Developing, Defining and Quantifying Your Risk Appetite

August 7, 2020

Effective risk management is critical to the success of any organization, especially during times of uncertainty. In order to make informed decisions within their risk appetite, leaders often rely on their risk teams to identify and assess emerging risks. However, many organizations struggle with developing clear and actionable risk appetite statements and face challenges such as inconsistent definitions and unclear governance structures.

Quantifying risk appetite is an essential part of this process. Risk statements that are clear, concise, and actionable are critical to getting employees, customers, the Board of Directors, the C-suite, investors, and regulators aligned. By quantifying risk appetite, organizations can make informed decisions about how much risk to take on and how to balance their risk and reward.

To dive deeper into this topic, we hosted a session with RIMS, Leeanne Barnes, Director of Enterprise and Operational Risk at Ontario Teachers’ Pension Plan, and Devi Mohan Das, Senior Manager of Risk Consulting at KPMG Canada. In this session, we focused on strategies to help risk teams:

In the following sections, we will delve into their expertise and experiences and extract practical tips and best practices for developing and implementing a risk appetite statement that can be quantified. Whether you’re a seasoned executive or a newcomer to the world of risk management, this article will provide valuable information to help you navigate the complexities of risk management and optimize your risk-taking strategy.


Understanding risk appetite: What does it mean, really?

Quantifying risk appetite means determining the level of risk an individual or organization is willing to accept in pursuit of their goals. It is a critical concept in risk management and can vary significantly between different entities.

It’s important to note that risk appetite is distinct from risk tolerance. While risk appetite refers to the willingness to accept risk, risk tolerance refers to the level of risk that an individual or organization can handle without compromising their objectives. For example, a person with a high risk appetite may be willing to invest in a speculative venture, while someone with a low risk tolerance may prefer a safer, more conservative investment strategy.

When developing a risk management strategy, it’s crucial to consider both risk appetite and risk tolerance. By understanding these factors, organizations can make informed decisions about how much risk to take on and how to balance their risk and reward.

What are some common misconceptions and challenges around risk appetite?

There are many misconceptions and challenges around quantifying risk appetite. A few of the most common ones that we’ve heard from customers include:

  • Inconsistent definitions of their risk appetite
  • Unclear governance structures around who is responsible and accountable across your organization, from business units to the board level
  • Lack of framework methodology to develop risk appetite
  • Inability to communicate risk appetite throughout the organization
  • Lack of monitoring mechanisms for risk appetite

Expert advice on quantifying risk appetite

This engaging, in-depth session raised excellent questions about risk appetite statements and practical use cases that attendees could apply in their organizations. We asked our panelists to continue the conversation and answer some of the most common questions that we received.

Are risk appetite metrics the same as Key Risk Indicators?

Leeanne Barnes: We think about Key Risk Indicators (KRIs) as metrics to monitor specific risks and tolerances. At Ontario Teachers’ Pension Plan, each KRI rolls up to support the broader risk appetite of the organization. A Risk Appetite Metric is usually a much higher level, similar to monitoring an enterprise limit, as an example. The way that we have developed the taxonomy at Ontario Teachers’ Pension Plan is that KRIs are mid-level metrics to monitor various aspects of enterprise risk. We establish tolerances (i.e. green, amber, red) to determine what is acceptable versus what is above tolerance for that specific metric. We try to leverage existing data to build these KRIs.

What role does policy development play in embedding risk appetite?

Leeanne Barnes: Great question, it is a big role. Policies ultimately reflect the amount of risk an organization is willing to accept, and adherence to the policies embeds risk appetite in the organization. For example, if an organization has a very low risk appetite for the health and safety of their people, then their training policies, operational practices, and reporting would reflect that. Policies ultimately reflect the culture and the risk appetite of the organization. If those things are not aligned, then there will be a lot of work to do.

What is the importance of developing the annual risk context prior to developing the risk appetite statements?

Leeanne Barnes: Assuming risk context is similar to a business environment assessment, it is a super important component to both your risk and strategy discussions. An organization needs to understand the context in which they are operating, and be able to answer the question “do we need to take more or less risk in certain cases to achieve our objectives and strategy?” Understanding the internal and external landscape is key.

Do you include both threats and opportunities under the concept of risk?

Leeanne Barnes: Absolutely. Risk is not only about managing the downside but also understanding and making decisions regarding the upside. A good example of this is disruptive technology. There may be risks based on an organization’s current platform, or there could be a competitive advantage as the organization undergoes modernization and harnesses that momentum to lead change and shake up the industry.

How do you relate risk appetite to risk acceptance (need for a risk acceptance framework)?

Leeanne Barnes: At Ontario Teachers’ Pension Plan we leverage the well-defined management governance structure to support risk acceptance. With defined roles and accountabilities as well as decision authorities, it is clear how risk is accepted or not. We do not have a separate framework; it is embedded into everything we do and at various levels. We also have escalation built into the governance framework in case we need more voices at the table.

Devi Mohan Das: Risk appetite and risk acceptance mechanisms should ideally be featured as key components of the organization’s overall ERM framework. Once the organization has identified and set their risk tolerance across their risk index, they can go on to consider their risk acceptance.

Can you give some tactical examples of how you’d integrate risk into the strategy and decision-making process?

