English (UK) 
English (United States) 
English (Australia) 
Determining the risk appetite for any business is critical for organisational success.
By the simple act of being in business, organisations automatically expose themselves to a myriad of risks. But what are the residual risks you are prepared to tolerate? What are the calculated risks that you want to take in order to grow the business? And more importantly which risks could be detrimental to the business and must be mitigated at all costs?
This International Women’s Day 2022, we got the opportunity to discuss risk appetite with a formidable and engaging panel of female enterprise risk leaders. They discussed the importance of risk appetite statements, KPIs and risk tolerances and explored how to build a well-defined risk appetite, that connects business strategy, target setting and risk management.
We also got the chance to find out how they structured their risk management frameworks to ensure their organisations are operating within the defined thresholds, while still allowing for ‘calculated risk-taking’ in scenarios where the opportunity outweighs the risk.
This blog shares some key highlights uncovered in the panel discussion.
Christy Kaufman
Global Risk Management Leader
Zillow
Christy began by drawing the distinction between risk appetite and risk tolerance. She shared “When I think about risk appetite, it’s about the overall amount of risk an organisation is willing to take in pursuit of its objectives. And when I think about risk tolerance, I think more specifically about the amount of risk we are willing to take for a specific risk in a specific context’’. Christy notes that she “Finds more value in the risk tolerance aspect of the equation” as it “gives specific guidance to our business partners on how much risk we are willing to take in the situation that they’re in at that particular moment.”
We asked Christy about the importance of appetite statements, have they been changed by the pandemic, and if her organisation’s approach to risk appetite has evolved at all. She had this to say, ‘’I think the importance has remained the same, however the issues, that we’re applying them to are different, for example business interruption and disaster recovery are getting much more attention’’. Christy believes that “The fundamentals of why risk appetite is important are still true”. She added ‘’I’m a very practical person, and a lot of it comes down to resource planning. She noted that “The value is – when you know your risk appetite, you can plan how much energy, effort, and money you want to apply to address a particular risk”.
Christy also added risk appetite and tolerances are “Great as an early warning system, when a risk starts to exceed our comfort zone’’. If you are using your risk appetite well, using a proper framework, you should be able to use the data to make informed decisions based on the amount of risk you are willing to take, and plan resourcing and budgets accordingly.
Christy noted that “There is a cultural challenge in some organisations around admitting that you are willing to accept any level of risk”. As it “Feels like you are not doing your best”. She noted that businesses need to understand that it is “Not about performance” but about adequate planning of resources and money to mitigate the most critical risks. She added ‘It is about the willingness to accept some level of risk in the spirit of resource allocation”.
Christy highlighted the importance of considering “Risk vs Return”. She compared the scenario to “Investing in stocks or bonds” where you evaluate the risk compared to how much money you will make. She added, “Business leaders need to understand what they will gain or lose, so it is important that both pieces are represented”.
Christy went on to describe how she builds a risk appetite statement that considers both business strategy, and targets. She shared details of the defined process they use. First, they ask, “What is the objective within the strategic plan?’’. Then they look at “What are the things that could put the achievement of that objective at risk?”. Then for each of those risks, they “Do a root cause analysis to get at, what the real drivers that could cause that risk to materialise”. Then for each of those root causes they ask, “What are the leading indicators?”. She added, “These indicators then allow us to identify the root causes about to occur, or which are occurring, out of our comfort zone. Once we have the Key Risk Indicators, we work with business owners cross functionally to develop tolerance bands around those indicators”. She noted that “It is a sequential process directly tied to the strategy” that “needs to be monitored over time”.
Finally, in honour of International Women’s Day, we asked Christy what her personal appetite for risk is, in respect to managing her career. She had this to say, “I believe that a lot of risk principles we apply in business, can be used to manage our careers. It’s all about calculated risk-taking versus reward, because every time that I have pushed myself to take a risk, it’s paid off!”
Dafni LeFlore
ERM Manager
Norfolk Southern Corporation
Dafni started out by highlighting that “We take risks in order to grow”, and this is certainly true when it comes to business. A risk appetite should certainly offer the flexibility to enable calculated risk taking. She added that businesses “Must be adaptable to evolving conditions when it comes to decision making”, and highlighted that “Risk should be at the heart of all decision making, and it should focus on successful implementation of your strategy”. Your risk appetite should certainly be built around your strategic goals, as there are likely to be some areas where you are willing to accept a certain level of risk to grow the business.
