Risk appetite is the amount of risk an organisation is willing to accept on a broad level in pursuit of value. The scope is further enlarged when viewed from an operational resilience perspective.
It reflects the organisation’s risk management philosophy and influences its culture and operating style.
Many organisations consider risk appetite qualitatively, with categories such as high, medium, or low, while others take a quantitative approach, reflecting and balancing growth, return, and risk goals.
According to COSO, it is a “guidepost” in strategy-setting. The organization’s business model provides an essential context for assessing risk appetite by clarifying its activities, customers, products, and how and in which markets it conducts business.
A thorough understanding of an organization’s business objectives, strategy and operations is beneficial when articulating the risks it chooses to accept and the risks it chooses to avoid as it creates value. As the organisation executes its operational resilience strategy, it develops and increases its exposure to uncertainty.
Therefore, business objectives and strategies provide the context for understanding the risks the enterprise chooses to undertake. Risk appetite also can set boundaries around opportunity-seeking behaviour, which impacts the entity’s objectives and strategies.
This step is to confirm the organisation's risk appetite concerning operational resilience. This involves:
Conduct a comprehensive risk assessment to identify and assess potential threats and vulnerabilities that could impact the organisation's operations.
Consider internal and external factors, such as cyber threats, natural disasters, supply chain disruptions, and regulatory changes.
This will help determine the acceptable level of risk exposure and inform decision-making regarding risk mitigation measures.
This statement should align with the overall risk appetite framework and guide decision-makers in evaluating and managing operational risks.
| Definition | Explanation | Definition | ||
| Risk Appetite |
is strategic and approved by the board; is the threshold assigned to each business & functional entity agreed upon and approved by the management is limited and transactional, with responsibilities of monitoring by each business & functional entity running from bottom-upwards. has a direct correlation to risk capital allocation is a qualitative measure. |
|||
| Risk Threshold |
is the maximum amount of risk that an organization is willing to take or withstand is a quantitative one. |
|||
| Risk Tolerance |
may be reflected differently for different objectives, including earnings variability, interest rate exposure, compliance with laws and regulations, and people's acquisition, development and retention. Related to all of these objectives are expressed differently. |
|
||
| Confirming Risk Appetite |
This blog discusses how management can perform these activities and provides the steps for confirming the risk appetite for operational resilience. |
|||
| Assess Capability and Maturity | Analyse Gap | Develop Strategy and Roadmap | Confirm Risk Appetite | Develop and Embed Governance | |
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|