Determining Risk Appetite with focus on Strategic Risk Management

Risk Appetite, a term familiar yet confusing as multiple interpretations and perceptions exist. To put it simply, no one can run a business without taking risks. Therefore, risk appetite is the quantity of risk the business owners are willing to take to get the desired rewards. The perception is that organizations are doing a good job of calculating risk appetite. The financial crises showed that financial institutions, the torchbearers for risk management did a pathetic job at assessing their risk appetites. Further emphasizing the issue, KPMG survey stated that just a quarter of the organizations have a formal risk appetite statement.

While assessing risk appetite goes to the core of strategy formation, it becomes a more vexing and perplexing from the perspective of Strategic Risk Management (SRM) as an incorrect assessment can bankrupt the organization. To add on, nowadays in some countries boards are accountable for defining the risk appetite of an organization. For example, the UK Corporate Governance Code states, “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010).

The challenge is how to determine risk appetite as a simple ballpark figure cannot be calculated. While one can say the devil is in the detail, the question remains how does one work out the details. In my view, there are three stages for designing and implementing a risk appetite statement in specific reference to SRM – assessing risk capacity, aligning to strategic objectives, and implementing measurement and monitoring framework. Let us discuss these three areas.

1.    Assessing Risk Capacity

The strategic objectives of the organization are growth, market share, profitability, increase in share value, reputation, regulatory standing, capital structure etc. To achieve objectives two aspects have to be balanced – propensity to take risks and propensity to control risks. For example, growth at the cost of reputation damage is not desirable.    

 The various aspects that impact risk appetite are organization culture, market position, geographical spread, reputation, industry sector, share price, ownership pattern, capital structure, business model, business processes and risk management maturity within the organization. Hence, a one-size fit all approach cannot be adopted for assessing risk appetite.

The Institute of Risk Management consultation paper of Risk Appetite propagates the concept of calculating risk appetite as a basis of shareholder value. “The model is based on the hypothesis that shareholder value is calculated as the cash flow from operations, discounted by the weighted average cost of capital, less the value of debt”. The model suggests that risks should be tested on their impact on shareholder value and an aggregate of various risks should be taken as risk appetite. However, this model does not take the qualitative factors in to account and some aspects of the business are not measurable. For example, reputation damage is difficult to measure and the impact is long term. In my view, both qualitative and quantitative factors should be taken.

In my opinion, the following approach may be followed. 

  • Board decides the strategic objectives of the organization and then explores the upside and downside risks, and their qualitative and quantitative impact.
  • Next, assess interrelationships between various factors influencing risk appetite.
  • Map these on a quadrant for level of risk and impact. This allows the board to have flexibility in determining assessing the separate risks for meeting each objective and the cumulative risk of the organization.

For example, the objective of a multinational is 100% increase in sales. The strategy is to enter Indian market. Now the upside risks are- different customer preferences, cheaper local products, lower costs of production etc. The downside risks are high-level corruption, geographical distance reduces managerial control, license permits etc. Here the risks for exploiting opportunities and mitigating threats are listed, graded and quantified where possible. Play with the growth figures to assess the movement in various risks. Do they change significantly or remain the same. Assess the impact on shareholder value if these risks occur. 

Next, to stay on the conservative side take the value of threats without deducting the opportunities for assessing risk appetite. Grade the level of threats with varying sales growth. Identify the figure at which the management is comfortable while taking risks and its impact on shareholder value. I think this figure should ideally be the risk appetite of the organization.    

2.    Aligning Risk Appetite

One of the frequent debates is that all operational risks eventually impacts strategic risks and strategic risks affect operational risks. However, it is not easy to line up all the ducks in a row. A strategic risk may occur while the tactical and operational risks are mitigated. For example, political risk is an external strategic risk, which can have huge impact on the organization although tactical and operational risks relating to the activity are adequately addressed.

The second aspect is that how does one align upside strategic risks to operational risks. Although operational risks can also have an upside, they may not be directly correlated to strategic upside risks.

