Brydie Morris

What is risk appetite?

Risk appetite is used by organisations to drive decision-making, understand the extent of controls needed to manage risks, and assess how to take advantage of opportunities. It represents the level of risk an organisation is willing to accept to meet its goals. It differs from risk tolerance, which is how far an organisation is willing to let a risk move from its acceptable level (as determined by management).

How do you set risk appetite?

To set your appetite for risk, you need to first understand and document what risks you have (our Risk management – where do we start? blog runs through this process). Once these are well understood, you can make an informed decision on how much risk you are willing to accept in an area. It’s important to consider the following when setting your risk appetite:

1. Who helps set the risk appetite?

It’s important for many areas of the organisation to be involved in the process of setting your risk appetite. People who manage the day-to-day processes, the risk owners, the risk management team, and executives should all work together on this. They should understand how risks in one area affect the others and agree on the appropriate appetite and tolerance. Those charged with governance should question and challenge the proposals management puts forward to ensure they understand and endorse the decisions.

2. Some risks must be managed differently.

You can apply a higher risk appetite to certain risks if the consequences of the risk are not significant. For example, some public sector entities may have a higher appetite for risks relating to financial loss from certain events, as they are obliged to provide services and infrastructure that the private sector may not choose to. However, where there is a risk to human life, health and safety, or a requirement under legislation, such risks must be managed to a defined level. This can be expressed either as the lowest possible appetite, or using a methodology such as ‘as low as reasonably practicable’.

3. How do you set the remaining appetites?

Where you have discretion to set your appetite, informed by the views of management and those charged with governance, it’s important to consider:

  • strategy, and how these risks may help (or hinder) achieving it – for example, a strategy to grow a new service may mean taking a higher appetite for errors or incidents as the service is ramped up
  • your organisation’s resources to prevent the risk, and what additional resources would be needed to lower your risk
  • whether the appetite level you are considering would negatively impact other objectives or goals of your organisation – does a bit more risk need to be accepted to avoid risk elsewhere? In the example above, a very low or nil appetite for errors may result in people not feeling able to innovate or propose new services in the first place. This may lead to missed opportunities for new services or changes to existing services
  • what can be used to monitor the risk and any changes – if there are fewer indicators of the risk changing, the appetite may need to be set conservatively to minimise it moving out of tolerance (or new measures may be needed to help monitor the risk). Examples of indicators typically available include customer complaint reporting, service level compliance reporting, incident reporting, staff pulse survey results, and financial analysis (such as budget vs actual reporting).

Monitoring risk appetite

Setting your risk appetite is only one step of the process. It’s important to continue monitoring where the risk sits (to see if it’s in or out of appetite), and to regularly refresh and check if the appetite itself is still appropriate. Indicators that appetite may need to change include:

  • internal change – system changes/implementations, key personnel changes, restructures
  • external change – machinery of government changes, other legislative or regulatory changes, economic or geopolitical changes (for example, changes in inflation or risks of trading with certain partners)
  • strategic change – to the nature of operations, goals, policies, or objectives.

Any or all of the above can change what an organisation plans to do. It’s important to reassess how your systems, processes, and people relate to your risks, and whether your appetite and tolerances have changed.

Once you have defined your risks and appetites, you can then move on to controlling and monitoring your risks. We will discuss this in our next blog on risk, covering risk control and treatment.
