tricky, especially in today's fast-paced and ever-changing business environment. High inflation, pending recession, intense competition and the need for a strong digital strategy (customer experience, engagement and technology enhancements, new distribution channels, leveraging different ecosystems, increasing the use of data analytics and establishing digital metrics and measurements) are only a few of the challenges that organizations face when trying to strike the right balance between risk and reward. In this article, we'll take a closer look at what it takes to get risk appetite right and explore some strategies for managing risk in an uncertain environment.
As part of our services to clients, we have seen leaders spend considerable time on enterprise risk management (ERM): risk identification, assessment, response and monitoring activities, all tied to strategy, business objectives and performance. And while that is an important piece of the puzzle, what is sometimes lacking is enough time spent on defining risk appetite and ensuring it is understood and consistent within the organization as it aligns with strategy, mission and values. In other words, the amount of risk that an organization's leadership says it is willing to accept in pursuit of its goals does not always align with its actions, investments and priorities. That's where risks can emerge.
Examples
Misaligned IT security risk appetite and investment
A leader states the organization has a low risk appetite for IT security risk (while recognizing cybersecurity risk as a high risk); however, the investments made versus those requested, and the projects prioritized for IT security, do not align with the stated risk appetite and communication to stakeholders.
Misaligned risk appetite related to realizing benefits of data analytics for a competitive advantage
An organization has a high risk appetite for increasing its technological and data analysis capabilities for competitive and strategic purposes, all while not investing in the required solutions, stretching talent thin across multiple projects and cutting corners for financial purposes. These actions are misaligned with the strategy, mission, values, correlated risk appetite and business objectives.
Unclear stance on risk appetite related to compliance
The risk is that the company's operations will be conducted in a way that falls outside of regulatory compliance and exposes it to legal or penalties. If the company's leaders have not communicated their risk appetite, it can be hard for employees to understand which activities are or are not acceptable, which can lead to costly compliance breaches.
Set clear statements and guidelines on your risk appetite
Without clear guidelines for how much risk is acceptable, decision-makers within the company may pursue risky opportunities without fully understanding the potential downsides. This can cause financial losses, damage to the company's reputation and, in some cases, even the failure of the company.
If you are an internal audit practitioner, a regulator or a leader, take the time to revisit risk appetite at the organization. Understanding or assessing your organization's risk appetite is critical for effective enterprise risk management because it helps with:
- Improved decision-making: Clearly defining an organization's risk appetite allows decision-makers to more easily evaluate the potential risks and rewards of different options and make more informed choices.
- Better alignment with organizational goals: Risk appetite helps ensure that an organization's risk-taking aligns with its overall goals and objectives.
- Enhanced risk management: Regularly assessing risk appetite helps an organization to identify and address potential risks before they become major issues.
- Greater transparency: Communicating its risk appetite to stakeholders will increase an organization’s transparency and build trust with its shareholders, customers and other stakeholders.
- Increased compliance: Defining and assessing risk appetite can also help an organization ensure that it is in compliance with relevant regulations and industry standards.
In 2020, COSO issued guidance called Risk Appetite–Critical to Success: Using Risk Appetite to Thrive in a Changing World. Below is a high-level approach summarizing the guidance that can help organizations kick-start their processes to update and refine their risk appetites and align them with their business objectives and strategies:
Avoid costly mistakes
Organizations make mistakes related to risk appetite when they stop at definition and alignment at the enterprise level and do not go on to take a top-down and bottom-up approach to risk appetite development, assessment and refinement.
Questions to facilitate risk appetite at the enterprise level and the business operations level:
- Which strategies or objectives are most important to our success?
- Can you describe activities that would, in your view, indicate the organization isn’t taking enough risk to attain the performance it wants?
- Can you describe activities that would, in your view, be above our appetite and how might these relate to our strategy?
- Where do you think our risk appetite is today? Is it averse, neutral or aggressive? Do you think it should be higher or lower in the future to sustain success?
- Are there aspects of our business that have a lower or higher appetite for risk? Why?
- Are there specific risks that need to be considered in developing our appetite? Which ones and why?
In summary, setting and communicating risk appetite is important to ensure that the company is taking on the appropriate level of risk, which can help to prevent costly mistakes and ensure that the company's operations are in line with regulatory requirements.
How Baker Tilly’s industry and risk advisory specialists can help:
- ERM assessments
- ERM and risk appetite workshops and implementation assistance
- ERM benchmarking
- Advisory and industry insights on data to support risk tolerances and key risk indicators