The third challenge is that risk appetite of the organization continuously changes according to the various events occurring within and outside the organization. For example, the strategy was to increase sales of X product for which the organization determined a specific risk appetite. However, the competitor introduced a technologically advanced and cheaper Y product which made X product redundant. Hence, now since the organization has a strategy failure its risk appetite changes and that change would reflect on other products.

Hence, the big question is how does one align risk appetite to strategic objectives and link it back to other risks.

First, clear the misconception that risk appetite is one fixed number for an organization. Risk appetite is a moving figure continuously fluctuating and requires adjustment on an ongoing basis. Second, an organization can have a range of risk appetites for different strategic objectives. For example, if the organization sells two main products, for each the risk appetite will be different. For the same product, an organization has different risk appetites according to geographical area.

 Therefore, one can say that the overall risk appetite is a cumulative total of strategic, tactical and operational risks. Hence, as a first step apportion the total risk appetite to different strategic objectives and plans. From the strategic objectives, further break down risk appetite for tactical and operational goals. Follow this method to align risk appetite from top to the bottom of the organization. Finally, monitor the changes required by setting up measurement criteria at each level.    

3.    Implementing Measurement and Monitoring Framework

Peter Drucker cynical observation was “Management by objective works- if you know the objectives. Ninety percent of the time you don’t.” This dilemma is caused because organizations are measuring a number of things, and frequently effort is spent on measuring non-critical aspects of the business. The need of the hour is to have a strong framework for measuring risk appetite and deviations and exceptions to it. Dropping the ball in this aspect sometimes results in losses in millions. Hence, implementing good measurement criteria for risk appetite is crucial for any business.

As a first step, develop a set of Key Risk Indicators and Key Control Indicators for the strategy and business objectives. These indicators will measure propensity to take risks and control risk are within the parameters specified by the risk appetite statement. For example, the strategic objective is to grow sales of product X by 100%. To achieve this objective implementation plans would be developed and operations geared towards it. This may involve installing new machines for production of product X, developing a new market campaign, entering a new geography etc. After aligning tactical and operational risks to strategic risks, the deviation in any will reflect in the whole chain. The effect on interconnected risks and projects will be apparent. This continuous monitoring of risks will enable the organization to actual risks within the risk appetite of the organization. Secondly, as it is unlikely that the organization developed a completely accurate risk appetite statement the first time round, the monitoring will show the errors. The organization can go back to the designing phase and reconsider their assumptions and risks to further fine tune risk appetite statement. These juxtapositions spark fresh insights in re-sketching the risk appetite statement.

Closing thoughts

The short story is that risk appetite is an evolving concept that requires much more work and research. While developing risk appetite statements for organizations, risk managers get disheartened as they think they are zigzagging and backtracking between various risks, strategic objectives and business plans. It appears that they are following a lost trail. Though the concept is still fuzzy in some areas, it is a useful tool to manage risks within the organization. My suggestion to risk managers is to start with dipping your toes in the water and with practice, you can swim across the sea.


  1. Risk Appetite and Risk Tolerance – A consultation paper from the Institute of Risk Management,  May 2011
  2. Understanding & Articulating Risk Appetite – KPMG

10 comments on “Determining Risk Appetite with focus on Strategic Risk Management

  1. Pingback: Strong Risk Culture Benefits Strategic Risk Management « Sonia Jaspal's RiskBoard

  2. Pingback: Risk Management Failures « Sonia Jaspal's RiskBoard

  3. Pingback: 10 Best Practices for Governance, Risk Management & Compliance « Sonia Jaspal's RiskBoard

  4. Pingback: 10 Steps for Restructuring Risk Management Function « Sonia Jaspal's RiskBoard

  5. Pingback: engine mapping guide

  6. Pingback: Debt Management

  7. Pingback: India Country Risks in 2012 « Sonia Jaspal's RiskBoard

  8. Pingback: Comments on COSO revised framework Internal Control – Integrated Framework « Sonia Jaspal's RiskBoard

Comments are closed.