The traditional definition of risk appetite is:
The amount of risk an organization is willing to take in pursuit of objectives.
This is a mouthful that makes little sense, especially when you try to come up with “an amount of risk”.
Is that a bushel, a pound, a gallon, a million dollars, or what?
Some would argue with me (without success) that it makes sense to add up the level of risk (given that there is a range of effects from each source of risk, each with its own likelihood) from disparate and unconnected sources such as:
- Cybersecurity
- Exchange rates
- Commodity prices
- Supply chain
- Competitors
- Loss of key personnel
- Regulation
- Safety
- Compliance
- etc., etc.
I can’t see where that makes sense for anybody. (See ** below.)
So…
Let’s rethink what we are trying to achieve.
I think there’s a better way to frame any discussion.
Let’s replace the traditional, useless definition with a question:
What risks should we take to achieve success (achievement of objectives)?
I believe a discussion around this question will be productive and should lead to more informed and intelligent decisions – and they, in turn, should increase the likelihood of success.
In my books, I have suggested another replacement, which I still like and advocate. Instead of focusing on a level of risk, let’s talk about whether…