Risk Appetite vs Risk Attitude

These two terms – “risk appetite” and “risk attitude” – are often used as a foundation for engaging in high level risk discussions. They are frequently associated with Board or executive level activities.

Risk Appetite

This is a term from COSO’s Enterprise Risk Management – Integrated Framework. In it, they say it “is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” COSO goes further to say “Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”

Risk Attitude

This term is from the International Organization for Standardization’s ISO 31000 document. ISO indicates “An organization’s risk attitude defines its general approach to risk. An organization’s risk attitude (and its risk criteria) influence how risks are assessed and addressed. An organization’s attitude towards risk influences whether or not risks are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed.”

Differing implications

Risk appetite implies quantity. From it, I get a sense of somehow building a risk model, plugging in my data, and raising the flag if the model indicates my organization exceeds a certain level. Because of its quantitative image, it leads to guidance like E&Y’s ‘The board should ask itself: “What are our three most profitable risks?”’ To me, this question seems off the mark. I don’t think that anyone has “profitable risks”. This implies that an organization drives strategy around exploiting a particular risk rather than its strengths. Sorry, I can’t see that conversation actually taking place at any board meeting I’ve ever attended.

On the other hand, risk attitude implies an approach. I get the sense of a conversation and culture-building. This more closely matches my own experience where various attitudes toward risk taking naturally evolve from the culture. An attitude allows the flexibility to deal with complex and competing concerns. By naturally having conversations about focusing on “this” over “that”, the organization is building its risk culture as part of its overall culture. This helps an organization deal with questions in strategy setting – things like “Should we take a strategy that minimizes shareholder volatility even if it increases employee turnover?” This approach also allows risk taking to shift quickly as broader attitudes shift. For example, if an organization has just had an extremely contentious visit from a regulatory agency, the organization’s risk attitude toward regulatory compliance needs to change – right now.

For me, COSO’s “risk appetite” doesn’t feel right. Risk isn’t generally quantifiable across all parts of an organization in the sense that they seem to imply. ISO’s “risk attitude” is a more comfortable concept because it passes my ‘practicality test’. However, the overall goal of each approach is the same. The important thing is to engage your highest level management team in providing guidance regardless of whether it’s primarily quantitative or qualitative.


2 thoughts on “Risk Appetite vs Risk Attitude”

  1. Robert Barker says:

    Mr. Schrock, I enjoy your essays, especially the way you weave meaningful analogies into the often dry words of an important concept, and express so many worthwhile thoughts in a succinct manner.

    I’m writing for two additional reasons, to comment on the E & Y risk management “slogan” mentioned in this sentence (immediately following), and to seek permission for sharing your documents. “Because of its quantitative image, it leads to guidance like E&Y’s ‘The board should ask itself: “What are our three most profitable risks?”’ To me, this question seems off the mark. I don’t think that anyone has “profitable risks”.”

    I’ve known and worked, as an accounting faculty member, with E & Y people for many years, and had heard the “slogan” you quoted. However, I had a different reaction to it. To me, the “slogan” was a succinct and slightly off-target way of saying that Boards should not focus on the risks under every “rock” of their operations but instead on the risks under the 3 largest “boulders” of their operations. Since I work for an organization that never met a risk (large or small) they wouldn’t try to eliminate, I’m especially sensitive to the concept of picking your risk battles.

    I’m semi-retired but still teaching accounting to sophomores. They seem particularly ripe for career advice and I found your summaries of Good to Great very readable, while rich with good career perspective. Do you mind if I share your essays with my students, giving credit to both you and Mr. Collins of course?

    • Mr. Barker: Thank you for your note. You certainly have my permission to share my writings with your students. My overriding goal is to contribute to a complex topic in a way that its essential value becomes more evident and, ultimately, more practical. And, I appreciate your insights on the E&Y quote.
