For all organizations, taking on risk is an accepted part of doing business. Most organizations proactively seek to reduce risk and limit its potential impact through the process of risk management. While some risks are necessary and can drive positive business outcomes, others can lead to negative consequences such as operating errors, poor strategic decisions, accidents, legal exposure, or financial loss, and some, such as natural disasters, cannot be prevented at all. Organizations must accept that not every risk is avoidable, but they do control the scale and scope of the risks they are willing to take.
The amount of risk an organization consciously decides it is willing to take on is known as its risk appetite.
PwC defines risk appetite as “an articulation of the tolerance levels for risk, that an enterprise is prepared to accept in the execution of its strategic and business objectives.” When an organization puts in place a risk appetite framework, it guides decision-makers to consciously recognize the risks and acknowledge the potential exposure that corresponds with their chosen strategy or operations.
A risk appetite framework is shaped by how the organization views the relationship between risk and reward. An organization with a higher risk appetite is willing to accept greater uncertainty and volatility in exchange for potentially greater growth or profit. In contrast, an organization with a lower risk appetite is more risk-averse, prioritizing stability, even at the cost of slower growth, over market or operating volatility. Although risk appetite is organization-specific, it may also be constrained by regulatory or legal requirements. Banks and insurance companies, for instance, must operate within risk parameters defined by their regulators.
To deploy a risk appetite framework effectively, an organization must adopt an agreed risk measurement and risk scoring methodology, together with a common risk vocabulary, so that risk is understood and applied consistently throughout the organization.
Once an organization has determined its risk appetite, it must identify the specific risks it faces and set its risk tolerance for each. Risk tolerance is the maximum level of a given type of risk that the company is willing to accept; it defines the boundaries within which the firm is comfortable operating, given its overall risk appetite. An organization must consider the various risks it faces, including financial, operational, credit, third-party, information security, compliance, and legal risks, and decide how much of each it is willing to take on. Risk tolerance can be expressed through different metrics, reflecting the nature of each risk: acceptable loss, credit ratings, KPI limits (for information security risk, for example, a maximum time to remediate critical vulnerabilities), probabilistic measures, qualitative measures, or balance sheet metrics. These measures, whether quantitative or qualitative, inform day-to-day decision making.
For example, a bank with a higher tolerance for credit risk may be willing to lend larger amounts to people or entities with lower credit ratings, taking on relatively more credit risk than a bank with a lower tolerance. A manufacturer that relies on a global supply chain may have a higher tolerance for foreign exchange or operational risk than a manufacturer that sources its inputs domestically. A company may choose to use third-party vendors for specific functions, accepting some third-party risk in exchange for the expertise, value, and flexibility a vendor brings. In each of these examples, the organization is consciously deciding to take a level of risk that is within its stated tolerance, consistent with its strategic and organizational objectives, and, when all categories of risk are aggregated, within its risk appetite.
Taken together, risk appetite and risk tolerance define a company's risk posture. Risk posture is a company's overarching approach to risk management and a function of how deeply risk management is embedded in its culture, strategic decision-making, day-to-day operations, capital allocation, compensation practices, and corporate governance. A strong risk posture helps a company take meaningful risks within the constraints of its strategic and operating objectives.
Establishing a strong risk posture requires senior executive focus and board support to ensure accurate risk reporting, proactive management, and a consistent approach. It must be supported by an independent risk function, a risk management platform used to identify, analyze, and measure risk, and a conscious, risk-based approach to decision making.
A well-structured risk appetite framework helps organizations decide consciously how much risk to take in line with their overall business and operating strategy. The risk appetite, or the acceptable trade-off between risk and reward, is captured through an integrated risk management framework with an agreed risk calculation and aggregation methodology, adherence to agreed risk tolerances, and a dynamic risk reporting solution. An organization with a strong risk posture integrates risk management into its strategic positioning and daily operations, making informed risk-taking part of its culture.