How much risk is too much risk? Understanding risk appetite
The Risk Doctor, Risk Doctor & Partners
One of the most important decisions for any business, project, or individual is how much risk to take. The phrase “risk appetite” is often used to describe the level of acceptable risk, but there is no accepted definition for this term; even worse, there is confusion between risk appetite and other risk-related terms, especially risk attitude.
In seeking to answer the “How much risk…?” question, this paper considers a range of risk terms, showing how they relate to one another. This reveals that two risk-related factors are particularly influential when individuals or organizations decide how much risk can be taken in a risky and important situation. These two key factors are risk appetite and risk attitude, which have central and complementary roles.
The paper explains how to use both risk appetite and risk attitude to set appropriate risk thresholds in any given situation. Risk appetite is an internal tendency to take risk in a given situation, and it reflects organizational risk culture and the individual risk propensities of key stakeholders. But unmanaged risk appetite can lead to the wrong outcome. Risk attitude is a chosen response to risk, driven by perception, and it can act as a control point to ensure that the right amount of risk is taken, so that the achievement of objectives is optimized. Putting both risk appetite and risk attitude together into a single framework (the RARA Model) provides a practical approach that enables individuals and organizations to take the right risks safely.
What Is Risk Appetite? The Physical Analogy
All important management decisions involve risk taking, and we need to be able to answer questions starting with “How much risk…?” These questions include:
- How much risk do we face?
- How much risk can we take?
- How much risk should we take?
- How much risk do we want to take?
- How much risk will we take?
- How much risk are we taking?
Each of these questions is important, and a variety of risk-related terms are in use to describe the answers, including risk appetite, risk attitude, risk capacity, risk culture, risk exposure, risk perception, risk preference, risk profile, risk propensity, risk threshold, risk tolerance, and so forth. No one seems able to define how these terms might differ, overlap, replace, or relate to each other.
Among these terms, risk appetite has recently become a hot topic. Recent research on risk appetite (Association of Insurance and Risk Managers, 2009) has identified four ways in which an understanding and expression of risk appetite can be used within organizations:
- To support strategy-setting, leading to a balanced risk profile and identification of which risks to avoid and which to take
- To support effective management of risk, by ensuring that risk management resources are allocated optimally, and fostering a risk-aware culture across the organization
- To set appropriate boundaries for risk-taking, by motivating decision makers to make better and more consistent decisions
- To maximize stakeholder value, by enhancing organizational performance and delivery.
But what exactly is risk appetite? One way to understand this term is to start with its physical equivalent and see whether helpful analogies can be drawn.
What Is Appetite?
For most people, the word appetite is closely linked with being physically hungry. But dictionary definitions of appetite are wider. Of course they include a desire for food or drink, but appetite can also mean a desire to satisfy some other bodily craving, such as sexual pleasure. There are also non-physical appetites, where the desired result is intangible, such as an appetite for excitement or fame. And some appetites can be destructive, involving drugs or violent behavior. The word appetite is derived from the Latin word appetere, which means to desire strongly.
These roots immediately tell us something important about appetite, which most people fail to recognize. Appetite is not the same as hunger. Appetite is a desire, a psychological need that demands to be met. The external expression of appetite is hunger, which we experience as a lack of something, and which motivates our behavior in an attempt to satisfy the internal desire.
So what might influence appetite in a particular individual? There is a wide range of factors, including these:
- Physical characteristics (size, weight, age, etc.);
- Metabolic rate (high, normal, low);
- State of mind (anxious, calm, stimulated, etc.);
- Underlying state of health (good, poor, diseased);
- Lack of something that is required for good health (nutrients, vitamins, water, etc.); and
- Last experience when appetite was satisfied (how long ago, how fully satisfied, etc.).
Several of these influences are outside the immediate control of the individual, at least in the short term, because they arise from one or more inherent characteristics.
So, we see that appetite is an internal desire or craving for food or some other physical stimulant. It exists within a person, and motivates him or her to meet a felt need. Appetite is the answer to the question “How hungry do I feel?” But because physical appetite is intangible and has no units, it is hard to measure or express. It results in outwardly measurable behavior, and it is affected by various factors, but it is not something we can choose or influence as it happens; it just is what it is.
What Is Risk Appetite?
The physical analogy allows us to understand some of the key features of risk appetite, by comparing physical appetite with its risk counterpart. For example:
- Just as physical appetite is an internal desire for something such as food, in the same way, risk appetite reflects our desire to take risk. How much risk do we feel that we can take on in a given situation?
- Our appetite for risk is likely to be influenced by a wide range of other factors, just like our physical appetite, but it exists as an internal drive or desire that is not visible externally.
- Physical appetite is expressed outwardly through hunger, and likewise risk appetite can be seen through decisions we make about how much risk to take, which are expressed as risk thresholds.
