How to Perform ESG Audits: A 5-Step Checklist
Companies are playing closer attention to environmental, social, and governance than ever before. Here's how to perform ESG…
For all organizations, taking on risk is an accepted outcome of doing business. Most organizations proactively seek to reduce risk and minimize its potential impact through the process of risk management. While some risks are necessary and can drive positive business outcomes, others can lead to negative impacts such as operating errors, poor strategic decision-making, accidents, potential legal exposure, financial uncertainty, or natural disasters. Organizations must accept that not all risks are avoidable, but they do have control over the scale and scope of risks they are willing to take.
Making this conscious decision about how much risk an organization is willing to take on is known as its risk appetite.
What is Risk Appetite?
PwC defines risk appetite as “an articulation of the tolerance levels for risk, that an enterprise is prepared to accept in the execution of its strategic and business objectives.” When an organization puts in place a risk appetite framework, it guides decision-makers to consciously recognize the risks and acknowledge the potential exposure that corresponds with their chosen strategy or operations.
A risk appetite framework is defined by how the organization views the relationship between risk and reward. An organization with higher risk appetite is essentially willing to accept higher uncertainty and greater volatility in exchange for potentially greater growth or profit. In contrast, an organization with a lower risk appetite is relatively more risk-averse, prioritizing stability or lower growth over market or operating volatility. Although risk appetite is organization-specific, it may also be informed by regulatory or legal requirements. Banks or insurance companies, for instance, must operate within risk parameters defined by regulatory bodies.
To effectively deploy a risk appetite framework, an organization must adopt an agreed risk measurement and risk scoring methodology, as well as a common risk language, in order to be consistently understood and applied throughout the organization.
What is Risk Tolerance?
Once an organization determines its risk appetite, it must identify the various risks it is facing and decide its risk tolerance. Risk tolerance represents the specific maximum risk that a company is willing to take for each type of risk. Risk tolerance defines the boundaries within which the firm is comfortable operating given its overall risk appetite. An organization must consider the various risks it faces including financial, operational, credit, third-party, information security, compliance, and legal risks and decide how much of each it is willing to take on. Risk tolerance can be expressed through different metrics, reflecting the unique nature of each risk. It can be defined through acceptable loss, credit ratings, KPI limits, probabilistic measures, qualitative measures, or balance sheet metrics. These quantitative measures inform daily decision-making.
For example, a bank with a higher tolerance for credit risk may be willing to lend a higher amount to people or entities with lower credit ratings, taking on relatively more credit risk than a bank with a lower risk tolerance. Or a manufacturer that utilizes a global supply chain may have a higher risk tolerance for foreign exchange risk or operational risk than a manufacturer that sources their inputs domestically. A company may choose to utilize third-party vendors for specific functions, trading off some level of third-party risk in exchange for the expertise, value, and flexibility a third party brings. In these examples, the organizations are consciously deciding to take a level of risk that is within their stated level of tolerance, consistent with their strategic and organizational objectives, and, when all categories of risk are aggregated, within their risk appetite.
What is Risk Posture?
Taken together, risk appetite and risk tolerance define a company’s risk posture. Risk posture is a company’s overarching approach to risk management and a function of how embedded risk management is in its culture, strategic decision-making, day-to-day operations, capital allocation, compensation practices, and corporate governance. A strong risk posture helps companies take meaningful risks within the constraints of strategic and operating objectives.
Establishing a strong risk posture requires senior executive focus and board support to ensure accurate risk reporting, proactive management, and a consistent approach. This needs to be supported by an independent risk function, the use of a risk management platform to identify, analyze, and measure risk, and a conscious, risk-based approach to decision-making.
A well-structured risk appetite framework helps organizations consciously decide how much risk to take in line with overall business and operating strategy. The risk appetite, or acceptable level of trade-off between risk and reward, is captured through an integrated risk management framework with an agreed risk calculation and aggregation methodology, adherence to agreed risk tolerances, and a dynamic risk reporting solution. An organization with a strong risk posture will integrate risk management into its strategic positioning and daily operations, ensuring informed risk-taking is part of its culture.