Dafni believes “Risk appetite adds stewardship around risk in a conscious and meaningful way.” She added “It’s a mission statement, like your company’s code of conduct, it sets an expectation relative to our risk-taking behaviour when carrying out day to day business”.
Dafni believes “Risk appetite statements are like guardrails, and risk tolerance statements are like street edge markers. Both guide you towards making conscious and well-informed business decisions”. She noted that “Deviating requires you to consider controls”. She added “Risk appetite does not stop you from taking a particular course, it just requires you to do so in a responsible way, it just requires flexibility”. This is great advice for businesses who may feel too bound by their risk appetite statement. You do have the option to operate outside of your risk tolerance, but you should do so in an informed safe way, with the relevant controls in place.
Dafni believes that ‘”ERM in the grand scheme of things is still a relatively new area”. She highlighted the importance of “Socialising ERM throughout the organisation”. She quipped “All employees are risk managers, but all employees don’t know how to be risk managers!”. She also pointed out that it is important “For everyone to be involved in the risk appetite setting process, it’s important for them to know and understand the business objectives and strategic plan”.
We asked Dafni if she thought a business can be too careful and bound by its risk appetite, and become overly cautious to try new things? Dafni understands that it can be ‘Difficult for organisations not to feel boxed in” when it comes to risk appetite. She has experienced some companies where they ‘Feel that they cannot make certain decisions because of the risk appetite statement”, but this was largely because “They were not able to see how those risk appetite statements connected to their strategy”. But she did add that “If you have a risk appetite statement that doesn’t address future business objectives, she wouldn’t be too quick to change it, because that is like moving the goal posts so you can score!” But she would advise that you “Make an effort to connect the dots between risk appetite and strategy” and if they are not aligned, you may want to consider altering your statement to reflect the business goals.
Dafni highlighted the importance of data in the risk world, she added “Data creates an avenue for each business owner to tell their story, leaders can then work together to understand how that story fits together”, this will enable the business to understand how the actions of individual departments will affect the bigger picture.
Dafni spoke about the situation when “One risk appetite, conflicts with another”. She shared “I think it’s good, because it supports the fact that dialogue can be had”. She recommends that teams use a “Risk appetite gap identification tool” in order to determine how restrictive their risk appetite is. She added “The tool will help you identify deviations between expected risk behaviour, and actual risk behaviour”. This way, “You aren’t overreaching your strategic objectives, but you’re not overexposing yourself to losses”.
Dafni had this to say about what her personal appetite for risk is, when it comes to managing her career. “For me, career risks have been about being intentional, and branding myself in the IRM space, specifically at my company”. She added “Sociallising ERM and ‘getting buy-in’ is a matter of my company’s perception of me. It’s been risky but there has been a lot of rewards associated with that including learning more and moving our programme ahead in a positive way”.
Merline Denis Barrington
Enterprise Risk Management
The Port Authority of New York & New Jersey
In terms of the relevance of risk appetite statements and tolerances, Merline felt that it is “Really important for an organisation to understand its philosophy on risk, as well as opportunity, and to engage the board on concurrence for desired risk appetite”. She pointed out that it was “Equally important for that posture to be cascaded down throughout the organisation in a way that can inform the decisions that managers and decision-makers face daily”.
When quizzed about the pros of using a risk appetite statement or tolerance, she noted that organisations should definitely “Communicate their business intent in a well-articulated mission, vision, values, or a priority statement, or in a strategic framework, similar to what they have done at The Port Authority. She pointed out that “The true challenge is, translating that broad strategic guiding statement into measures and tolerances that can be used when making daily trade off decisions”. This really demonstrates that while a risk appetite statement adds value, it is imperative to set up a strategic framework for risk to make well informed business decisions that may require you to take a controlled step outside of your stated risk tolerance.
When asked about how she works cross functionally to set her risk appetite and define her risk tolerance, Merline revealed that “The way you engage stakeholder groups has to be relevant to the output you are seeking”. She believes the best way to engage the board is to run “workshops” and ask the board specific questions, she added, “This is where trade-offs can typically be shown. Whereas, when you talk to lower levels of the organisation who are at the forefront of decisions, you want to assess the current risk appetite. Then you’ll have 2 perspectives of the organisation, one where leadership wants to go in terms of risk, and one where the organisation is, in terms of its response and attitude and towards risk”.
