You're reading...


Risk appetite – a bad idea

It’s a truism that you can’t do anything – or even nothing – without taking risk.  This is an important issue for all organisations, but the discussion of what risk to take has become unnecessarily obscured.  Specifically it has become bogged down in the unhelpful concept of ‘risk appetite’ and this has added to the fog of ill-defined and misdirected thinking which plagues risk management.

This website aims to take a more direct and natural approach to helping organisations understand and manage the nature and extent of risk they are exposed to, in the words of the UK Corporate Governance Code.  The way forward is deferred to a different article.  First of all I want to identify in some detail the misleading and unhelpful nature of the risk appetite concept.  This is supported by a number of reviews of some existing work in this area.

My starting point is that you will inevitably be exposed to risk to meet your organisational objectives.  It’s not something you want, but it’s a fact of life.  What is not relevant to organisations (as opposed to individuals) is any sense of risk seeking.  The level of risk is not something that can be dialled up at will and there is no such thing as a risk appetite in the sense that you actively seek to be exposed to some level of risk.  In practice the objectives may impose a level of risk that is unacceptably high in which case you change the objectives (by going into a different business, for example).

A better paradigm for organisational risk taking is risk and reward, familiar from economics and finance.  Here the idea is that your available options for action will result in a cloud of points in the risk reward diagram, but that this contains an efficient frontier: there is a minimum level of risk which must be taken in order to gain a given reward.

The extent to which you can control risk is limited to selecting among the options which lie along the efficient frontier.  A simpler version of this will be familiar to anyone who has been questioned by their IFA about their risk appetite.  You answer a few questions and this enables the IFA to recommend a portfolio which meets your needs. It is assumed that the efficient frontier comprises some mixture of equities, bonds, commodities, or what ever.

You can see how this sparks off the ‘risk appetite’ idea but you can also contemplate how limited the choice of risk exposure is.

 You can then combine this with the idea of the risk seeker – the person who enjoys experiencing risk situations – and actively puts themselves in positions where risks have a higher chance of materialising.  This could be the mountaineer where the adrenaline experience of the risk of falling and death outweighs that risk that that actually happens.  Or it could be a trader enjoying the thrill of putting billions of other people’s money at risk.  But this idea has no place in organisational risk taking.  And because of the ‘risk appetite’ concept tends to lead you in false directions.

For example you can develop the idea of risk appetite by analogy with appetite for food.  This is discussed in the RARA model review.  It doesn’t help.

The phrase ‘risk appetite’ also tends to lead from ideas of how much risk we have to take to how much risk we want to take.  This is the key error.  People recognise the error bur persist in making it, see, for example the IRM definition of risk appetite.  From this you can go to the defining the level of risk you want and you get to diagrams like the one on the left.  As should be obvious, such levels cannot be set in a vacuum.

This in turn sets a train of thought going that is also of little use: that of a tolerable risk level.  Most documents develop the idea that your risk appetite is somehow constrained to lie comfortably within some outer limit of risk beyond which you really cannot go.  But the definition of the tolerable level varies greatly.  For example COSO simply defines the tolerable level (or tolerances) to be a quantified implementation of a qualitative appetite.  Other models claim to set outer levels of risk which are actually levels of performance.  That is, the probability of suffering consequences beyond these levels must be zero.  Yeah, right.

The original idea of risk tolerability was developed in the context of nuclear safety.  Frank Layfield, the Inspector at the public inquiry into the Sizewell ‘B’ nuclear power station, challenged the HSE to develop risk criteria based on the idea that society only tolerates risks to health and safety; it does not accept them (the word that had previously been used).  The HSE responded by setting levels of risk which would represent the limit of tolerability (a neologism at that time).  These limits were genuine risk levels, phrased in terms of the (non-zero) probability of death.

Since then the tolerance concept has been widely and inconsistently abused in other contexts, and especially when people start talking about ‘risk appetite’.  ‘Risk tolerances’ are as unhelpful as ‘risk appetite’.

However what is useful is to think about indicators of risks materialising, KRIs as they are sometimes known.  The financial community has done sterling work in identifying KRIs and associated trigger levels.  This train of thought would be very useful in other sectors and ought to be followed up.  The finance people call it the risk appetite though, which is not a good idea: KRIs should not be confused with risk.

Once you start thinking about how much risk you want to eat you start to focus unhealthily on measuring risk.  You start thinking there are objective measures of the risk you are exposed to and that you propagate safe risk decision making up and down the organisation by stipulating quantitative risk levels.  Even if people were not absurdly unimaginative in thinking through how risk events might play out, the fundamentally subjective nature of probability would put paid to that.  I’ve written about this in many other places.  I just want to emphasise that our difficulties in measuring risk are down to our laziness, as the IRM suggests, but are due to the inherent difficulty of the exercise.

This in turn leads to the risk appetite statement which is the centrepiece of much of the work.  This encapsulates, roughly speaking, the idea that the queen bees at the top of the organisation communicate rules on risk appetite to the drones at the bottom.  It is a convenient idea that such rules should be articulated in terms of the amount of risk (as in the IRM definition).  This attractive fiction (to queen bees, who love to spout about how they need things to be simple, measuring and managing, and so on) is a theoretical foundation for much writing on risk appetite, which tends to run into the sand when it comes to realistic and credible examples of risk appetite statements.  You won’t find much that is helpful in the documents reviewed.

Finally it is worth recognising one fundamental truth about risk decisions: it is the top people who take the big risks.  They do it on a case by case basis.  They don’t need a generic policy to tell them how to do this.  Obviously.  The role of the risk statement is to stop the organisation taking on big risks through the bottom people.  This creates the need for the ‘risk appetite’ statement or whatever you want to call it.  It is clear that should be communicated to a large extent via the controls which are expected to be exerted.  This was what I noted further up.  I have criticised the IRM guidance on risk appetite extensively, largely for the obscure way it is written rather than objections to the content.  And this is a very important contribution from the IRM (if I have understood the terms propensity for risk and propensity for control correctly!).  As the risk appetite statement is communicated into the organisation it is primarily about risk control rather than risk taking.

Of course it is pretty plausible that a policy on risk taking is a good idea for an organisation.  It is this that I shall talk about in more detail in the accompanying article.  Just don’t call it a risk appetite, a poorly defined concept with inconsistently defined supporting ideas, unrealistic assumptions about measuring risk and unrealistic expectation about how much risk you might have to suffer.  In fact try not to make up any convenient-sounding terms which serves to complicate and confuse.  But do expect to focus on how risks are controlled.

Print Friendly