Risk Appetite

A few days ago I was discussing with a colleague the concept of “risk appetite” and how, depending on it, organizations and individuals can make one type of decision or another under the same circumstances.
Risk is an inherent part of life and business. Every decision we make carries with it a certain level of risk that we must assess. But why do some people make one type of decision and others another under the same circumstances? What drives one person to invest in the stock market or cryptocurrencies and another in guaranteed funds? Risk analysis and risk perception are responsible for this.

Risk appetite is the amount of risk a person or organization is willing to accept in order to achieve its objectives. It is a measure of the level of uncertainty they are willing to manage. For example, a start-up company may have a high risk appetite, willing to take significant risks for the possibility of high rewards. On the other hand, a well-established company might have a lower risk appetite, preferring to take fewer risks to maintain its current market position. In the business world, risk appetite is a strategic decision that varies from one organization to another. Similarly, a single, young, childless person will be more likely to switch to a job in a new startup than a person already established in a job and with a family to support. Their risk appetite is different.

Closely related to risk appetite is the better-known concept of risk management. Risk management is the process of identifying, assessing (quantitatively and qualitatively) and prioritizing risks, followed by the coordinated and cost-effective application of resources to minimize, monitor and control the probability or impact of the risk. In organizations, these threats, or risks, can come from a wide variety of sources, such as financial uncertainty, legal liabilities, strategic management errors, accidents or natural disasters.

The relationship between risk appetite and risk management is that risk appetite defines the limits within which an organization or individual is willing to operate in terms of risk, while risk management is responsible for implementing strategies and actions to stay within those established limits. In other words, risk appetite sets the overall framework, and risk management is responsible for operationalizing and controlling risks within those predefined limits.

The risk management process

Risk management is not a one-time action, but an iterative process. Typically, the steps involved are as follows:

  1. Risk identification: This involves the recognition of potential sources of risk that could affect the organization. It is a task for everyone in the organization; everyone can identify risks at different levels.
  2. Risk assessment: Once the risks have been identified, they are assessed to determine their potential impact on the organization. It is very important that all risks are evaluated in the same way, following the same scale, so that they can be compared. Risk assessment tools, such as risk matrices and fault trees, can help organizations visualize and quantify risks. The risk matrix is widely used in this step. It is a table in which the importance of a risk is defined by setting the likelihood of its occurrence against the severity of its consequences. Each organization must define what each level means for it; for example, a low likelihood can be defined as “occurring once every 10 years”. Having a definition for each level gives a more homogeneous assessment across risks.
  3. Risk mitigation: Once the risks have been detected and their impact assessed, strategies are developed to manage the risks and avoid or reduce their impact. Strategies may include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, or accepting some or all of the consequences of a particular risk (depending on appetite).
  4. Risk review: This is an ongoing process in which the organization periodically reviews and revises the risk management plan based on new risks, changes in risk or the effectiveness of mitigation strategies.

Figure: Numerical Risk Matrix

Even when measures have been taken to reduce or eliminate the inherent risk, some level of risk always remains; this is called residual risk. Residual risk can be defined as the level of risk that remains after control measures have been implemented to mitigate hazards in the workplace or in a specific situation. The organization (or the person assigned the risk) must be willing to assume that residual risk.
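To make the numerical risk matrix from step 2 and the residual-risk point above concrete, here is a small worked example in Python. It is added here and is not code from the original post. The likelihood and severity scales, the score bands, the sample risk register, the effect of each control and the appetite threshold are all constructed for illustration; a real organization defines its own anchors, which is exactly what makes scoring homogeneous across assessors. Inherent score is likelihood times severity on a 5x5 matrix, controls lower one or both axes to give the residual score, and each residual score is compared against the band the organization is willing to accept.

```python
"""Worked numerical risk matrix with residual risk and an appetite check.

Added example, not from the original post. Every scale, band, sample risk,
control effect and appetite threshold below is constructed for illustration.
"""
from dataclasses import dataclass

# Organization-defined likelihood scale (1 = lowest). The textual anchors are
# what lets different assessors score the same way.
LIKELIHOOD = {
    1: "rare: expected once every 10 years or less",
    2: "unlikely: once every few years",
    3: "possible: about once a year",
    4: "likely: several times a year",
    5: "almost certain: monthly or more often",
}

# Organization-defined severity scale (1 = lowest).
SEVERITY = {
    1: "negligible: no measurable business impact",
    2: "minor: contained within one team",
    3: "moderate: service degradation noticed by customers",
    4: "major: regulatory reporting or significant financial loss",
    5: "critical: threatens continuity of the business",
}

# Constructed bands over the likelihood x severity product (1..25).
BANDS = [(1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical")]


def band(score: int) -> str:
    """Map a 1..25 matrix score to the organization's band label."""
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the 5x5 matrix")


@dataclass
class Risk:
    name: str
    likelihood: int
    severity: int
    # How many levels the chosen controls remove from each axis (constructed).
    control_likelihood_delta: int = 0
    control_severity_delta: int = 0

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError("likelihood and severity must be on the defined 1..5 scales")

    def inherent_score(self) -> int:
        return self.likelihood * self.severity

    def residual_levels(self) -> tuple:
        """Levels after controls. A level never drops below 1: residual risk is never zero."""
        lik = max(1, self.likelihood - self.control_likelihood_delta)
        sev = max(1, self.severity - self.control_severity_delta)
        return lik, sev

    def residual_score(self) -> int:
        lik, sev = self.residual_levels()
        return lik * sev


def within_appetite(score: int, appetite_band: str) -> bool:
    """True when the score's band is at or below the band the organization accepts."""
    order = [label for _, _, label in BANDS]
    return order.index(band(score)) <= order.index(appetite_band)


def prioritize(risks, appetite_band: str):
    """Rank risks by residual score (highest first) and flag those still above appetite.

    Returns a list of (name, inherent_score, residual_score, band, accepted).
    """
    rows = []
    for r in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        res = r.residual_score()
        rows.append((r.name, r.inherent_score(), res, band(res), within_appetite(res, appetite_band)))
    return rows


# Constructed sample register; names and numbers are illustrative only.
SAMPLE_RISKS = [
    Risk("ransomware on file servers", likelihood=4, severity=5,
         control_likelihood_delta=1, control_severity_delta=1),   # patching + tested backups
    Risk("loss of a single laptop", likelihood=5, severity=2,
         control_severity_delta=1),                                # full-disk encryption
    Risk("office flooding", likelihood=1, severity=4),             # accepted without treatment
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS, appetite_band="medium"):
        print(row)
```

With a "medium" appetite, the ransomware entry stays at "high" (residual 3 x 4 = 12) even after its controls, so it is flagged for further treatment or an explicit acceptance decision by whoever owns the risk; the other two fall within appetite. Because a level is floored at 1, no amount of control drives a score to zero, which is the residual-risk point in prose form.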

Risk management frameworks, such as the one proposed by the International Organization for Standardization (ISO 31000:2018, Risk management), provide a structured approach to risk management. In the case of the ISO framework, the steps included are: establish the context, identify the risks, analyze the risks, assess the risks, treat the risks, and monitor and review the risks. Although there may be slight differences in nomenclature, almost all frameworks cover the same steps during the process.

Effective risk management requires a culture of risk awareness and a commitment to continuous improvement. Organizations should establish clear risk management policies and procedures, provide training and resources to employees, and periodically review and update their management strategies.

By understanding risk appetite, implementing a structured risk management process and conducting regular assessments, organizations can make informed decisions and plan for the future with greater confidence. It should be remembered that the goal is not to eliminate all risks; that is impossible. The ultimate goal is to manage risks in accordance with risk appetite and business objectives.