Risk appetite is an essential component of any successful business strategy. It's the amount and type of risk that an organization is willing to take on in order to achieve its goals. But getting risk appetite right can be tricky, especially in today's fast-paced and ever-changing business environment. High inflation, pending recession, intense competition and the need for a strong digital strategy (customer experience, engagement and technology enhancements, new distribution channels, leveraging different ecosystems, increasing the use of data analytics and establishing digital metrics and measurements) are only a few of the challenges that organizations face when trying to strike the right balance between risk and reward. In this article, we'll take a closer look at what it takes to get risk appetite right and explore some strategies for managing risk in an uncertain environment.
As part of our services to clients, we have seen leaders spend considerable time on enterprise risk management (ERM): risk identification, assessment, response and monitoring activities, all tied to strategy, business objectives and performance. And while that is an important piece of the puzzle, what is sometimes lacking is enough time spent on defining risk appetite and ensuring it is understood and consistent within the organization as it aligns with strategy, mission and values. In other words, the amount of risk that an organization's leadership communicates it is willing to accept in pursuit of its goals does not always align with its actions, investments and priorities. That's where risks can emerge.
A leader states the organization has a low risk appetite for IT security risk (while recognizing cybersecurity risk as a high risk); however, investments made versus requested and projects prioritized for IT security do not align with the stated risk appetite and communication to stakeholders.
An organization has a high risk appetite to increase technological and data analysis capabilities for competitive and strategic purposes, all while not investing in the required solutions, stretching talent thin on multiple projects and cutting corners for financial purposes. These actions are misaligned to the strategy, mission, values, correlated risk appetite and business objectives.
The risk is that the company's operations will be conducted in a way that falls outside of regulatory compliance and exposes it to legal penalties. If the company's leaders have not communicated their risk appetite, it can be hard for employees to understand which activities are or are not acceptable, which can lead to costly compliance breaches.
Without clear guidelines for how much risk is acceptable, decision-makers within the company may pursue risky opportunities without fully understanding the potential downsides. This can cause financial losses, damage to the company's reputation and, in some cases, even the failure of the company.
If you are an internal audit practitioner, a regulator or a leader, take the time to revisit risk appetite at the organization. Understanding or assessing your organization's risk appetite is critical for effective enterprise risk management because it helps with:
In 2020, COSO issued guidance called Risk Appetite–Critical to Success: Using Risk Appetite to Thrive in a Changing World. Below is a high-level approach summarizing the guidance that can help organizations kick-start their processes to update and refine their risk appetites and align them with their business objectives and strategies:
Organizations make mistakes related to risk appetite when they stop at definition and alignment at the enterprise level and do not proceed with a top-down and bottom-up approach to risk appetite development, assessment and refinement.
In summary, setting and communicating risk appetite is important to ensure that the company is taking on the appropriate level of risk, which can help to prevent costly mistakes and ensure that the company's operations are in line with regulatory requirements.
How Baker Tilly’s industry and risk advisory specialists can help: