Once the risks have been analyzed, it will be necessary to decide how to respond to them. Risk evaluation is the point in risk assessment where a decision must be taken on whether or not to respond to a risk. A risk has to cross a certain threshold before the organization responds to it, and this threshold is known as the risk appetite. Risk appetite is the amount and type of risk that an organization is willing to take on to achieve its goals and objectives. It represents the organization’s tolerance for risk in pursuit of its mission, whether in terms of financial risks, operational challenges, reputational risks, or other types. Risk appetite is typically defined by senior leadership and is influenced by factors like organizational culture, stakeholder expectations, regulatory requirements, and the nature of the organization’s industry.
Risk response is the process of developing strategies and actions to manage identified risks effectively. It involves deciding how to handle each risk based on its potential impact and likelihood. The goal of a risk response is to minimize the negative effects of risks or maximize the benefits of opportunities. There are typically four main risk response strategies, often called the “4 Ts” for threats and the “4 Es” for opportunities:
4 Ts:
- Transfer: Shifting the risk to another party. This might include buying insurance, outsourcing certain activities, or entering into contracts that assign responsibility to others.
- Treat (Mitigate): Reducing the likelihood or impact of the risk. This involves taking action to lessen the risk, such as improving controls, implementing safety measures, or enhancing employee training.
- Terminate (Avoid): Eliminating the risk by not engaging in the activity that introduces it. If a risk is too great, an organization might choose to avoid it altogether by changing its strategy, choosing a different approach, or abandoning certain projects.
- Tolerate (Accept): Accepting the risk without taking further action. This is often chosen when the risk is low or when the cost of other responses outweighs the potential impact of the risk.

The risk matrix figure suggests that in each of the four quadrants of the matrix, one of the 4Ts will be dominant, as follows:
- Tolerate will be the dominant response for low-likelihood/low-impact risks.
- Treat will be the dominant response for high-likelihood/low-impact risks.
- Transfer will be the dominant response for high-impact/low-likelihood risks.
- Terminate will be the dominant response for high-impact/high-likelihood risks.
It’s important to understand that the responses shown in each area of the risk matrix are just the main or most likely approach, but sometimes a different or additional response might be needed. For example, if there are high-impact and high-likelihood risks involved in essential activities, the organization might not be able to avoid these risks. In such cases, it may not be possible to “terminate” the risk. One challenge with a simple risk matrix that shows the 4Ts (tolerate, transfer, treat, terminate) is that a slight change in a risk’s impact or likelihood could move it from one response category to another, like from “terminate” to “tolerate.” Some organizations might be forced to keep a risk that goes beyond their risk tolerance or even their capacity, as with firefighters who face critical risks that can only be tolerated, even after applying all possible safety measures. When an organization has no choice but to tolerate high-level risks, they typically increase monitoring to quickly introduce better controls as soon as they are available.
4 Es:
- Explore: Seek out and investigate potential opportunities that align with the organization’s goals. This involves scanning the environment, researching emerging trends, and identifying areas with growth potential.
- Expand: Once an opportunity is identified, consider ways to broaden or enhance it, possibly by developing complementary services, targeting new customer segments, or adding resources to grow the opportunity.
- Exploit: Fully utilize the opportunity to capture as much benefit as possible. This means implementing actions that will maximize the opportunity’s positive impact, such as increasing investment, scaling production, or accelerating market entry.
- Exit: Evaluate when an opportunity is no longer viable or advantageous, and plan for a structured exit. This can help limit costs or risks associated with diminishing returns and refocus efforts on more promising opportunities.

The 4T of hazard response
The organization should aim to implement efficient controls to minimize compliance risks, with the benchmark for significance set to reflect a meaningful impact level. After identifying priority significant risks, the organization should review current controls and decide if further actions are needed. For hazard risks, the range of responses is often referred to as the 4Ts (Tolerate, Transfer, Treat, and Terminate). There are various terms for risk response options. British Standard BS 31100 and ISO 31000, for instance, use the term “risk treatment” as a broad description. The British Standard defines it as the “process of developing, selecting and implementing controls,” while ISO 31000 describes it as the “development and implementation of measures to modify risk.” This text uses the Orange Book terminology for the risk response phase, identifying the options as the 4Ts.

Each of the 4Ts is the primary response for one region of the risk matrix. For risks that are low likelihood and low impact, the main response is to tolerate them. For risks with a high likelihood but low impact, the response is usually to treat them. For risks that have a low likelihood but high impact, the typical response is to transfer them. And for risks with both high likelihood and high impact, the primary response is to terminate them.
- Tolerate (Accept/retain): The exposure may be tolerable without any further action being taken. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.
- Treat (Control /reduce): By far the greater number of risks will be addressed in this way. The purpose of treatment is that, whilst continuing within the organization with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.
- Transfer (Insurance/contract): For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.
- Terminate (Avoid/eliminate): Some risks will only be treatable, or containable to acceptable levels, by terminating the activity.
Examples of key dependencies and the significant risks attached to them, for the Financial, Infrastructure, Reputational and Marketplace categories:
1. Financial
- Availability of funds – Insufficient funds available from the parent company
- Correct allocation of funds – Inadequate profit because of incorrect capital expenditure decisions
- Internal control – Fraud occurs because of inadequate internal controls
- Liabilities under control – Higher than expected liabilities arise in the pension fund
2. Infrastructure
- People – Failure to achieve/maintain health and safety standards
- Premises – Damage to key location caused by insured peril
- Processes – IT control systems not available because of virus or hacker activity
- Products – Disruption because of failure of the supplier
3. Reputational
- Brand – Product recall causes damage to product image and brand
- Public opinion – Lost sales or revenue because of change in public tastes
- Regulators – Regulator enforcement action causes loss of public confidence
- CSR – Allegations of unethical product sourcing cause loss of sales
4. Marketplace
- Regulatory environment – Change in tax regime results in unbudgeted tax demands
- Economic health – Decline in world or national economy reduces consumer spending
- Product development – Changes in technology reduce product appeal and sales
- Competitor behavior – Competitor substantially reduces prices to win market share
The table above shows examples of key risks linked to the FIRM risk scorecard. By assessing each risk, the organization can map it on a risk matrix. This position on the matrix will suggest the best response for managing that risk. If the risk assessment is based on the current level of risk, it means the impact of existing controls has already been taken into account as part of the assessment.

Here are examples of each of the 4Ts (Tolerate, Treat, Transfer, Terminate) as responses to production loss risk in an oil and gas company. Each of these approaches helps manage the potential production loss in a way aligned with the company’s risk tolerance and objectives.
- Tolerate: The company may decide to tolerate minor production losses due to regular equipment maintenance. Since these losses are expected, low impact, and cannot be entirely avoided, the company accepts them as part of routine operations.
- Treat: To minimize production loss, the company could improve maintenance protocols, upgrade equipment, or introduce predictive maintenance technology to identify potential issues early. This treatment reduces the risk of unexpected breakdowns causing significant production downtime.
- Transfer: The company might transfer some of the financial impact of production loss by purchasing business interruption insurance. This way, if production is interrupted due to an unforeseen event (e.g., equipment failure), the insurance will cover a portion of the financial loss.
- Terminate: For a high-impact risk, such as a production stoppage caused by a location vulnerable to severe weather events, the company might decide to terminate this risk by relocating production to a safer, more stable area. This eliminates the risk of production loss due to extreme weather in that location.
Tolerate risk
Tolerating risk means deciding to accept a risk without taking any further action to reduce it. This approach is usually chosen when:
- The risk level is low, and any potential negative impact is minor.
- The cost or effort required to reduce the risk outweighs the benefits of doing so.
- There are already sufficient controls in place, and the organization believes the risk is manageable.
In cases of tolerating a risk, the organization might monitor the risk closely to ensure it remains acceptable, but it won’t actively work to eliminate or reduce it. This approach allows resources to be focused on more significant risks that need attention. Risk tolerance is how much risk an organization or its stakeholders are willing to accept after managing risks, to reach their goals. This tolerance can be affected by legal or regulatory demands, meaning that sometimes organizations must accept certain risks due to these rules, even if they’d rather not. Tolerance applies to specific risks, while “risk appetite” is the broader level of risk an organization is generally willing to take. The terms “tolerating risk” and “risk tolerance” can sometimes be confusing. To “tolerate” a risk means being willing to keep a risk, even if it’s higher than what the organization would ideally accept. On the other hand, “risk tolerance” is often used to describe the acceptable range of risk. An organization may need to tolerate risks that are above its comfort level or even beyond its capacity, but this is usually temporary, as it makes the organization more vulnerable. When a risk fits within the organization’s appetite, it becomes more tolerable. Generally, organizations will accept low-probability risks with low impact, or even higher risks if they are tied to profitable activities or core processes. Usually, hazard risks aren’t accepted until all reasonable controls are in place, which makes the risk tolerable at its current level. Controls aim to lower the risk’s likelihood and impact. Sometimes, organizations balance one risk with another, such as through risk hedging or partnerships. For example, an electricity company operating in the northern U.S. might partner with a company in the south. This partnership would balance the risk of seasonal demand changes, allowing each company to benefit from steady sales across different climates and seasons.
Treat Risk
Treating risk means taking steps to manage or reduce it to an acceptable level. This can include actions like implementing safety measures, creating contingency plans, improving processes, or using insurance. The goal of risk treatment is to minimize the likelihood or impact of potential risks, so they are less harmful to the organization. Risk treatment is part of the larger risk management process, and it usually involves deciding whether to avoid, reduce, transfer, or accept the risk based on the organization’s risk tolerance and objectives. When the likelihood of a risk happening is high, but the potential damage is low, the organization will want to manage or treat the risk. Risk treatment usually happens with the current risk level in mind, so that once the treatment is applied, the new risk level may become acceptable. Risk management actions are always being reviewed. For example, wearing a seatbelt while driving or installing a security alarm in a home are ways of reducing risk. In terms of physical risks, improvements like adding sprinklers to buildings, upgrading security, or vetting employees are examples of actions to better manage risks. When choosing the right way to treat a risk, the organization must consider how the treatment affects the likelihood of the risk happening and what the impact would be if it does happen. Cost-effective solutions should be chosen, and their effect can be shown on a risk matrix. The term “treat risk” can be understood in different ways. ISO 31000 sees “treating risk” as the main category, with several options, such as:
- Avoiding the risk by not starting or continuing the activity
- Taking on more risk to pursue an opportunity
- Removing the risk source
- Changing the likelihood or impact of the risk
- Sharing the risk with others
- Accepting the risk by making an informed decision
Other risk management standards use the term “risk response” instead of “treat risk,” and this chapter follows that approach, which includes options like tolerating, treating, transferring, or terminating the risk. The organization should define its own risk-related terms, making sure they are consistent with its internal and external context. In some cases, external rules may dictate the terminology, such as for banks and financial institutions. If an organization already has its own terminology, it’s usually better to stick with that, rather than introducing new terms that might not match existing practices.
Transfer Risk
Transferring risk involves shifting the potential impact of a risk to a third party, so the organization is less affected if the risk occurs. Common ways to transfer risk include purchasing insurance, outsourcing certain activities, or creating contracts that pass responsibility to another entity. For example, an organization might buy insurance to cover potential financial losses from property damage, or it might outsource certain operations to another company that specializes in managing specific risks. Transferring risk doesn’t eliminate it, but it reduces the burden on the organization by sharing or moving the risk elsewhere. When the likelihood of a risk happening is low but the potential damage is high, the organization may want to transfer the risk. A common way to do this is through insurance, which helps cover the financial loss caused by risks. In some cases, transferring the risk is closely tied to the goal of completely eliminating or ending the risk. However, some risks can’t be transferred to insurance because the premiums are too expensive or the risks aren’t insurable. Risk transfer can also be done through contracts or by finding a partner to share the risk, like in a joint venture. Risk hedging or neutralizing can also be considered as ways to transfer risk, as well as treat it. The cost of transferring risk is part of risk financing, which involves setting aside funds to cover the financial impact if the risk happens. This is usually done through insurance. Risk financing covers the cost of making financial arrangements in case a risk occurs. The cost includes funds needed for treating the risk. ISO 31000 suggests that risk sharing should be preferred over risk transfer because no risk can be fully transferred, no matter the intention.
Terminate Risk
Terminal risk refers to a risk so severe or critical that, if it materializes, it could result in the failure or collapse of an organization, project, or system. It represents the type of risk that poses an existential threat, leaving no room for recovery or continuity.
Examples of terminal risks include:
- Bankruptcy due to unsustainable financial losses.
- Reputational damage so significant that it leads to the loss of all stakeholder trust.
- Regulatory violations that result in the closure of operations.
- Catastrophic system failures in critical industries like healthcare or transportation.
Organizations typically aim to eliminate terminal risks through preventive actions, contingency planning, or by avoiding the risky activity altogether. If the risk cannot be eliminated, significant control measures are implemented to minimize its impact as much as possible.

When a risk is both very likely to happen and could cause serious harm, the organization will aim to eliminate it. For example, risks from trading in certain regions or using harmful chemicals might be considered unacceptable by the organization or its stakeholders. In such cases, the organization might stop the risky activity, find a safer alternative, or outsource it to reduce the risk.

However, there are times when the activity causing the risk is essential for the organization’s operations. In these situations, it might not be possible to completely eliminate the risk. Instead, the organization will need to put in place other measures to manage it. This challenge is common in public services, where certain activities must continue because they are legally required. Even if the risks are high, public service organizations may not have the option to stop the activity. Instead, they must find cost-effective ways to control the risks. These controls often involve a mix of risk treatment and risk transfer. As the controls are applied, the risk level can be reduced to a point where it becomes manageable. However, not all risks can be reduced to within the organization’s comfort zone. In some cases, the organization may need to accept risks that exceed its usual limits to keep essential activities running.
