“Would you rather” is a party game that poses dilemmas by asking questions starting with “would you rather...”. For example, “Would you rather be 10 minutes late or 20 minutes early?”
This simple game illustrates the principles of risk appetite and risk/reward decision-making. Similarly, a commonly used decision-making technique poses the questions:
This is the first decision-making gate. It involves assessing the level of risk involved in each choice and comparing those to your personal risk appetite. This requires identifying the risks and related impacts of each alternative. For example:
Applying your personal risk appetite, you need to ask: “Is that risk outside, or within, my risk appetite?”
Your risk relating to being late may be outside of your risk appetite, whereas the risk relating to being early may be within your risk appetite. This would make your choice easy: You “can’t” do the one that is outside your appetite (being 10 minutes late), but you can accept being 20 minutes early.
If both alternatives are within your appetite, you need to move to decision-making gate two — should I? The “should I?” test involves weighing the benefits and costs with the level of risk. When the net benefits/costs outweigh the risk, you should do it. When they do not, you should not.
For example, being 20 minutes early costs you 20 minutes of your time, while being 10 minutes late provides you with an extra 10 minutes. You then compare these different time costs/benefits against your assessment of the related risks and select the one with the best benefit/cost-to-risk ratio.
Where the party game becomes interesting is when both alternatives are outside of appetite. The resulting discomfort of the person choosing is obvious. Fortunately, in business, we can usually reject both alternatives.
Risk appetite plays a crucial role in the governance and operation of a successful organization. In addition to decision-making as outlined above, it should also be used to provide assurance to management and boards regarding the level of risk within the organization.
Risk appetite explicitly sets the boundaries within which people have freedom to take risks, undertake activities, make decisions, and fail.
In many organizations, these boundaries have developed over time from the bottom up, driven by the personal risk appetites of staff who have passed through the role. This is dangerous, as it may not reflect the desired risk appetite of the organization.
It is therefore critical that risk appetite is set from the top-down. It should be set by executives and the board and be specifically “owned” by the board.
A well-articulated and operationalized risk appetite is a critical component of a robust enterprise risk management framework. Do you have one? Find out more in Protecht’s Risk Appetite: Taking and accepting the right amount of risk eBook.
TERRY LEE is Protecht's Vice President of Sales for North America.