Leeanne Barnes: This is a great question and one that we have spent a lot of time on over the past couple of years. First, be sure that you know the timing of the various discussions and make sure that the risk work is done in advance of the strategy work. This way, risk becomes an input into the overall strategy. Through Enterprise Risk Management we focus on the most important risks to achieving strategy and work with the organization to determine priorities and potential shifts that we need to make. This allows us to validate the business environment, which is a key input into strategy discussions. I would also suggest building strong relationships between the two teams.

Do you have any guidance on industry standards for certain KRIs/tolerances to set when the board needs guidance on what is appropriate for the business? For example: what percent of capital might be a reasonable amount to put at risk for a 1 in 250-year insurance event? What are appropriate qualitative measures to be concerned about in terms of our operational risk?

Leeanne Barnes: Unfortunately, there isn’t a clear-cut answer to this. We leverage thought leaders to help in certain cases. It’s also helpful to gain insight from peers if the information is available or if you’re able to pull together a peer group. We recommend that you have a well-understood Probability and Impact assessment scale, i.e. what are the risk categories and potential impacts the organization is most worried about? Understanding that can help to reinforce the risks that are most important to the organization and help to determine the Key Risk Indicators (KRIs) or metrics that you can leverage (internal and external data) to start monitoring the risk. KRIs are always evolving, so it will take time and you should expect to make adjustments along the way.

Devi Mohan Das: I definitely agree with Leeanne. There is no one-size-fits-all solution for setting tolerances. It is very centric to the organization, strategic objectives, risk landscape, risk culture, and risk maturity of the organization.

How do you incentivize a board of directors to invest sufficient funds to manage risk, e.g., cyber? How do you get the board to engage to build a risk appetite statement and let the organization know where the risk tolerances are?

Devi Mohan Das: The 2008 global crisis provided several examples of how boards failed to set and oversee their company’s risk appetite and tolerance. Since then, we have seen regulators emphasizing their expectation of the boards to oversee the risks, which helps to ensure alignment with management on the amount of risk that organizations are willing to take and/or accept for specific risk types over a given time. In addition to regulatory compliance, boards can also gain early warning of the risks that the organization faces on its journey ahead.

We are early in our ERM journey as an organization. Leeanne, how and when did you blend the Risk Appetite work into your wider ERM program?

Leeanne Barnes: I believe that the Board needs to be part of the risk management journey. It is helpful to share external learnings and incidents with Senior Management and the Board that can be found in the media or in an incident database. These learnings can be used to figure out if your organization could also be exposed (or not) to such an event, and what the organization’s position is. I think the evolution of risk management is definitely about making sure the right information is getting to the right people, in a meaningful way, to help them make informed decisions. Using cyber as an example, there are a lot of people who might not be tech savvy, so bringing in external advisors or conducting internal assessments of the risks and potential exposures and clearly articulating the impacts is very helpful and eye-opening. I find engaging in meaningful and easily understandable discussions goes a long way.

Regarding aligning Risk Appetite with Enterprise Risk Management, this should be done early on, at least at a high level. For us, it started with really understanding the risk categories and risk impacts, both financial and non-financial. Defining your Probability and Impact scale and figuring out which boundaries are “green”, “amber”, and “red” can help articulate risk appetite through discussions with the senior leaders / executive team. It can also highlight where there may be some differences of opinion.

How do you start developing the risk culture in a company that associates “risk” only with safety and insurance? How do you change the mindset of the people that you need to have a true “culture”?

Leeanne Barnes: Culture is a very broad concept. I would suggest starting with some smaller ambitions through objectives that the organization agrees to on how you want to shift the “risk culture” of the organization. For instance, is it education that is needed? Every year, I pick two or three ambitions to focus on. Also, integrating risk into every discussion or decision can be super helpful. Making sure risk has a seat at the table is important.

What approaches would you recommend for identifying actionable KRIs?

Devi Mohan Das: KRIs are indicators or metrics that are used to measure risks that the business is exposed to.

While identifying KRIs, organizations must:

  • Consider risk drivers/root causes, correlations, probability, and severity of risks
  • Relate KRIs to business objectives and operations as far as possible (i.e. link KRIs back to KPIs)
  • Identify fewer and high-quality indicators

How can you leverage existing KPIs to develop KRIs while avoiding duplication?

Devi Mohan Das: KRIs and KPIs are closely related in an ideal state. The KRIs should be traced to a KPI, and this would be linked to the organization’s strategic goal and objectives. This way organizations can maintain their focus on the “Top” risks.

How often should tolerance limits and indicators be reviewed/updated?

Leeanne Barnes: We like to review our KRIs and tolerances regularly, at least annually, but also as we learn and adjust.

Devi Mohan Das: Risk appetite should be reviewed annually, at the very least, to ensure that the organization’s strategic objectives and business plans are consistent with the risk appetite.

If you’re looking to improve your organization’s risk management strategies and develop a clear and actionable risk appetite statement, our team of experts is here to help. Contact us today to schedule a custom demo and learn how our risk management solutions can help you quantify your risk appetite, identify emerging risks, and make informed decisions. With our comprehensive approach to risk management, you can take a proactive approach to risk intelligence and gain a competitive advantage in uncertain times.
