Risk appetite - from theory to practice

Fundamentals & monitoring


One of the most fundamental concepts in financial risk management is risk appetite. It is the cornerstone of your risk management, the foundation upon which all your risk management decisions are built. While it might seem like a straightforward concept at first glance, it is actually far more nuanced and comprehensive than many realise.

Let’s dive into the must-know elements of risk appetite and look at a practical framework for correctly implementing it in your organisation’s risk management.

The strategic foundation of risk appetite

When we talk about risk appetite, we are really discussing how organisations make conscious choices about risk-taking. Every financial institution must balance its desire for growth and returns against the potential for losses. The Basel Committee in its supervisory guidance recognises this balancing act, which is why they require boards of directors to clearly articulate their risk appetite. 

But risk appetite goes beyond simply stating what risks and losses you are willing to accept. When an organisation implements controls or monitoring systems, it is investing resources that could be used elsewhere. 

So, you need to ask yourself: how much are we willing to spend on risk mitigation? What's the right balance between protection and operational efficiency? 

The three dimensions of risk appetite

There are three building blocks of risk appetite, measured through your Appetite KRIs (more on this in our first video article, Risk Management Framework & Maturity Criteria). For each of these blocks, ask yourself some of the following questions to get a better view of how your organisation currently approaches these aspects:

Risk Appetite and KRIs Structure

Exposure limits 

Your exposure limits can be seen as the boundaries of your risk-taking activities. What is the maximum amount of risk you are willing to expose your organisation to, across different areas? 

  • How sensitive is the data you're handling? 
  • What's your technical infrastructure footprint? 
  • Where are you operating geographically? 
  • What products and services are you offering? 

How do these elements interact in your organisation? What limits to risk exposure make sense given your strategic objectives? 

Control requirements 

The safeguards you need are not just arbitrary rules; they are your defence mechanisms.

  • What preventative controls do you need to stop issues before they occur? 
  • How will you detect problems early? 
  • What corrective measures should be ready? 
  • How will you know if your controls are working? 

Tolerated incidents 

Here is where theory meets reality. Even with the best controls, incidents will occur. The key questions to consider are: 

  • What level of incidents is your organisation ready to tolerate? 
  • How quickly must you respond to different types of events? 
  • At what point does an incident require escalation? 

Risk appetite approaches across risk types 

Your risk appetite may vary across different risk categories. Below are examples of several risks, each with a different approach from a risk appetite perspective. For a full description, check out the slides or Ariane’s video.

Information security

When it comes to the risk of loss of sensitive data, very few, if any, organisations have a tolerance for this type of risk. This is typically a risk where organisations adopt the ALARP approach, “as low as reasonably practicable”, meaning it is best to have the strongest set of limits and controls that is practicable.

Internal fraud

While organisations typically declare zero tolerance for fraud, the reality requires a more nuanced approach. As this is mostly an after-the-fact statement (i.e. that fraudsters will be sanctioned, not that fraud is made impossible), it is best to have the correct blend of preventative and corrective controls. 

Service continuity 

This is perhaps the most straightforward area to measure, but that does not make it simple to manage. Here it is possible to have a different risk appetite for different disruptions of continuity. This is where concrete metrics like your Recovery Time Objectives (RTOs) are faithful reflections of risk appetite levels for continuity risk. 

Strategic investments

You can also have ‘positive’ risks or situations where you are more willing to take risks. Unlike other risk types where you are primarily defending yourself against negative outcomes, strategic investments or setting up a new project require you to actively embrace calculated risks. 

Examples of Risk Appetite Metrics

Risk appetite definition & KRI monitoring for an international retail bank

The risk appetite matrix: a practical framework

The Risk & Control Self-Assessment (RCSA) matrix is a great way to translate the likelihood and impact you are willing to accept from your risks. 
Think of it as a map with four distinct territories. Each one requires its own approach and has a different colour to display the level of risk acceptance: 

Zone 1: cost of business

These are your everyday risks: the ones you cannot avoid but that are manageable in terms of loss and impact.

Zone 2: well-managed risks

This is where you want most of your significant risks to reside. Even though these risks are larger, they should be very well mitigated.

Zone 3: control gaps 

This is your danger zone: significant risks without adequate controls.

Zone 4: tail risks 

The risks in this category can hardly be avoided, yet it is best to mitigate them as much as you can.

Risk Appetite Matrix

Risk appetite in practice: the dual approach

There are two ways you can apply risk appetite within your risk management framework. On the one hand, you have the top-down approach. In this case, you translate your strategic risks into the corresponding exposure limits, controls and monitoring. This is the ‘orthodox’ way of doing things.

But on the other hand, why not also work bottom-up? Observe what is happening in your organisation. What do people control, and what do they not? Infer from that information how this translates into tolerance and your actual risk appetite. This will help you to compare these observations with your desired situation and identify gaps.

Risk Appetite - Dual approach bottom-up and top-down

If you want to implement or refine your risk appetite framework, remember that it is not about creating perfect systems.

The key lies in building effective ones that align with your organisation's objectives.