Drawing these thoughts together, we can define risk appetite as:
Tendency of an individual or group to take risk in a given situation
Risk appetite is then expressed using risk thresholds, which are described against objectives, and which can be measured externally.
Why Does Risk Appetite Matter?
Risk appetite matters for two key reasons. The first is that it is increasingly becoming a compliance requirement, driven by international risk standards, corporate governance regulations, and others. These are key examples:
- ISO Guide 73:2009 (International Organization for Standardization [ISO], 2009a) includes a normative definition of risk appetite as “amount and type of risk that an organization is prepared to seek, accept or tolerate” (p. 6). This is reflected in other risk standards such as ISO 31000:2009 (ISO, 2009b), BS 31100:2008 (British Standards Institution, 2008), and the Office of Government Commerce (OGC) “Management of Risk” (M_o_R) guidance (OGC, 2010).
- Corporate governance guidelines refer to the need for organizations to define and communicate their risk appetite, with the UK Corporate Governance Code stating that “The board is responsible for determining the nature and extent of the significant risk it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010, p. 7). Similarly, the U.S. National Association of Corporate Directors (NACD) Blue Ribbon Commission issued their Report on Risk Governance: Balancing Risk and Reward in October 2009, stating that “The Board of Directors need to understand the organization's risk appetite and level of risk tolerance. The assessment of the company's risk appetite should be an ongoing process, considering that risks facing the company are constantly changing” (National Association of Corporate Directors, 2009, p. 4).
- Professional risk bodies such as the UK Association of Insurance and Risk Managers (AIRMIC), the Institute of Operational Risk (IOR), and the Institute of Risk Management (IRM) have each issued advice to their members aiming to clarify the meaning of the term and how it should be used in practice (Association of Insurance and Risk Managers, 2009; Institute of Operational Risk, 2009; Institute of Risk Management, 2011).
- Consultancy firms have undertaken research and offered guidance to clients on the subject (PricewaterhouseCoopers, 2008; KPMG, 2008; Towers Perrin, 2009), perhaps seeing a new business opportunity to provide advice and support.
Second and more importantly, the ability to understand and express risk appetite allows decision makers at all levels in an organization to decide how much risk they should take in a given situation, from boardroom to project teams. This should inform decision makers on matters such as corporate goals, investment decisions, business strategy, portfolio construction, project execution, technical solutions, operational efficiencies, and so forth. For each of these important management decisions, risk appetite drives the answer to the question “How much risk should we take?” As a result, it is important for managers at all levels to understand and express their risk appetite, from the CEO to the project manager, and for these multiple levels of risk appetite to be consistent, coherent, and aligned.
Risk Appetite—Inputs and Outcomes
We have seen that risk appetite is an internal tendency within an individual or a group, and that it cannot be seen or measured directly. It represents a hunger for risk in a given situation, a desire or drive to take on a certain level of risk exposure. But where does this internal tendency come from? What influences risk appetite?
One obvious input to risk appetite is the situation that is being faced. Risk appetite does not exist in a vacuum or in isolation. We have defined risk appetite above as “tendency of an individual or group to take risk in a given situation”, so clearly that situation is influential. In fact, it is not just the situation in general that influences risk appetite, but the specific objectives that an individual or organization wishes to achieve in or from that situation. For a project manager, the situation is the project, and the objectives are the project objectives.
In addition to the situation and its associated objectives, there are two other factors that influence risk appetite. Both of these deal with people, which is unsurprising since risk appetite is an internal tendency. The first factor relates to individuals and the other arises from the group context.
- On the individual side, the appetite for risk in a particular situation is affected by the general tendency of each individual to take risk in any circumstances. This is called risk propensity, and it in turn is driven by a range of risk-related personality traits, or innate motivations, known as risk preferences.
- Another influence on risk appetite is the culture of the group or organization in relation to risk, describing the set of shared beliefs, values, and knowledge that a group has about risk. This is called risk culture, and it results in a set of norms and behaviors that are naturally adopted by the group when situations are faced that are perceived as risky and important.
One interesting fact to notice about these inputs to risk appetite is that they are all internal, and they are not chosen by the individuals separately or the group acting together; they just are what they are. The effect of individual risk propensity and corporate risk culture on risk appetite is subtle and invisible; it is essentially unmanaged, and it cannot be seen or measured externally. The resulting risk appetite therefore arises unconsciously and without the deliberate choice or intentional intervention of the individual or group concerned. That is why we describe risk appetite as a tendency—because it is internal and unmanaged.
