Risk AppetitePosted: June 8, 2020
COSO recently released a paper looking at risk appetite. Risk appetite is a vague and usually misunderstood concept related to internal control and risk management. Risk must be taken to move a business forward. Even the simple act of opening a store or posting something for sale on a website involves taking on some risk. Don’t believe me? In order to sell something online, a website has to be set up and arrangements made to accept payment. Even if a person does all that on their own, they are taking a risk that the time they are investing on such an effort will provide a greater payback than spending that time on something else.
At a very simple level, risk appetite is how much risk an organization is willing to take. However, too often risk appetite is used interchangeably with risk tolerance. Risk appetite is different because risk tolerance is more about how much variability in outcomes the organization is willing to tolerate, while risk appetite is about how much risk the organization is willing to take on in the first place. Organizations need to consider risk appetite when developing strategy and plans.
If a strategy that calls for a lot of risk is misaligned with an organization’s risk appetite, the strategy is destined for failure. That sounds obvious, but the reality may be less easy to spot. An example from the document discussed an organization that had a strategy “to grow business by expanding global manufacturing locations.” However, when it became clear that some global locations presented risk that exceeded the manufacturer’s appetite, the strategy was updated: “To grow business by expanding to global locations within established infrastructure requirements and governmental regulations.”
Most people would agree the revised strategy involved a lower level of risk that apparently was in line with the organization’s lower level of risk appetite, but also limited the potential benefit from manufacturing across the globe. The point is that an organization needs to understand its risk appetite to understand if it can accomplish the strategy and goals it sets out. If the risk appetite is not aligned with the strategy, then either the strategy or the risk appetite needs to be changed.