Risk appetite is an area that attracts diverse views among operational risk practitioners. Depending on the sector, scale and risk profile of an organization, operational risk appetite frameworks range in complexity and scope. Differences also exist in terminology, with some practitioners preferring the term tolerance over appetite when referring to operational risks. For these reasons, the following paper does not recommend a one-size-fits-all solution. Rather, it outlines a variety of good practices, from which may be drawn a collection of appropriate, relevant, and proportionate ideas.

Fundamentally risk appetite, whatever the risk that is focused upon, is about decision making. Every action or decision within an organization involves an element of risk. The organization must, therefore, be able to distinguish between risks that are likely to result in value-creating outcomes (e.g. profit, reputation, improved services, etc.) versus those that may destroy value. By determining an appropriate appetite for risk and implementing a framework to ensure that this appetite is maintained, organizations can ensure that decision-makers do not expose them to either too much, or too little, risk.

Whilst the focus of this paper is on operational risk, the IOR would expect that an organization’s appetite for operational risk is part of broader, enterprise-wide appetite for risk. Operational risk is important to all organizations and the Board and senior management must be engaged in its management. Effective governance and compliance require the management of risks which are typically operational (e.g. fraud, health and safety and conduct-related risks). Also, strategic decisions (e.g. new product development) often require exposure to operational risk and it is important that the Board and senior management are cognisant of these risks and satisfied that the organization can take them.