Archive for the ‘Internal Control’ Category

Risk Appetite

Tuesday, November 11th, 2008

Risk appetite represents the amount of risk that an entity or person is willing to accept in the pursuit of their goals and objectives. The level of risk will vary from low to medium to high. It depends on how the entity balances its goals for growth, return, and investment. This usually relates to quantitative analysis and is applied directly to strategy.

The Enterprise Risk Management framework works to enhance the organization by facilitating risk appetite and strategy. This is a process of linking growth, risk, and return. Using this approach provides a balance for enhancing risk response decisions and helps to minimize operational surprises and losses. It is a great platform for identifying and managing cross-enterprise risks and providing integrated responses to multiple risks. In short, it helps to reduce the downside and increase the upside. This is exactly the approach to apply in the turbulent economic conditions that we face today.

Risk appetite is established by finding an acceptable balance between growth, risk and return. It is a process of finding the right relationship between risk appetite and strategy. The risk management framework assists in the alignment of people, processes, and infrastructure. Essentially strategy guides the process of resource allocation.

Another aspect of understanding risk appetite is dealing with the entity’s tolerance for risk. This boils down to reaching acceptable levels of variation in the achievement of objectives. It should be measurable. You want to align the organization to ensure that actual results will fall within an acceptable level of risk tolerance. Operating with an acceptable level of risk tolerance gives management greater assurance that the entity stays within its risk appetite.

You might ask how we form a defined risk appetite. We need to evaluate the impact of a potential event as low, medium, or high. At the same time, we need to consider the likelihood of an event occurring and make a judgment as to whether it is low, medium, or high. Events that have low impact and a low likelihood of occurrence will produce a situation falling within risk appetite. On the other hand, an event with high likelihood and high impact will exceed our risk appetite.

We need to define events as incidents or occurrences that are internal or external that could affect the implementation of strategy or impair the achievement of goals and objectives. What management needs to do is identify uncertainties that exist and assess when they could occur and what will be the outcome. It is a process of evaluating a range of potential events and ranking them from obvious to obscure. The next step is to measure the potential effect from significant to insignificant. Finally a determination must be made relative to the likelihood of occurrence.

It is really a common-sense and straightforward approach to managing the business by following these simple rules. Unfortunately, not enough management teams follow this disciplined approach. Instead they follow the methodology of “fire, ready, aim.” This is probably the best way to lose the game. I think there is a better way, as I have described above. It is a lot easier to do it right than suffer the consequences of doing it wrong.

Understanding Risk

Monday, November 10th, 2008

The first thing we need to realize is that risk will evolve from either internal or external sources with the potential to affect strategy. Risk represents the possibility that some event will occur. Management’s job is to assess all the risks associated with implementing strategy and achieving the organization’s objectives. It boils down to considering the impact of all the underlying events that might have some impact.

Enterprise Risk Management (ERM) is a framework for aligning risk appetite and strategy. Based on application of the framework, managing risk becomes a process of enhancing our risk management decisions. It is about reducing operational surprises and losses through a process for identifying and managing all of the potential multiple and cross-enterprise risks. It is more than avoiding losses; it is a process for seizing opportunities and looking for ways to improve the deployment of capital.

It is very closely linked to internal control in that it is a process that is created and managed by people. It is, or should be, applied in a strategy setting and across the enterprise. It will only provide reasonable assurance and is geared to the achievement of objectives. When we say that risk management is applied in setting strategy, we mean that it sets strategies and then considers risks relative to alternative strategies. It evaluates alternatives and helps decide on a course of action.

Risk management is applied across the entire enterprise and should consider the entire scope of activities at all levels of the organization. You need to consider special projects and new initiatives. Don’t apply the concept too narrowly because taking a portfolio of risks may override the occurrence of a single isolated event. Your assessment should consider both quantitative and qualitative factors in reaching judgments. Also, it is useful to group risks into categories.

Now that we have got you started on the road to understanding risk management, we will take up risk appetite in our next post.