These two terms – “risk appetite” and “risk attitude” – are often used as a foundation for engaging in high level risk discussions. They are frequently associated with Board or executive level activities.
Risk appetite is a term from COSO’s Enterprise Risk Management – Integrated Framework. In it, they say it “is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” COSO goes further to say “Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”
Risk attitude is a term from the International Organization for Standardization’s ISO 31000 document. ISO indicates “An organization’s risk attitude defines its general approach to risk. An organization’s risk attitude (and its risk criteria) influence how risks are assessed and addressed. An organization’s attitude towards risk influences whether or not risks are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed.”
Risk appetite implies quantity. From it, I get a sense of somehow building a risk model, plugging in my data, and raising the flag if the model indicates my organization exceeds a certain level. Because of its quantitative image, it leads to guidance like E&Y’s ‘The board should ask itself: “What are our three most profitable risks?”’ To me, this question seems off the mark. I don’t think that anyone has “profitable risks”. This implies that an organization drives strategy around exploiting a particular risk rather than its strengths. Sorry, I can’t see that conversation actually taking place at any board meeting I’ve ever attended.
On the other hand, risk attitude implies an approach. I get the sense of a conversation and culture-building. This more closely matches my own experience where various attitudes toward risk taking naturally evolve from the culture. An attitude allows the flexibility to deal with complex and competing concerns. By naturally having conversations about focusing on “this” over “that”, the organization is building its risk culture as part of its overall culture. This helps an organization deal with questions in strategy setting – things like “Should we take a strategy that minimizes shareholder volatility even if it increases employee turnover?” This approach also allows risk taking to shift quickly as broader attitudes shift. For example, if an organization has just had an extremely contentious visit from a regulatory agency, the organization’s risk attitude toward regulatory compliance needs to change – right now.
For me, COSO’s “risk appetite” doesn’t feel right. Risk isn’t generally quantifiable across all parts of an organization in the sense that they seem to imply. ISO’s “risk attitude” is a more comfortable concept because it passes my ‘practicality test’. However, the overall goal of each approach is the same. The important thing is to engage your highest level management team in providing guidance, regardless of whether that guidance is primarily quantitative or qualitative.