At KRM22, we advocate the implementation of an integrated, real-time, enterprise risk management approach which enables firms to operate at the optimal threshold of risk-taking, driving increased and sustainable shareholder returns.
In this article, I am going to introduce two important concepts related to setting boundaries for risk-taking and seek to clarify their meaning. These two concepts are Risk Appetite and Risk Capacity.
Unfortunately, there is not a definitive and universally agreed definition for these terms. Therefore, I am going to provide a definition based on how we think about these terms and use them in the development of the KRM22 Enterprise Risk Cockpit.
It is also worth noting that these terms are often used interchangeably and out of context. Where possible, I will refer back to the world's two leading enterprise and operational risk management standards: ISO 31000:2018 Risk Management (https://www.iso.org/standard/65694.html) and the COSO Enterprise Risk Management Framework (https://www.coso.org/Pages/default.aspx).
At KRM22, we define Risk Appetite as "the amount and type of risk that a firm is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders". With the inclusion of the phrase "and must take", we are explicitly signalling that risk-taking is a fundamental part of strategy and value creation.
Without taking risk, nothing is achieved. Therefore, we see Risk Appetite as a key part of both delivering firm objectives and managing risk.
The COSO Enterprise Risk Management Framework 2018 states that "The organisation defines risk appetite in the context of creating, preserving, and realising value". It lacks a clear and concise definition of what Risk Appetite is.
However, its predecessor, the 2004 version of the COSO framework, includes this definition: "risk appetite as the amount and type of risk that is acceptable to be taken by an organisational entity over a defined time period, to achieve the objectives of that strategy".
The ISO31000 standard does not include the term Risk Appetite. However, it uses the term Risk Criteria, which has a similar, if broader, meaning.
Under the definition of Risk Criteria, it includes the statement "the organisation should specify the amount and type of risk that it may or may not take, relative to objectives". Within the definition of Risk Criteria, the ISO31000 standard goes on to state: "It [the organisation] should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and customised to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the organisation's values, objectives and resources and be consistent with policies and statements about risk management."
However, ISO Guide 73:2009 Risk management — Vocabulary does explicitly define Risk Appetite as the "amount and type of risk that an organisation is willing to pursue or retain".
We define Risk Capacity, also known as risk-bearing capacity, as the maximum amount of risk that a firm can take before it fails, should those risks crystallise.
We believe that knowing your firm's Risk Capacity is an essential part of the enterprise risk management framework. By understanding the firm's Risk Capacity, Boards and Executive teams can make better strategic and operational decisions. They can also take specific actions to increase Risk Capacity.
Many firms have to submit an ICAAP and ILAAP for regulatory purposes. Too often, this is approached as an annual regulatory compliance exercise only. Forward-looking firms leverage the ICAAP and ILAAP process to understand their Risk Capacity and drill into what risk-taking would lead to the firm's failure.
Interestingly, neither ISO31000 nor the COSO Enterprise Risk Management Framework 2018 mentions Risk Capacity.
Risk Appetite and Risk Capacity are two essential tools that firms can use to define and clarify the boundaries around their risk-taking. They both have a significant role to play in strategic and operational decision-making, and they help set the tone of a firm's enterprise risk management approach and culture.
Whereas Risk Appetite is about which risks, and how much risk, a firm takes to create value, Risk Capacity is about survival. Therefore, both are a critical part of your enterprise risk management framework.
And while having a 'fixed' definition of both is essential, there must be flexibility and a regular review process. Both Risk Appetite and Risk Capacity should reflect the state of the business internally and market conditions externally, and change as those conditions change. Living through the COVID-19 crisis shows how quickly firms and market conditions can change.