According to COSO, Enterprise Risk Management is 'a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives'.
For an organisation to remain competitive in today's challenging business environment, therefore, an optimal balance must be achieved between risk retention, mitigation and transfer. In essence, an organisation should take risk on a controlled and informed basis in pursuit of its business objectives. How much risk an organisation can and may wish to take on board will depend on a number of factors, including the environment it operates in, its stakeholders' expectations, the nature and culture of its business and the capacity it has to absorb risk without negatively impacting its objectives, otherwise known as its 'risk capacity'. Clearly understanding the differences between the two sides of risk - threat and opportunity - is a key business enabler for organisations. It is recognised that, whilst there is a need to articulate how much risk an organisation should take in a format that can be understood by the organisation as a whole, formats will vary considerably between different business environments, depending on the size, complexity and maturity of the entities in question. There is no one-size-fits-all approach. For example, an organisation operating in a highly regulated environment may have its approach to risk taking defined through its processes and procedures and make very little reference to a stand-alone framework document.
More important is how the framework is designed and how its guidelines are used to drive improved business decisions, which in turn drive performance and support the achievement of business objectives. Providing assurance to senior stakeholders that risk is being taken within specified limits is important. However, supporting improved decision making by clearly articulating risk appetite against future risk scenarios is a real driver of reducing future uncertainty and financial volatility. A clear link should be established between strategies, the business model, the business plan, the related Key Performance Indicators ('KPIs') and the risk limits that help to define appetite.
'The Board are fully engaged in risk appetite as this underpins our business model and licenses to operate.'
- Head of Risk, major insurance organisation
The inherent culture within an organisation is a critical success factor for risk management. An appropriate risk culture can both support risk-informed decision making and ultimately drive business performance and the avoidance of significant financial losses. The successful implementation of a risk appetite framework will depend on the maturity of the risk culture that exists across an organisation.
The approach described in this guide is aimed at ensuring that an organisation effectively implements a mechanism for understanding how much risk it should take in relation to strategic objective setting, business model changes and investment decisions. The guide covers the basic components of a risk appetite framework and how such a framework can be used to support the achievement of business objectives, including the application of risk transfer through the purchase of insurance. Organisations and the context in which they operate are dynamic, so an approach of continuous improvement should be adopted to ensure that lessons learned are taken on board and that risk appetite is regularly reviewed, updated and signed off by key stakeholders. This guide is meant to build on the prevailing theoretical 'risk balance sheet' view of risk appetite and provide a practical guide to drive risk-based decision making.