Step 1: Define risk appetite

Risk appetite can be defined in general terms as the variability in results that an organization and its senior executives are prepared to accept in support of a stated strategy. The end product, however, needs to clearly articulate the key sources of risk in a form that is readily comprehensible to non-specialists. As such, defining risk appetite also requires a fundamental review of the perspectives and concerns of all key stakeholders, as well as the implications of current corporate strategy.

Step 2: Embed in the organization

Although a useful exercise in raising senior management awareness of risk issues, simply having a group-level statement of the desired aggregate risk profile will not by itself help the organization take the ‘right’ risks in a well-managed manner. To achieve that, it must become embedded throughout the organization. The ‘top-down’ desired risk profile must be compared with the ‘bottom-up’ reality. Aggregate reporting of actual versus desired risk profile must be improved. The organizational model must be reviewed to ensure clear responsibilities and escalation criteria for ‘hard’ and ‘soft’ tolerance breaches. Finally, trigger levels, limit structures and delegated authorities must be realigned, and potential risk appetite implications must be considered in all major resource allocation decisions. This may seem a daunting and far-reaching array of tasks – but consider the ramifications if they are not undertaken: the firm’s risk taking might be too extensive or ‘off strategy’ or both, storing up potentially severe problems for the future.

Step 3: Link to strategy and growth

The third step shifts the discussion of risk from a mindset of ‘loss minimizing’ to one of optimizing the organization’s risk-return profile. This requires risk appetite ideas to be embedded into key strategic and tactical decisions. Again, this is not easy. It typically requires greatly improved interaction between the corporate strategy, risk and finance functions. Senior managers should start to think in terms of earnings at risk/cash flow at risk, and risk managers should think more about business requirements.