The essence of risk appetite

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.

The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organization analytically measure different types of risks and then aggregate them in some meaningful way in order to compare them to an established level? It is not illogical, it is simply not practical.

I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.

Risk is unpredictability. In some cases, you are willing to allow unpredictable results. In other cases you are not. For instance, your culture may say that you’re willing to take on risk for product development. But you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish, much less aggregate across disparate objectives, a single number to indicate how much risk currently exists across the organization. Don’t bother – it’s a meaningless distraction.

Here’s a better idea. Think of risk appetite as a conversation about the extent to which management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, ensure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPIs) for product development. These KPIs would, if defined correctly, encourage an appropriate level of risk-taking.

On the other hand, if you’re talking about management’s attitude toward product quality, ensure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must ensure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.

The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?

You can read more about Performance Risk Management at Risk Leader (


The essence of a risk management framework

In an earlier post I described risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable.

A risk management framework is a systematic way of approaching those activities. I see four main parts to an effective risk management framework:

  1. A common language. It’s important to share ideas, not just words. The words must mean the same thing to everyone; otherwise you’re sharing the words but not the underlying concepts. For example, when you use the word “risk” what do you mean? Are you referring to the concept of uncertainty or does your organization prefer to speak solely about specific risk events?
  2. A primary focus. A good framework can be adapted for a number of purposes, but it typically exists for one primary reason. My personal experience tells me that the highest and best purpose for a risk management framework is to help an organization achieve its goals in a more predictable manner. There are certain attributes of any good framework (see below) that will make it adaptable for a variety of purposes – but every framework must target a specific benefit. For me it’s the achievement of organizational goals.
  3. Abstraction. In order to make a risk management framework broadly applicable you need rules that describe which ideas are fundamentally similar and which are not. For example, your organization may traditionally use the terms “strategy” and “process” in different ways. However, for purposes of a risk framework it may be valuable to abstract these and treat them the same because they both describe the action that will be taken to accomplish some goal. In the case of “strategy”, it may be primarily a high-level plan that mostly consists of delegating to others. In the case of “process” it may be a specific activity that a single person will perform. But from an abstract view, they both represent how you will achieve a goal.
  4. Breadth and depth. A framework needs to be a road map. It should be sufficiently broad that the big picture is easily seen. But it also needs to be supported by sufficient depth and insight so that it can help us understand and take action in a detailed, complex, and often confusing real world. For example, it’s not good enough for a framework to simply define a term like “risk tolerance”. It also needs to sufficiently describe how this concept provides value in the real world to a CFO, a regional sales manager, or a production supervisor.

As I continue with these ‘essence of risk management’ posts I will share the components of a practical risk management framework. These future posts will include my recommendations for common language, abstraction, and depth in order to help everyone use this practical management tool.



The essence of risk management

This is the first in a series of posts that attempt to get to the essence of risk management. I’ll touch on various topics as they occur to me. Some of these posts will be on broader topics like this one. Others will be on very specific points that help you implement these concepts. As time goes on I hope to amass a series of short thought-pieces that help bring together a rather complicated subject.

The key word, of course, is “risk”. Risk is a synonym for uncertainty. It’s unpredictability. Risk is the uncertainty of whether you’ll safely cross a busy street. Risk is the uncertainty of your body’s reaction to medication. Risk is the uncertainty of investing your money and getting the hoped-for return. Risk is the uncertainty of a strategic initiative delivering the expected results. Risk is the uncertainty of your town’s first responders arriving at a fire in time to prevent a catastrophe. Risk is the uncertainty of your sports team winning today.

This topic – the first one – is on risk management in general. Let’s start with the big question. What is risk management?

To answer that question, I will first avoid recapping all of the authoritative descriptions. Many of the definitions and explanations lead to over-complication. I prefer to keep it simple. As a business person, my point of reference is always centered around organizational results. In that context, risk management is very simple. It is the group of organizational activities that try to improve results by making the unpredictable a little more predictable. It’s that simple.

Managing risk is simply taking steps to make each goal a little more certain. Whether it’s crossing a busy street, taking medication, or any of the other examples mentioned above – risk management consists of those activities that reduce uncertainty to help you get what you want and avoid what you don’t want.

With this understanding of risk at its simplest and most fundamental level, I will explore the essence of specific parts of risk management in future posts.