What is risk appetite?
Within the risk management of a company, the need arises to establish the risk appetite that will decisively influence the achievement of the objectives defined by the organization.
The most widespread definition of risk appetite is defined as the amount and type of risk that an organization is willing to accept or assume. We could think that the ideal would be not to assume any type of risk, but we will see that this position goes against effectiveness of the operations or business of the organization.
In the following graphic we can see the risk tolerance level that can be had:
To better understand each level an example could be a screw factory, in which we have a little old machine to produce them that we do not want it breaks down and interrupt production.
Experience tells us that if we make 100 screws in an hour, the machine is not forced and does not have major breakdowns. This production allows us to cover current demand. This level would be the organization’s risk appetite.
If we slow down and make fewer screws the probability of breakdown is almost zero, but production is not enough for the business. We would be below risk appetite.
Demand increases and the company must decide whether increase production by forcing the machine. It would be possible to make 150 screws an hour, but the possibilities of breakdown could increase considerably and could lead to a stoppage of production indefinitely. Changing to this level of production would suppose a risk above the risk appetite but considered within a tolerable level for the company.
If demand continues to rise, the company would have to further increase production, making 200 screws every hour would push the machine to its limit of capacity. Normally companies do not assume this level of risk and reject the increase in production even if it affects their result.
Exceeding risk capacity you have might have disastrous consequences for the company from which it may not recover.
There are several factors to take into account when defining risk appetite. We must at least to consider following:
- • Economic: It is the first thing that everyone can think of, the cost-benefit analysis, considering the financial resources of the company and the return value that will be achieved.
- • Strategic:The strategy defined for the company can vary the risk appetite in certain business lines compared to others. It is important to consider the needs of interested parties such as shareholders, clients or regulators.
- • Capacity: The availability of resources and deadlines for achieving them can determine the risk appetite of business processes.
- • Legal: We may have legal requirements to comply with that will significantly influence the decision to be made.
Each company is different, and this decision is completely unique to each one. There is no standard formula that can work in general terms. In addition, risk appetite must be continually reviewed, considering all influencing factors, to update it and avoid it not being consistent with the organization’s objectives.
Acceptable risk level, that’s the key
The result of the definition of risk appetite is to establish the acceptable risk level (ARL), within risk management system of the company.
The ARL will mark the decision regarding the treatment of each of the risks identified in the system. It can be defined globally or at the process or asset level considered in the risk analysis.
The implementation of a risk management system is a complex process that requires the participation of all areas of the company. From the Consulting department of GlobalSUITE Solutions we are at your disposal to help you implementing a complete risk management system that reflects the reality of the protection that your company has against potential events that may occur and affect the achievement of the defined objectives.
We use the platform GlobalSUITE® that facilitates the registration, traceability and system monitoring, considering the complete risk management process based on the ISO 31000 standard.
- Managing personal data in schools
- Changes in data protection and the importance of risk analysis
- The figure of the Data Controller and Data Processor in the GDPR
- Protecting personal data in the coronavirus crisis
- What is it and how to develop a Record of Processing Activities, risk analysis and impact assessment?