As well as considering the inputs that affect risk appetite, we should also look at its outcomes. Just as we have no units to measure or describe physical appetite, the same is true for risk appetite. We describe our natural hunger for food or drink by translating the internal appetite into externally measurable terms, for example, a steak or a salad. We also need an external proxy for risk appetite, something that can be seen and measured objectively. This role is taken by risk thresholds, which are external expressions of risk appetite. And just as risk appetite is defined in terms of the objectives associated with a specific situation, risk thresholds are expressed in the same way. There should be a risk threshold set for each objective, reflecting the overall risk appetite in the situation.
Once we have defined risk thresholds for a given situation (how much risk we are willing to take), we can then compare these with the overall risk capacity of the organization to bear risk, either in this specific situation or in aggregate. This will tell us whether our risk appetite can be fully satisfied or not. We might find that our appetite for risk leads us to set risk thresholds that exceed our capacity to take risk. This could lead to a problem if left unmanaged, since we might end up taking on too much risk, exceeding our risk capacity. Alternatively, our risk appetite may lead us to be too cautious, setting low risk thresholds which are well within our risk capacity, and which do not stretch or challenge the organization or make best use of its resources.
The inputs and outcomes for risk appetite are shown in Exhibit 1. The problem is that risk appetite and all its inputs are invisible internal factors that are hard to influence directly. This makes it difficult to change things if our risk appetite is leading to inappropriate risk thresholds. As a result we need some other way to intervene and exercise control over unmanaged risk appetite.
Using Risk Attitude to Moderate Risk Thresholds
Our previous work on risk attitude (Hillson & Murray-Webster, 2007; Murray-Webster & Hillson, 2008) has defined risk attitude as:
Chosen response to risk, influenced by perception
The important characteristic of risk attitude in this context is that it is chosen, and can therefore be modified and managed. And like risk appetite, risk attitude also has a range of inputs and outcomes, as illustrated in Exhibit 2.
Considering inputs first, the chosen risk attitude is influenced by the perception of the degree of risk exposure associated with a given situation, and risk perception in turn is affected by a complex web of factors, referred to as the “triple strand” of influences (conscious, subconscious, and affective factors). It is common to speak about only a few specific risk attitudes, such as risk-averse, risk-seeking, risk-tolerant, or risk-neutral. But in fact, risk attitude exists on a continuous spectrum with an infinite number of possible positions. Faced with a given risky situation, a particular individual or group might exhibit a risk attitude anywhere on this spectrum.
Turning to outputs from risk attitude, two things are important in the context of making decisions in risky and important situations. The first is that our attitude to risk affects the degree of risk we are willing to take, as expressed in risk thresholds. Clearly, if we are comfortable with the perceived exposure to risk (i.e., our attitude is risk-seeking), then we will wish to set higher risk thresholds than if we are uncomfortable with the uncertainty (risk-averse).
But the influence of risk attitude is much wider than simply affecting the chosen level for risk thresholds and tolerances; it also affects our risk actions. In fact, every action we take in relation to the perceived level of risk exposure is driven by our position on the risk attitude spectrum. Each step in the risk process is affected by the risk attitude we adopt in the situation, including these:
- Identifying threats and opportunities;
- Assessing and prioritizing identified risks; and
- Selecting and implementing appropriate risk responses.
Our risk actions modify the degree of risk exposure associated with the situation, leading to a revised perception of risk. As a result, we may wish to change our risk attitude, to give us the best chance of achieving our objectives in the light of the new risk challenge that we now face. Therefore, there should be a cycle between the current level of risk exposure, our chosen risk attitude, and the risk actions we take.
Changing risk attitude is a simple matter of making a different choice. Earlier work (Murray-Webster & Hillson, 2008) described how applied emotional literacy can be used to modify risk attitude in an intentional way, using a framework called the Six A's model. This starts with awareness of the existing risk attitude that we have initially chosen in a given situation, together with appreciation of the factors that have influenced that choice. Next we assess whether the risk attitude is helping us to achieve our goals or not. If the existing risk attitude is assessed as being appropriate, then we accept it and continue without change. However, if a change in risk attitude is required, then we assert the need for change and take action to modify our chosen risk attitude.
Putting It Together: The RARA Model
Comparing Exhibits 1 and 2 shows that risk appetite and risk attitude share common inputs (the situation and its objectives) and a common outcome (the setting of risk thresholds). Therefore, it is possible to merge the two exhibits into a single model, showing the relationship between risk appetite and risk attitude; we call this the RARA Model (Exhibit 3).
The RARA Model indicates how we can exercise control over setting risk thresholds to make sure that they are appropriate in the setting of the given situation, taking account of the influence of individual risk preferences as well as of organizational risk culture, and ensuring that the risk thresholds do not exceed our risk capacity.
