What Is Your Firm’s Acceptable Risk?

As a consultant, I have often faced the challenge of determining what qualifies as acceptable risk. Different firms frequently pose this question to me, each time regarding different risks under varying circumstances. Frankly speaking, I always tried to avoid answering such a tricky question because, quite simply, the answer is not that straightforward.

According to the International Organization for Standardization (ISO 31000), risk is defined as “the effect of uncertainty on objectives, where an effect is a deviation from the expected. It can be positive, negative, or both, and can address, create, or result in opportunities and threats”. Traditionally, risk was viewed as an obstacle to achieving business objectives, leading to models that quantified expected, unexpected, and worst-case losses. However, in business, risk also presents opportunities. Without taking risks, there would be no potential for returns.

Generally, if a firm takes on too little risk, it may fail to capitalize on profitable opportunities, generating suboptimal returns for its shareholders and ultimately reducing its value. On the other hand, if it takes on too much risk, it may become distressed, leading to losses or defaults, which can also decrease its value. Thus, the goal of risk management is not to minimize or avoid risks but to optimize the risk/return trade-offs that outline the firm’s target risk profile and maximize its value. A firm’s Risk Profile is a snapshot of its potential risks at a specific point in time, including their likelihood, impact, and the firm’s capacity to manage them.

This brings us to the term commonly known as Risk Appetite. A firm’s risk appetite reflects its tolerance, particularly its willingness, to accept risk within its risk capacity in pursuit of its business objectives. It typically forms part of a framework that provides a clear, future-oriented perspective of a firm’s target risk profile across various scenarios and outlines a strategy for achieving that profile. It also specifies which types of risks the firm is willing or unwilling to undertake and under what conditions. In this article, we will explore its meaning and highlight some of its key principles.

UNDERSTANDING RISK APPETITE

Although the concept of risk appetite existed before the global financial crisis, the stable economic conditions at the time provided organizations with little incentive to focus on it. However, in 2009, the Senior Supervisors Group (SSG), consisting of senior financial supervisors from seven countries, shifted the conversation on risk appetite by publishing a report evaluating the effectiveness of certain prevalent risk management practices. The report underlined the failure of some boards of directors and senior managers to establish, measure, and adhere to an acceptable level of risk for their firms.

In response, the Financial Stability Board (FSB) conducted a peer review of governance practices and subsequently developed the “Principles for An Effective Risk Appetite Framework”, published in November 2013. Since then, numerous regulatory bodies worldwide have mandated or encouraged the application of this framework as part of sound organizational governance practices. In Saudi Arabia, both the Central Bank (SAMA) and the Capital Market Authority (CMA) expect organizations to determine and maintain an acceptable level of risk and ensure that the firm does not exceed this level.

A Risk Appetite Framework (RAF) should begin with a Risk Appetite Statement (RAS), which essentially serves as a mission statement from a risk management perspective. The statement should include qualitative guidelines as well as quantitative metrics and exposure limits. The dimensions in which risk can be quantitatively measured can be expressed relative to profitability, solvency, specific risk targets, liquidity, and other relevant measures as appropriate. In any case, both quantitative measures and qualitative statements must be designed in a way that enables them to translate into forward-looking risk limits and establish some form of boundaries and Key Risk Indicators (KRIs) to enable the monitoring of risks. The framework also includes the policies, processes, controls, roles and responsibilities, and systems through which the risk appetite is established, communicated, and monitored. Below are some of the key elements in a RAF.

Risk Capacity: A key element of an RAF is the identification of the firm’s risk-bearing capacity—in other words, its overall ability to absorb potential losses or accept breaches in certain constraints, beyond which the firm is not prepared to proceed in pursuit of its business objectives. For example, a firm operating in a highly regulated industry may declare it will not tolerate any unaddressed noncompliant regulatory observations. A relevant KRI could be the number of such observations not addressed within the specified regulatory timeline. Similarly, a financing institution may state: “Our firm has a minimal appetite for credit risk, and our lending activities are based on robust underwriting standards and ‘know your customer’ principles”. The KRI metric here can be the non-performing loans to total loans ratio, which should not exceed 2.5% under normal conditions and 4% under stressed conditions.

Risk Appetite: Refers to the aggregate level of risk that a firm is willing to accept within its risk capacity in pursuit of its vision and strategic objectives. A firm’s risk appetite should be closely aligned with its risk profile. Intuitively, a high risk appetite will consume a larger portion of the risk capacity, while a low risk appetite will consume a smaller portion, providing a greater safety margin and reducing the exposure of the firm’s capital and resources. For example, a firm exposed to interest rate risk and aiming to manage it within board-approved limits may state: “Our firm’s treasury has a moderate market risk appetite for interest rate fluctuations, aiming to ensure that our interest coverage ratio remains above 3x under diverse interest rate scenarios”. The KRI metric can be the percentage change in the interest coverage ratio due to a 1% parallel shift in the interest rate curve, or the coverage ratio result after a statistical stress test under a given confidence level. This can also be expressed as a profitability metric, such as ensuring that the maximum impact on income given a 1% parallel shift in rates will be below 5%.

Risk Limits (Tolerances): These are quantitative or qualitative thresholds that translate the risk appetite into tactical limits, which can be allocated to business lines, specific risk categories, concentrations, and other relevant levels. In other words, risk tolerances are the parameters within which a firm (or business unit) must operate to align with its risk appetite. It is practically possible to set risk limits for various types of risk, including strategic, financial, operational, compliance, legal, and even reputational risks. For instance, a firm might state: “We have a low risk appetite for reputational risk.” A relevant KRI could be the percentage of client complaints not resolved within 5 working days, aiming to keep it within a tolerable level.

Risk tolerance levels are set to ensure risk-taking remains within the risk appetite. These levels can be determined by evaluating their impact on business goals or through a variety of other methods. These include leveraging board and management insights, setting percentages of earnings or capital, complying with regulatory standards or industry norms, addressing stakeholder expectations, and employing data-driven techniques such as statistical analysis (e.g., 95% confidence level derived from historical trends) or model-based approaches like economic capital assessments, scenario analysis, and stress testing.
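As an added illustration (not code from the article or from any regulator), the following computes the KRIs used in the examples above and checks them against the stated normal and stressed tolerances: the non-performing loan ratio (2.5% normal, 4% stressed), the interest coverage ratio (above 3x after a 1% parallel rate shift) and the income impact of that shift (below 5%). The loan book, EBIT and debt figures are constructed, the 90-days-past-due NPL definition and the assumption that only floating-rate debt reprices are mine, and rates are handled in basis points to keep the arithmetic exact.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tolerance:
    """A KRI limit under normal and stressed conditions."""
    name: str
    normal: float
    stressed: float
    higher_is_worse: bool  # True for loss-type KRIs, False for coverage-type KRIs

# Tolerances taken from the article's illustrative appetite statements.
TOLERANCES = {
    "npl_ratio": Tolerance("Non-performing loans / total loans", 0.025, 0.04, True),
    "interest_coverage": Tolerance("Interest coverage ratio", 3.0, 3.0, False),
    "income_impact": Tolerance("Income impact of +1% parallel rate shift", 0.05, 0.05, True),
}

def npl_ratio(loans):
    """loans: list of (balance, days_past_due); a loan is NPL at 90+ days (assumption)."""
    total = sum(bal for bal, _ in loans)
    npl = sum(bal for bal, dpd in loans if dpd >= 90)
    return npl / total if total else 0.0

def interest_coverage(ebit, floating_debt, rate_bp, shift_bp=0):
    """EBIT / interest expense after a parallel shift of the curve, in basis points.
    Assumes EBIT is unchanged and only floating-rate debt reprices."""
    return ebit / (floating_debt * (rate_bp + shift_bp) / 10_000)

def income_impact(ebit, floating_debt, rate_bp, shift_bp=100):
    """Fraction of pre-tax income lost under the shift (positive = loss)."""
    base = ebit - floating_debt * rate_bp / 10_000
    shocked = ebit - floating_debt * (rate_bp + shift_bp) / 10_000
    return (base - shocked) / base

def evaluate(kris, stressed=False):
    """Map each KRI to 'within' or 'BREACH' against its normal or stressed limit."""
    result = {}
    for key, value in kris.items():
        tol = TOLERANCES[key]
        limit = tol.stressed if stressed else tol.normal
        breached = value > limit if tol.higher_is_worse else value < limit
        result[key] = "BREACH" if breached else "within"
    return result

def run_example():
    """Constructed sample: loan book of 100 with 3 at 90+ days past due;
    EBIT of 300 financed by 2,000 of floating-rate debt at 4.00%."""
    loans = [(60, 0), (37, 45), (3, 95)]
    kris = {
        "npl_ratio": npl_ratio(loans),                               # 0.03
        "interest_coverage": interest_coverage(300, 2000, 400, 100),  # 3.0
        "income_impact": income_impact(300, 2000, 400),              # ~0.091
    }
    return kris, evaluate(kris), evaluate(kris, stressed=True)
```

In this sample the coverage-ratio KRI stays exactly at its 3x floor while the profitability expression of the same appetite (income impact 9.1%) is breached, which is why the article suggests choosing the metric that matches how the appetite was stated.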

WHERE TO BEGIN

The development and implementation of an effective RAF is an iterative and evolving process that necessitates continuous dialogue throughout the firm to secure buy-in across the organization. To support this, the RAS should be straightforward to communicate and easily understood by all stakeholders, directly connected to the firm’s strategy, and address the firm’s significant risks under both normal and stressed market conditions.

Connecting the firm’s risk appetite with its strategy is easier said than done. However, a failure to do so results in an ineffective process where risk and business planning operate in silos. There are various approaches to establish this connection and align business strategy with risk management to balance business performance and risk-control requirements. One way to achieve this is by understanding the risks that can drive performance variability in business objectives. Business performance can be measured through Key Performance Indicators (KPIs) and the associated risks by the relevant KRIs. The result would be a set of KPIs and KRIs with their performance targets and risk tolerances, ensuring a comprehensive alignment between risk management and business objectives.

Another way is by embedding risk assessments and risk/return analysis into strategic, business, and operational decisions, such as introducing risk-adjusted returns and risk-based pricing. The rationale is that the firm will not accept risk unless it is well compensated. These methods incorporate not only the cost of production but also the cost of risk (expected and unexpected losses, hedging, insurance). By fully understanding its own risk, a firm can adjust pricing and optimize the risk/return trade-off.

Establishing an effective RAF is a collaborative effort across departments and divisions of the firm, where communicating the business and risk management benefits of adopting it is crucial. Typically, such an endeavor would be spearheaded by the firm’s executive management, often in the form of the CRO or CFO. Setting the tone at the top is essential for ensuring the message is effectively conveyed. This process involves the firm’s risk owners (business units) and the risk management unit participating in a series of workshops to develop and refine the RAS. Once a prototype is formed and approved by senior management, the board and/or its risk sub-committee with the support of internal audit plays a critical oversight role. Ultimately, the board must discuss, challenge, and approve the framework in the context of the overall firm strategy.

Under the framework, it is critically important to report and monitor key risk exposures. This can be achieved through risk dashboard reporting processes that produce consistent reports at various levels of the firm. Ensuring that the metrics used to monitor risk are appropriate for the intended users of the information is essential. Typically, the level of detail increases as one goes down the hierarchy, with the board receiving high-level metrics that represent the firm’s key risks. It is vital for the RAS to be a dynamic document, responsive to significant changes in the business environment, and subject to formal reviews at least annually. Although the primary goal of such a framework is to establish limits on risk, it also enhances decision-making, improves risk transparency, and aligns risk-taking with strategic objectives. This makes it a valuable investment, capable of increasing the firm’s value.
