How Well Do You Know Your Organization's Risk Appetite?
Everyone within an organization perceives risk differently. CFOs are focused on the big financial picture, while business units are more likely to pay attention to threats to the profitability of their individual divisions of the company.
The different appetites for and perspectives on risk within an organization can sometimes hamper the effectiveness of risk management. Risk professionals should work to have all the organization's stakeholders on the same page.
The economic volatility caused by the COVID-19 pandemic makes taking a more unified approach to addressing the risks to the enterprise even more important. Risk managers ought to have a clear understanding of what kinds of risks affect the organization the most and what risks the company is comfortable accepting.
Take these three steps to understand your organization's overall risk appetite.
1. Develop a Consistent Risk Appetite Framework
The natural array of perspectives means people will define risk appetites in different ways. The diversity of views can make for a more robust risk management process, but there should be a structure that allows an organization to capture all the feedback.
Risk appetites should link directly to an organization's strategic goals, and each category of risk should have a tolerance level. Questions risk managers should consider to help create a framework include:
- What drives the organization's risks?
- How do you translate each risk within a global risk appetite?
- How are you going to monitor and measure each risk?
Answering these questions and developing the risk appetite framework takes time. It requires data on risk and operational metrics that align with the organization's overall strategy while being understandable enough for all stakeholders to use.
However, that time is well spent because it gives an enterprise the tools it needs to understand its risk exposures and take action to mitigate or transfer them.
2. Build Consensus Within the Organization
Across the organization, people should speak the same language about risk and develop a shared understanding. Once a risk appetite framework is in place, organizations can collect assessments from all levels of the company.
A comprehensive review of perspectives can identify threats to the enterprise that aren't often considered when taking a top-down approach. This process requires time and buy-in from senior management to incentivize all the relevant teams to contribute to risk assessments.
Realize that specific parts of the organization may have competing views on how to manage risk. The assessment is not about squashing dissent as much as it is about risk managers building consensus.
Workshops are useful exercises to help risk managers in different parts of the organization understand the spectrum of risk appetites and come to an agreement on the total risk faced by the enterprise. Some risks may require a distinct approach that is specific to a particular business unit, but the goal should be to come together around a collective enterprise risk appetite. Those specific risks may need a local policy, but it's about managing risk at the enterprise level and using that consensus to guide decisions to purchase coverage as an organization.
The key to running productive workshops is great data-sharing among all the participants. The data is the basic building block for creating a reliable decision-making process based on the risk assessment framework.
3. Quantify Your Risk Appetite Across the Organization
Risk appetites boil down to numbers on which effective risk management depends.
The organizational consensus should identify, measure, analyze, and understand the enterprise's existing and emerging risks. That data can now be used to design a sustainable and successful risk management strategy based on a comprehensive risk appetite.
Knowing an organization's all-inclusive risk appetite rather than a disjointed collection of individual views on risk can help significantly improve financial performance. It allows an enterprise to better respond to business uncertainties, such as the COVID-19 pandemic, with better decision-making capabilities, stronger governance and a more thoughtful overall approach to risk. Armed with an enterprise-wide risk appetite, risk managers can evaluate what potential dangers are acceptable and which ones require insurance coverages.
Most organizations have defined their risk appetites at the enterprise level. A greater sophistication in risk management means that organizations that don't take steps to comprehend their risk appetites may lose a competitive advantage. Risk management includes looking at an enterprise's blind spots and preparing for the unexpected. COVID-19 has demonstrated the value of resilience in the face of uncertainty.
Risks and opportunities change over time, as does an organization's risk appetite. The work of assessing risk and updating risk appetites requires regular maintenance to be effective. The good news is that a job well done will form a foundation to benefit an organization's risk managers long after this crisis passes.