I have had some very interesting conversations lately with Boards, Senior Managers and Risk Managers about risk appetite. Here are some insights:
Describing what we mean by risk appetite: Risk appetite is risk speak, however, it can be easily explained. With private sector firms I tend to describe using dollars as the example - "How much capital are you are willing to risk to try and make your forecast profit?" For not-for-profits I tend to bring it back to values - "What are you willing to do to achieve your mission? What would you not do?" And for the public sector I tend to use their number one objective in their corporate plan - "What are you willing to do to achieve your number one objective? Would a few minor adverse audit findings be OK? Would you be prepared to weather the storm if the media ran with a story about your methods?"
Why risk appetite is important in risk management: I find putting risk appetite in context with how it is used when assessing risk is quite important. I use the example of crossing the road. The objective is the same, however, there is always a reason (running late for a meeting, running late for a hot date, to save your 4 year-old child from being abducted by a stranger). Your willingness to get to the other side based on your assessment of difficulty level to cross the road is an expression of your risk appetite.
Risk Appetite Statements: While risk criteria in the form of likelihood and consequence tables and a risk matrix are valuable expressions of risk appetite, staff who were not involved in the discussions that formulated them are not aware of all of the thinking behind them. Providing additional commentary on each category of risk and on the core corporate objectives will communicate a much clearer message to staff as to what constitutes acceptable behaviour.