Strategic risk response
Strategic risk response is the process of managing risks that could significantly impact an organization’s long-term goals, competitive position, or overall strategy. It involves making deliberate decisions on how to handle risks in a way that aligns with the organization’s objectives, risk appetite, and resources. Strategic risk responses aim to address risks at a high level, often focusing on opportunities and threats that arise from market changes, regulatory shifts, technological advancements, or other external factors. Types of Strategic Risk Responses:
- Avoid the Risk: Stop or avoid activities that expose the organization to unacceptable risks. Example: Exiting a market with unstable political conditions.
- Accept the Risk: Decide to proceed with an activity despite the risk, often because the potential rewards outweigh the risk. Example: Expanding into a new market despite uncertainty.
- Mitigate the Risk: Take actions to reduce the likelihood or impact of the risk. Example: Diversifying suppliers to reduce dependency on a single source.
- Transfer the Risk: Shift the financial or operational burden of the risk to another party, such as through insurance or partnerships. Example: Using insurance to cover potential losses.
- Exploit Opportunities: Treat some risks as opportunities, leveraging them to gain a competitive advantage. Example: Investing in innovative technology that competitors hesitate to adopt.
Strategic risk response is critical for ensuring that risks are managed proactively, enabling the organization to remain resilient and adaptable while pursuing its goals. Managing control and opportunity risks is similar to managing hazard risks, but there are some key differences in the options available. These differences are important enough to be explained separately. It’s also helpful to remember that projects are usually the actions taken to implement a broader strategy. The “4Ts” framework (Tolerate, Treat, Transfer, Terminate) is commonly used for managing hazard risks, with specific controls linked to each approach. On the other hand, the “4Es” framework (Exist, Explore, Exploit, Exit) outlines responses for managing opportunity risks. To develop and execute an effective strategy, an organization must assess both the risks and the potential rewards of each option. The 4Es relate closely to the organization’s stage of development:
- Exist: The organization establishes itself in the market.
- Explore: Entrepreneurial opportunities are pursued, but risks and rewards remain high.
- Exploit: During growth, the organization achieves higher rewards while reducing risk, aiming to maximize gains until competition increases.
- Exit: If growth slows or risks remain too high, the organization may choose to leave certain operations.
In the mature phase, the organization continues to exploit opportunities, balancing lower risks with steady but reduced rewards. Over time, mature operations may decline, but some organizations choose to remain in these markets because both risks and rewards are low.

The use of the 4Es (Exist, Explore, Exploit, Exit) to manage strategic, opportunity, or speculative risks aligns with the relationship between risk and reward shown in Figure 3. For many organizations, focusing on opportunity risks and setting strategic goals are top priorities. However, the input of risk management into strategic decisions is often less structured and thorough compared to its role in operations and projects. In Figure 2, the main responses and controls for each quadrant are similar to how the 4Ts are used in hazard risk management. For example:
- Operating in a mature or declining market (Exist) is like accepting uncertainty and tolerating hazard risks.
- Exploring new opportunities (Explore) is similar to finding ways to treat hazard risks.
The key differences emerge when managing opportunities during the Exploit and Exit stages, compared to managing hazards and uncertainties. Figure 4 refines Figure 2 by analyzing the high-risk, high-reward zone in more detail, considering the associated risks more carefully.

Exiting an opportunity might be the right choice if the organization lacks the appetite, capacity, or resources to pursue it and can’t or won’t find a partner to share or buy into it. Still, most organizations with a promising opportunity aim to benefit from it in some way. Selling the opportunity can provide a profitable way out, but partnering in a joint venture might be a better long-term option. A joint venture reduces the organization’s risk but also means sharing the rewards. The decision depends on the organization’s strategy, risk appetite, capacity, and the availability of suitable partners. Beyond joint ventures, organizations can share risks through outsourcing, distributing some risk to others in the supply chain. Figure 4 outlines a flow from exploring opportunities (start-up), to expanding (growth), to exploiting opportunities (maturity), and eventually existing in a declining phase. While similar to Figure 3, Figure 4 adds an option to exit during the growth phase if pursuing the opportunity exceeds the organization’s risk appetite or capacity. This approach adjusts the 4Es framework to a “5Es” model, reflecting this added flexibility. An example of this extended approach is shown, although it uses slightly different terminology, as is common in risk management.
