Understanding risk appetite. Conducting a risk assessment helps a business determine its risk appetite, or the amount of risk that a firm is willing to accept in pursuit of value or opportunity. A firm’s risk appetite reflects its risk management philosophy and comfort level for undertaking business in situations where there could be an elevated sanctions risk. In turn, risk appetite influences the firm’s culture and operating style and guides resource allocation.
Understanding Risk Appetite
An organization’s risk appetite is determined through the risk-assessment process and formalized in a Risk Appetite Statement or Framework. A Risk Appetite Statement is a statement of the level and type of risk the organization is willing to take to meet its objectives. In contrast, a Risk Appetite Framework provides a structured approach to managing, measuring, and controlling risk. A business should determine its risk appetite based on the resources it has to invest in controls, staffing, and measures to protect its reputation. Organizations can have an overarching risk appetite enterprise-wide or have risk appetites defined on a more granular level by department.
Regulators frequently expect businesses to explain how they decide what types of customers to accept, based on the level of sanctions risk they have determined they can manage. Initially, the business needs to determine what it considers to be high, medium, and low risk—for customers, products and services, countries, and delivery channels.
The board of directors, or its equivalent, often will set limits and thresholds on the percentage of high-risk customers the firm can accept without receiving additional approval from the board. Remember that what is considered high risk for AML purposes may not necessarily be considered high risk for sanctions compliance and vice versa. This principle also applies to low risk. One mistake some firms make is using their AML country risk ratings for their sanctions risk assessment, leading to inaccurate results. In short, when a business determines its risk appetite, it is identifying its comfort level based on the resources it has to invest in controls, staffing, and measures to protect its reputation.
Factors That Influence Risk Appetite
Risk appetite, which is an important component of enterprise risk management, can be influenced by a variety of factors, including the following:
- an organization’s culture;
- the industry in which an organization operates;
- types of initiatives undertaken; and
- current position in the industry and/or financial strength.
A risk appetite statement for the entire organization can be a powerful tool for directing your risk criteria or compliance program. However, like any other policy, risk appetite is nothing more than an idea without accompanying action. Using standardized risk assessment templates and intuitive risk dashboards, risk managers can collect the information needed to implement appropriate risk appetite and risk tolerance at both the enterprise and individual business process levels.
Risk tolerance is influenced by the same wide range of factors that influence risk appetite. However, the amount of risk tolerance that an organization accepts varies on a case-by-case basis, depending on factors such as the nature of a project, the timeframe of the project, and the experience of the people involved. Risk tolerance can shift over time as industry standards, regulations, and accepted practices evolve.
The amount and type of risk that an organization is willing to pursue, retain, or take is referred to as risk appetite. The difficulty in developing a risk appetite definition is determining how to implement and enforce it so that it is relevant to business units on a daily and case-by-case basis. This means that risk appetite must be linked to business objectives before the appropriate risk metrics are collected to measure it.