The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.
That is not a clear explanation in plain business language that makes obvious business sense to everybody from the board room to the people in the trenches.
The primary problem is the idea that there is an “amount of risk”.
Ask a safety practitioner what is the amount of risk that should be taken that somebody might be killed or suffer a serious injury.
How do you calculate an “amount of risk” that spans not only the entire enterprise, but different sources of risk such as compliance, safety, customer relations, reputation, competitor, economic, cash flow, third and fourth-party, cyber, human capital, and so on?
How does a risk appetite statement enable people across the extended organization, at various levels, to make the informed and intelligent decisions necessary to achieve objectives?
I think there is a better way that should be at least considered.
The twist is to ask:
How much am I willing to spend to ensure that the possibility of such and such happening and affecting my objectives (a range of effects or consequences and their likelihoods) is within my desired range?
For example, how much am I willing to spend to ensure that the possibility of a significant…