Merline added this approach will “Definitely highlight the areas, that are important to measure and track via targets and tolerances. I also suggest leveraging workshops, surveys and tools to engage dialogue and insight”.
Merline highlighted the importance of leveraging an “Emerging risk framework to bring into focus uncertainties, that may become opportunities, or risks”. She suggested “Using these insights in the strategy setting phase”. Getting visibility as early as possible will help businesses to remain agile, and mitigate risks before they become critical, or take advantage of upcoming opportunities.
When it comes to managing her career, Merline recognised that she is a “calculated risk-taker”, while paying homage to her unshakable confidence in her learning ability, and core competencies. That has allowed her to be successful in the field without a formal background in ERM. She added “I understood my bands of tolerance, of what I could and wouldn’t accept in a role. Staying true to my core beliefs has given me the confidence to take the risks within my ‘risk appetite’” and this has helped her to build a successful career in the ERM space.
Tamika Puckett
Corporate Risk
Willis Tower Watson
Tamika shared the view that ‘’Ultimately, risk appetite is a critical tool for effective decision making. It’s tied to the organisation’s business objectives, and certain metrics are defined and monitored in order to ensure compliance within those parameters”. Tamika thinks of risk appetite like a “Matrix”, she added, “You have different levels of appetite and tolerance depending on the function that you are assessing”. It is certainly true that not all risks are equal, and risks must be rated according to their severity and likelihood to get an overall view of your risk appetite.
Tamika noted that she witnesses more businesses ‘Utilising ERM principles such as ‘Risk Appetite’ and tolerance more strategically all the way up to the board level”. She thinks “Organisations are starting to realise the strategic benefit of recognising and anticipating the impacts of risk, but also using that same methodology to identify areas of opportunity”. It is certainly true that taking some calculated risk can certainly open up opportunities for businesses to grow. Risk management is essentially looking at what might happen, and we must remember that some decisions will lead to opportunity, not all risk should be mitigated. The key is to have access to data to help you make those decisions in an informed, safe way.
Tamika had this to say about the importance of working cross-functionally to set an organisation’s risk appetite and define an organisation’s risk tolerance. She believes that establishing risk appetite and risk tolerance “Should be done at the board level” as part of ERM. She added, “Only board members can make a determination of the amount of risk they are willing to accept in any pillar of the organisation. She added that businesses must share information across departments to “Consider those cross functional impacts of various risks, and that’s why ‘Risk’ absolutely has to be a cross-team function”.
Tamika advised to ‘Not only discuss a risk that arises in a pillar of the organisation with that particular owner, but also discussing that risk with the other pillars of the organisation”. She added that “Departments can be very task orientated and biassed and they may not look outside the boundaries of their department”. She quipped “What happens if I turn the light off in the next room?” Businesses should work to share risk information and fully understand the impact of risk on other departments.
Personally, Tamika noted that she has a strong appetite for taking risks when it comes to her professional career, and she has been known as the ‘Queen of Risk Taking!”. She added, “I love trying new things and being exposed to challenges and new environments, which pushes me to learn and grow”.
It was fantastic to hear from these accomplished risk leaders. It is clear from our discussion that a well-defined and thought-out risk appetite that links strategic goals with defined tolerance levels, encourages organisations to take measured risks and seize the right opportunities to generate value, and avoid intolerable losses. The panellists highlighted the importance of aligning stakeholders, encouraging the entire organisation to understand risk, discussing and acting on excessive levels of risks that could lead to adverse consequences, and more importantly to utilise available risk intelligence for value creation in a more efficient way.
To hear more from these inspirational female leaders in risk, we invite you to listen to our full on-demand webinar – Let’s Talk Risk Appetite
On the live session of this webinar, we were inundated with questions from the audience who were keen to get even more insights from our accomplished panel. Although we ran out of time in the live session, we recently had the opportunity to sit down virtually once again with our panel of female risk leaders and get those all-important answers to your questions. Check out this Q&A session where they answered your real-life questions relating to risk appetite statements, risk tolerance, KPI’s and metrics.
Risk Management
Compliance & Policy Management
Incident & Event Reporting
Environmental, Social & Governance (ESG)
Workplace Health & Safety
Cyber & IT Risk Management
Third-Party Risk Management
Audit Management
BCM & Operational Resilience
Registers & Workflows
About
Leadership
Our Partner Network
Careers
Security & Hosting
News & Events
Blog
Ebooks & Reports
Webinars
Content Collections
Customer Events
