Key messages: It is worth the time to express risk appetite
There is a great deal of confusion, even in the ranks of risk professionals, in and around the terms risk appetite and tolerance. I will focus on the former at this stage and address the latter in another article. So how is the term risk appetite defined? The ISO 31000 definition describes it as
“amount and type of risk an organization is prepared to pursue or take”.
Whilst risk tolerance is defined as the
“organization’s readiness to bear the risk after risk treatments in order to achieve its objectives,
NOTE Risk tolerance can be limited by legal or regulatory requirements.”
When these definitions are compared, a reasonable assertion is that risk appetite is considered pre-treatment, while risk tolerance is applied in conjunction with residual risk, which the standard defines as
“risk remaining after risk treatments.
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk is also known as retained risk”
that is, as a post-treatment consideration.
If you accept the assertion, then the next question is “should the organisation express its risk appetite?”. For me there are several reasons why I would recommend that this is done. First, it gives those completing the risk assessment guidance on what is an acceptable level of risk. If no guidance is given, the risk evaluation step becomes redundant, as the process would simply involve developing risk treatments for all risks.
Second, it provides a mechanism to support risk prioritisation in the risk evaluation step. A few years ago I conducted a risk assessment for an organisation and came up with 1,422 risks on the initial pass. If we hadn’t applied the risk appetite, every one of those risks would have needed a treatment plan, clearly an unworkable situation. Having applied the risk appetite, we were at least able to focus on the top 400 risks, relying on existing controls to manage the remaining risks that were deemed acceptable. Third, it becomes a valuable tool for sorting risk events and communicating to management those that matter to them, based on the appetite and guidance they have set.
The next challenge is how to express this appetite. I have seen it expressed in two forms. One is within the risk policy itself, where broad guidance is provided on what is an acceptable level of risk. This alone may be insufficient for some organisations and may need to be supported with specific examples, e.g. “a risk that puts our company on the front page of a national newspaper is unacceptable”. The second way of expressing the risk appetite is within the overall risk criteria table.
Some readers may be more familiar with this approach, where colours are used to express the appetite. In this format there have been some interesting variations, including a traffic light system of Red, Amber and Green, and a four-colour system in which those who felt the traffic light colours lacked granularity introduced the colour Blue. I am not going to discuss the merits of the number of colours. Suffice to say that, in addition to the traffic light or four-colour system, a description needs to be provided that expresses the meaning of each colour, e.g. Red may mean the board of directors (BOD) needs to be informed immediately. To support this statement, a timeframe within which action must be taken should also be included.
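The risk criteria table described above, and the prioritisation step from the 1,422-risk example earlier, can both be made concrete in a small script. The following is an added example written for this article, not the author’s own tool or a standard’s artefact: it encodes a four-colour appetite band (Red, Amber, Green, Blue) with a meaning and action timeframe for each colour, scores risks on an assumed 5×5 likelihood-by-consequence scale, lets a qualitative policy statement (the “front page of a national newspaper” example) override the numeric score, and then splits a constructed list of risks into those needing a treatment plan and those within appetite. All scales, thresholds, risk records and wording are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed 5x5 scoring scale; organisations define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Band:
    colour: str
    min_score: int            # inclusive lower bound of likelihood * consequence
    meaning: str              # what the colour means to the organisation
    action_days: Optional[int]  # timeframe within which action must be taken
    treat: bool               # True if a treatment plan is required


# Constructed appetite bands, ordered from highest threshold to lowest.
BANDS = (
    Band("Red", 15, "Unacceptable: inform the board immediately, treatment mandatory", 1, True),
    Band("Amber", 8, "Above appetite: treatment plan owned by senior management", 30, True),
    Band("Green", 4, "Within appetite: manage with existing controls, review quarterly", None, False),
    Band("Blue", 1, "Negligible: accept and record", None, False),
)


def band_for(score: int) -> Band:
    """Map a numeric score onto the first band whose threshold it meets."""
    for band in BANDS:
        if score >= band.min_score:
            return band
    raise ValueError(f"score {score} is below the lowest band")


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    public_embarrassment: bool = False  # policy example: front page of a national newspaper

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def band(self) -> Band:
        # A qualitative appetite statement in the policy overrides the numeric table.
        if self.public_embarrassment:
            return BANDS[0]
        return band_for(self.score)


def evaluate(risks: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Split risks into those needing treatment (highest score first) and those accepted."""
    needs_treatment = sorted(
        (r for r in risks if r.band.treat), key=lambda r: (-r.score, r.risk_id)
    )
    accepted = [r for r in risks if not r.band.treat]
    return needs_treatment, accepted


# Constructed sample register (hypothetical risks, not from the article).
SAMPLE_RISKS = [
    Risk("R-001", "Unpatched internet-facing web server", "likely", "major"),        # 16 -> Red
    Risk("R-002", "Backup restore not tested in 12 months", "possible", "moderate"),  # 9 -> Amber
    Risk("R-003", "Visitor badges occasionally not returned", "possible", "minor"),   # 6 -> Green
    Risk("R-004", "Stationery cupboard left unlocked", "unlikely", "insignificant"),  # 2 -> Blue
    Risk("R-005", "Customer data leak reported by national press", "rare", "major",
         public_embarrassment=True),  # scores 4, but policy forces Red
]


def report(risks: List[Risk]) -> List[str]:
    """Lines management would see: treatment list with colour, score and deadline."""
    treat, accept = evaluate(risks)
    lines = []
    for r in treat:
        b = r.band
        lines.append(f"{r.risk_id} {b.colour:<5} score={r.score:>2} "
                     f"act within {b.action_days}d: {b.meaning}")
    lines.append(f"{len(accept)} risk(s) within appetite, managed by existing controls")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RISKS)))
```

The point of the override flag is that the policy wording and the criteria table must agree: a risk that scores Green on the numbers but matches an “unacceptable” statement in the policy still lands in Red, which is why the article recommends expressing appetite in both places.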
This article has put the case forward for organisations to express their risk appetite. How they do that really depends on the context. However, what has worked for some organisations is to express their risk appetite both in the policy and as part of the risk criteria tables.