Risk appetite is an area that attracts diverse views among operational risk practitioners. Depending on the sector, scale and risk profile of an organisation, operational risk appetite frameworks range in complexity and scope. Differences also exist in terminology, with some practitioners preferring the term tolerance over appetite when referring to operational risks. For these reasons, the following paper does not recommend a one-size-fits-all solution. Rather, it outlines a variety of good practices, from which may be drawn a collection of appropriate, relevant, and proportionate ideas.
Fundamentally, risk appetite, whatever the risk in focus, is about decision making. Every action or decision within an organisation involves an element of risk. The organisation must, therefore, be able to distinguish between risks that are likely to result in value-creating outcomes (e.g. profit, reputation, improved services, etc.) and those that may destroy value. By determining an appropriate appetite for risk and implementing a framework to ensure that this appetite is maintained, organisations can ensure that decision-makers do not expose them to either too much, or too little, risk.
Whilst the focus of this paper is on operational risk, the IOR would expect that an organisation’s appetite for operational risk is part of a broader, enterprise-wide appetite for risk. Operational risk is important to all organisations and the Board and senior management must be engaged in its management. Effective governance and compliance require the management of risks which are typically operational (e.g. fraud, health and safety and conduct-related risks). Also, strategic decisions (e.g. new product development) often require exposure to operational risk and it is important that the Board and senior management are cognisant of these risks and satisfied that the organisation can take them.