“Almost everything worthwhile carries with it some sort of risk, whether it’s starting a new business, leaving home, getting married, or flying into space.” – Chris Hadfield
Risk management is most effective when organisations understand their risk categories and define their risk appetite. By doing so, they can align risk responses with strategies and objectives while applying the cost-benefit principle. Risk appetite is the cornerstone of effective risk governance, enabling organisations to optimise their approach to managing inherent risks.
Risk responses: A strategic choice
At the heart of risk management is deciding how to respond to inherent risks. Responses are tailored to the impact of risks on an organisation’s goals and objectives. These include:
- Treating/Mitigating Risks: Reducing risk levels through targeted measures.
- Tolerating/Accepting Risks: Choosing to live with risks as they are.
- Terminating/Avoiding Risks: Discontinuing activities that create the risk.
- Transferring Risks: Passing risks to third parties, such as insurers or outsourcing providers.
Choosing the right response requires a formal framework to guide decision-making. Without such a framework, organisations often default to risk mitigation, which may not always be the most effective approach. This is where the principle of risk appetite comes into play.
Defining risk appetite
Risk appetite refers to the types and levels of risk an organisation is willing to accept in pursuit of its objectives. It is closely related to:
- Risk Tolerance: The acceptable variation in performance related to achieving objectives.
- Risk Capacity: The maximum level of risk an organisation can handle.
Risk appetite can be categorised as follows:
- Low Risk Appetite: Avoiding or limiting risks, particularly in critical areas.
- Cautious Risk Appetite: Preferring safer options to minimise adverse exposure.
- Moderate Risk Appetite: Balancing risk and reward, pursuing innovative opportunities with measured consideration.
- High Risk Appetite: Actively engaging with risks in pursuit of significant benefits, provided risks are understood and accepted.
Risk appetite in practice
Risk appetite varies depending on the type of risk and its relevance to an organisation’s strategy. Examples include:
- High Risk Appetite: A strategic risk that is intrinsic to the organisation’s business model. For instance, a company might commit to its chosen strategy even though that strategy could fail.
- Moderate Risk Appetite: Risks with potential benefits but limited control over downsides, such as market risks in mining. A mining company might accept price volatility in exchange for potential gains during favourable market conditions.
- Low Risk Appetite: Risks governed by legislation or regulation. Regulatory compliance risks, for example, require a cautious approach due to the consequences of non-compliance, such as fines or licence cancellations.
- Cautious Risk Appetite: Operational risks that are unavoidable in day-to-day activities. For example, organisations might adopt a cautious stance towards operational risks because increasing exposure to them offers no direct benefit.
The role of risk appetite in governance
A clearly defined risk appetite is essential for effective risk governance. Boards of Directors must approve the organisation’s risk appetite to guide management and establish the framework within which decisions are made. Without this, organisations risk defaulting to suboptimal responses, such as unnecessary mitigation where risk tolerance or transfer would suffice.
An established risk appetite framework enables:
- Alignment of Risk Assurance: Ensuring internal audit, compliance, and risk functions provide optimal assurance.
- Mature Risk Management: Involving stakeholders to set expectations and define appropriate responses for different risks.
- Consistency Across the Organisation: Avoiding misunderstandings of the risk profile by management, assurance providers, and governance bodies.
Why organisations should act now
Organisations that lack a formal risk appetite framework should prioritise its development. A framework prevents inconsistent interpretations of risks and enables a unified approach across all levels of the organisation.
By aligning risk responses with strategic objectives, organisations can maximise opportunities, mitigate threats, and maintain resilience in the face of uncertainty.
About the Author:
Jeremiah Ndhlovu is a Certified Expert in Risk Management (CERM) with extensive experience in the mining sector. His expertise includes enterprise risk management, combined assurance, and process and controls standardisation.