Defining risk appetite – a major stumbling block

Others are recognizing, to various levels, what I’ve been writing about for a while. Risk management as a stand-alone activity has much less value compared to what it can provide when it’s properly integrated into an organization’s performance management activities.

I just read a paper from Professor Regine Slagmulder and Maria Boicova from the Vlerick Leuven Gent Management School. Its title is Integrating Risk Into Performance (1) with copyright by the Chartered Institute of Management Accountants.

This paper addresses their research into risk reporting to the board at a number of European companies. Many of their findings and observations are common sense; what you might expect if you’re at all  involved in risk management or working with a managing board.

There are, however, a few findings that I thought were interesting and want to address. These findings are, I believe, absolutely right but they go against the flow a bit.

The establishment of formal Risk Appetite 

Risk appetite is a formal concept within risk management. The idea behind it is that the level of risk in any endeavor is neither too high nor too low by a purely objective assessment. It is only too high or too low when compared to the level of risk that management believes is appropriate. This appropriate level of risk is often referred to as “risk appetite.”

This study found that most companies are “at the lower end of the spectrum” when it comes to formally defining risk appetite. In other words, they found that companies do not necessarily make a big effort to formally define an all-encompassing level of risk that is appropriate for the organization. Certainly my experience indicates that this is true. The issue, though, is the reason behind this. Often, this situation is bemoaned as a failing of organizations to step up and address risk management correctly. I’ve always disagreed on the grounds that risk appetite, while it may be a foundational concept, is far from the starting point when an organization actually implements risk management. In fact, early in a project, it often is an unnecessary stumbling block.

This study indicated that in “those companies that favoured a more integrated view on risk, the attitude towards formalisation of risk appetite remained fairly reserved.” The key, here, is the reference to an integrated view of risk. The report goes on to say “One potential reason could be that companies might prefer to stay flexible and adjust their risk appetite based on the particular project and/or strategic initiative at hand …”.

Since flexibility is extremely valuable when starting up any new and unfamiliar endeavor, it follows that formal establishment of a risk appetite at the early stages of risk management implementation may be detrimental to success.  It simply adds too much rigidity to the project at a point when not only are the unknown variables too great, but the process itself is often poorly understood.

To be clear, risk appetite is not irrelevant. But the term, itself, implies rigidity. I like ISO’s phrase “risk attitude” better. I believe that it more correctly references the real need – to align human action with certain ideals.

There are some other good points in this study that I’ll address in my next post.