5 Ways to put Risk Appetite into action

An organization-wide risk appetite can be a powerful statement that gives your risk or compliance program direction.  However, like any policy, risk appetite without accompanying action is nothing more than an idea.

So how do you give your risk appetite teeth?  How do you make it an actionable guide for your organization?

Here are five recommendations to put your risk appetite into practice.

1. Translate risk appetite to the process level.

Every day your front-line managers are making operational decisions about risk, far from your risk appetite policies.  This is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.

To successfully implement your risk appetite you need to identify and set risk tolerances at this level of operations; at the front-line process level.  This will allow you to connect front-line decisions with your overall risk appetite and determine which processes are out of range.

2. Set and measure risk tolerances around root causes analysis.

Setting risk tolerances around front-line processes isn't enough to truly put your risk appetite into action. You also need to be monitoring root causes of risk at this level.

For example, say your risk appetite sets a low tolerance for customer dissatisfaction and as a goal you aim to increase customer satisfaction.  You could set goals for a particular customer satisfaction survey.  However, this metric doesn't offer any actionable solution to improve customer service.

Instead, go to the root causes of customer dissatisfaction with metrics such as call wait time, email response time, or case volume.  Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.

3. Risk metrics need to be forward looking.

Another problem with our customer service survey comes from the time to it takes to compile responses and analyze aggregated results just to be able to make a decision.  With a survey you'll always be acting on customer impressions from last month as an effect of last year's policies.

Instead, your metrics need to be looking to the future.  Back to our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization.

4. Standardize your risk metrics enterprise-wide.

Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.

Using our customer service metrics again, re-opened cases might a good root-cause metric, but it's not comparable over time or across products as the number of total customers will vary.  Instead measuring the percent of re-opened cases may be a more meaningful metric as it's value is independent of customer volume and is thus comparable both over-time and across silos.

5. Align your risk tolerances with your strategic goals and business model.

Risk tolerances will naturally develop from your overall risk appetite, but they also need to be in line with your organization's goals.  Your organization might define a very low tolerance for customer dissatisfaction, but if you're attracting lots of high cost customers, then this policy isn't in line with a discount business model.

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will both improve risk mitigation effectiveness and contribute to achieving your strategic goals.

To see the power of these recommendations in action, see our video "Streamlining Governance with ERM".

Votes: 0
E-mail me when people leave their comments –

Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his precinct abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community


  • Steve, people might be interested in the discussion of risk appetite at http://normanmarks.wordpress.com/2011/04/14/just-what-is-risk-appet...
  • Just based on my experience, risk tolerance is also a function of patterns of decisionmaking.

    Hence the mindset of the Board or so-called group think can be at play without them even realising it. Recently in SA there have been a number of companies that got found guilty of competitive behavior by the Competition Commission and penalised heavy. They made anti- competitive decisions without perhaps realising the fact.

    We also find in crisis situations that there is not always a grasp for doing the unthinkable like apologizing and accepting that the organisation is guilty or that you can win ain court of law, yet lose in a court of public opinion.

    Risk tolerance can also be a problem if there is not adequate stakeholder profiling and understanding that stakeholders are volatile and that the dynamics of issues needs constant guarding and exploration. Some may regard perceptions without the impetus that they need, only to discover that so-called storm in the teacup can become a war in itself.

    Like Communication, Risk is also the sharing of meaning. Risk tolerance can therefore also be a function of adequate communication and risk awareness and analysis.

    We are all biased. Having been involved in OD, Reputation and media training over the years I can sufficiently say that everyone is biased, because of their own mental "cages" that contain life experiences, knowledge, feelings and emotions. Bias, like beauty, is often in the eye of the beholder and because of that every person's 'truth' is different as each of us encode and decode information differently.

     All of us encode and decode information within a context. All of us have our own mental cages - information is thus filtered through the mental framework of our attitudes, our knowledge and our mood. Understanding this and because everyone's 'cage' is different, people can see the same information and draw different interpretations.

    Differing thoughts and opinions are absolutely vital for a dynamic list or any committee. We of all people should encourage dialogue and debate. Language and the choice of words can be just as damaging in influencing risk tolerance – your statement of regarding one level, affecting another level.

    I am always keen on using your not normal what if techniques in situations like deciding about risk. We often tend to put it through batteries of accepted techniques instead of looking at tipping points, black swans and off the wall techniques.

    I am reminded of the quote by Dante "the hottest places in hell are reserved for those who in a period of moral crisis maintain their neutrality."  I say - Let the inferno begin!


This reply was deleted.

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!