High, medium or low?
What does it mean?
Does anyone know?
This concept of risk appetite as a means to set a risk management strategy has, I must admit, baffled me since it first started to creep into the vocabulary of risk management. And, frankly, I'm not sure any of the statements really mean anything: if company A says their risk appetite [to something] is high and company B says theirs is medium [to the same thing] it's just a subjective statement - it depends on what company A thinks is "high" and what company B thinks is "medium". It could be that company B has the bigger risk appetite but because it has a large risk appetite it thinks it's risk appetite isn't that high.
So in the interests of debate, here's an assertion "risk appetite can't be stated, but it can be observed". And, because it can be observed, it can measured and compared. First, I think it's helpful to drop the term "risk appetite" and think in terms of "uncertainty tolerance" and how this might manifest itself not in statements by actions taken or not taken. For instance, what's your tolerance to the uncertainty of having an accident while driving your car? You could say "it's low - I'm a careful driver" - which would mean you:
regularly check tyre pressures
have your vehicle regularly serviced
and you don't:
exceed speed limits
follow too closely
run an amber light etc....
However, observation of your actual driving behaviour may indicate that you do some or all of the above - meaning your uncertainty tolerance (or risk appetite) is in fact higher than you have said it is.
Now back to the corporate world. The driving anecdote above is just as applicable. The "risk appetite" stated in the annual report or risk registers is just that - a statement. The real risk appetite of an organisation will be reflected by their actions not their words, what they do, or don't do, indicates their intrinsic risk appetite. For example, an organisation might say it has a low risk appetite when it comes to cyber threats or major IT investments. But it's real risk appetite ( as measured by the amount of uncertainty it is prepared to live with) will be indicated by:
The exposure proportionate to the organisations overall assets.
The resources devoted to threat mitigation
The amount of attention given by senior management to gain assurance that threat mitigation activities are being effectively operated and are fit for purpose.
Interestingly, taking this perspective on "risk appetite" makes it measurable:
The resources invested can be benchmarked across business sectors - and supply chains. The lower the level of investment, the higher the tolerance for uncertainty
The greater the attention given to assurance, the more certainty management requires to assure themselves of the ongoing effectiveness of mitigation measures.
As always "actions speak louder than words" - and are easier to measure