We have already seen that the influences on risk appetite are internal and so cannot be easily modified or measured. However, risk attitude is a choice, and it is possible to choose a different risk attitude using the Six A's approach. As a result, the ability to choose a different risk attitude in a given situation provides a point of control in the RARA Model. We can now take a four-step approach to setting appropriate risk thresholds, as follows:
- Step 1 — Unmanaged. First, we set risk thresholds intuitively without any conscious intervention or modification. This will result in risk thresholds that reflect the internal risk appetite. However, since all the factors influencing risk appetite are internal and cannot be modified, the resulting risk thresholds may be inappropriate. Because these initial risk thresholds are set using “gut feel,” the effect of chosen risk attitude is excluded at this point.
- Step 2 — Constrained. The initial risk thresholds are reviewed in the light of the individual risk propensities of the decision-makers, as well as considering the organizational risk culture. Referring to Exhibit 3, we see that these are the two main influences on risk appetite, so by considering them explicitly, we are able to express our underlying risk appetite. This may result in a modification of risk thresholds.
- Step 3 — Check. At this point, we should review the risk thresholds against the risk capacity to determine whether they are appropriate. If not, then some intervention is required.
- Step 4 — Informed. The final step is taken if Step 3 indicates the need to modify the risk thresholds. This takes advantage of our ability to choose a different risk attitude, and uses it as a point of active and intentional control in the process. By changing our risk attitude we are able to influence the final choice of risk thresholds to produce something that is more appropriate.
This four-step process provides us with a simple and practical way to set risk thresholds at a level that will enable us to take the right risks safely.
Risk appetite matters. It is an important topic for us to understand, because our risk appetite drives the way we answer the important “How much risk…?” questions. But risk appetite is an internal tendency, invisible and impossible to measure. Therefore, we need to use an external proxy to allow risk appetite to be expressed, and this is the role of risk thresholds.
Unfortunately, the internal nature of risk appetite also means that if it is left unmanaged, it might result in the setting of inappropriate risk thresholds, leading us to take too much or too little risk. We therefore need a way to intervene and modify risk thresholds that have been set intuitively using the gut-level risk appetite.
Intervention is possible by choosing a suitable risk attitude that allows us to modify the initial risk thresholds, moderating the effect of unmanaged risk appetite. The RARA Model described in this paper combines both risk appetite and risk attitude, providing a practical way for decision-makers at all levels to answer the “How much risk…?” questions, and take the right risks safely.
The content of this paper draws on work done by the author in collaboration with Ruth Murray-Webster (Hillson & Murray-Webster, 2007, 2011, 2012; Murray-Webster & Hillson, 2008).
Association of Insurance and Risk Managers. (2009). Research into the definition and application of the concept of risk appetite. London, UK: Association of Insurance and Risk Managers.
British Standards Institution. (2008). BS 31100: Risk management – Code of practice. London, UK: British Standards Institution.
Financial Reporting Council. (2010). UK Corporate Governance Code. London, UK: Financial Reporting Council.
Hillson, D. A., & Murray-Webster, R. (2007). Understanding and managing risk attitude (2nd ed.). Aldershot, UK: Gower.
Hillson, D. A., & Murray-Webster, R. (2011). Using risk appetite and risk attitude to support appropriate risk-taking: A new taxonomy and model. Journal of Project, Program & Portfolio Management, 2(1), 29–46.
Hillson, D. A., & Murray-Webster, R. (2012). A short guide to risk appetite. Aldershot, UK: Gower.
Institute of Operational Risk. (2009). Operational risk sound practice guidance Part 1: Risk appetite (version 1, December 2009). Retrieved from http://www.ior-institute.org/education/sound-practice-guidance/8-sound-practice-guidance-part-1
Institute of Risk Management. (2011). Risk appetite and tolerance. London, UK: Institute of Risk Management.
International Organization for Standardization (ISO). (2009a). ISO Guide 73:2009: Risk management – Vocabulary. Geneva, Switzerland: International Organization for Standardization.
International Organization for Standardization (ISO). (2009b). ISO 31000:2009: Risk management – Principles and guidelines. Geneva, Switzerland: International Organization for Standardization.
KPMG. (2008). Understanding and articulating risk appetite. Sydney, Australia: KPMG.
Murray-Webster, R., & Hillson, D. A. (2008). Managing group risk attitude. Aldershot, UK: Gower.
National Association of Corporate Directors. (2009). Report on risk governance: Balancing risk and reward. Washington, DC: National Association of Corporate Directors.
Office of Government Commerce. (2010). Management of Risk: Guidance for practitioners (3rd ed.). London, UK: The Stationery Office.
PricewaterhouseCoopers. (2008). Risk appetite – How hungry are you? The PwC Journal, Special risk management edition. London, UK: PricewaterhouseCoopers.
Towers Perrin. (2009). Risk appetite: The foundation of enterprise risk management. London, UK: Towers Watson.
© 2012, David Hillson/Risk Doctor & Partners Limited
Published as a part of the 2012 PMI Global Congress Proceedings – Vancouver, Canada