The challenge of implementing Risk Appetite

There is one element in the discussion on Risk Appetite that deserves extra attention: the challenge of dividing Risk Appetite over the various divisions, business units and entities. Even for the more quantitative components of risk appetite this is already challenging. Risk appetite and risk tolerances can be divided over business units, but doing so means either that every unit receives the same tolerance or that each unit gets its fair share. Say the risk tolerance for the company is that the board accepts no more than 5% deviation from budgeted revenue and profit numbers. This can be divided equally over all the business units, because even if all of them failed by the same margin, the overall risk tolerance would not be exceeded. This works because these are percentages rather than absolute numbers. What if the same company has a very low tolerance for safety incidents, and would not accept a number higher than, say, three (because last year's result was three)? It is not possible to give every unit the same number, because the units' incidents would add up to a corporate total far above three. Dividing the number three over all entities is not possible either. Finding alternative measures carries the risk that they are not fully correlated with the true corporate risk tolerance, which leads either to unrealistic numbers or to an overall risk tolerance that is too high. This means that such risks need to be monitored at a corporate level, and that entity-level risk tolerance will probably end up at zero tolerance.
This becomes even more difficult with qualitative risks. The reputation risk appetite on all sorts of topics will perhaps be very low, but it should be realized that even the smallest entity can experience an event with devastating reputational impact, just like the largest one. So, risk appetite for this should be viewed at a corporate level. This may mean that risk tolerances need to be set at (near-) zero tolerance for all entities, in order to prevent risks being taken that exceed the overall risk appetite. In itself, this is an indication that the organization has become so large that its size has made it more vulnerable to risk events with a reputational impact. Perhaps this effect is also the reason why large organizations are considerably less agile than smaller ones. Organizations need to ensure that the risk tolerances they set this way do not freeze the business, and the risk of doing so grows the more detailed the organization's structure becomes.
So, having some sort of system in place to monitor risks at a corporate level becomes crucial, more so than micro-managing every decision in the organization. In addition, monitoring risks at a corporate level means that there needs to be a clear and defined way to roll up risk monitoring results from all the entities. With that in mind, the discussion on risk appetite and risk tolerances will add a lot of value to today's business conduct.