Opportunity evaluation and response: The goal of evaluation and response is to determine which opportunities need action and decide on the best way to respond. Here are the main strategies to consider, which can be used individually or together:
- Enhance: Similar to mitigating a risk, this involves increasing the likelihood or impact of an opportunity to make it more beneficial.
- Exploit: Like avoiding a risk, this approach ensures the opportunity is fully realized.
- Ignore: Similar to accepting a risk, this means taking no specific action and letting the opportunity play out naturally, reacting only if needed.
- Share: This involves partnering with someone who can better manage or maximize the opportunity, increasing the chance of success.
Risk appetite
Risk appetite refers to the amount and type of risk an organization is willing to accept or take on in pursuit of its goals and objectives. It reflects the organization’s tolerance for uncertainty and potential negative outcomes, balanced against the potential rewards of its actions or decisions. ISO Guide 73 defines risk appetite as “the amount and type of risk that an organization is willing to pursue or retain”. The Orange Book defines it as “the amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time”. The CIIA defines it as “the level of risk that is acceptable to the board or management. This may be set in relation to the organization as a whole, for different groups of risks or at an individual risk level”. The IIR describes risk appetite as the amount of risk that an organization is willing to seek or accept in the pursuit of long-term objectives. Key characteristics of risk appetite:
- Strategic Alignment: It is tied to the organization’s mission, vision, and strategic goals, ensuring that the level of risk taken aligns with its overall priorities.
- Varies by Risk Type: Different areas of the organization may have different levels of risk appetite. For example, a company may have a high risk appetite for innovation but a low risk appetite for regulatory compliance breaches.
- Dynamic: Risk appetite can change over time due to internal factors (e.g., financial health, leadership changes) or external factors (e.g., market conditions, regulatory shifts).
- Stakeholder Consideration: It often incorporates the expectations and perspectives of stakeholders, including investors, customers, employees, and regulators.
Examples of high, moderate, modest, and low risk appetites for an oil and gas company:
- High Risk Appetite
  - Deepwater Exploration in Unstable Regions: Investing in drilling projects in politically unstable or environmentally sensitive regions, despite high costs and potential regulatory backlash, because of the possibility of significant oil and gas reserves.
  - Adopting Unproven Extraction Technology: Experimenting with cutting-edge techniques such as enhanced oil recovery (EOR) methods to maximize production, despite uncertain success rates.
- Moderate Risk Appetite
  - Expanding into Emerging Markets: Entering developing countries with growing energy demands and moderate geopolitical risks to establish a market presence.
  - Developing Renewable Energy Projects: Investing in solar, wind, or hydrogen energy projects to diversify the energy portfolio, balancing risks with long-term sustainability goals.
- Modest Risk Appetite
  - Incremental Upgrades to Facilities: Modernizing existing refineries or pipelines to improve efficiency and safety while avoiding major new capital expenditures.
  - Partnerships with Local Operators: Collaborating with regional oil companies to reduce risk exposure in exploration and production projects.
- Low Risk Appetite
  - Focusing on Core Operations: Prioritizing stable, mature oil fields with established production rates rather than exploring new, high-risk sites.
  - Compliance and Safety First: Investing heavily in regulatory compliance, environmental safety measures, and worker safety protocols to avoid legal and reputational risks.
  - Hedging Against Market Volatility: Using financial instruments to protect against fluctuations in oil and gas prices, ensuring stable revenue streams.
Risk appetite is a key idea in risk management but can be hard to define and apply. It is often linked to the risk criteria an organization sets, which are used during the process of ranking risks based on how likely they are to happen and their potential impact. Risk appetite refers to how much risk an organization is willing to take in the short term to carry out an activity. In contrast, risk attitude and risk criteria reflect the organization’s longer-term perspective on risk. A challenge with risk appetite is that organizations typically focus on their willingness to continue operations, start a project, or pursue a strategy, rather than having a direct appetite for risk itself. In other words, risk appetite and exposure result from business decisions rather than driving them. Risk appetite decisions are made alongside other business considerations, not in isolation. Risk management standards recommend that risks be evaluated in the context of the organization’s strategy, operations, and compliance activities. Questions about risk appetite can only be answered when these broader contexts are considered. Some businesses may achieve profits but take on too much risk or fail to use their risk-taking capacity wisely. Risk capacity is the organization’s ability to handle risk, while risk exposure is the total value of everything at risk. Risk appetite, on the other hand, is the amount of resources the organization’s leadership is willing to put at risk. Many organizations haven’t clearly defined their risk appetite, calculated their actual risk exposure, or assessed their capacity to handle risk. This gap can lead to inefficient or excessive risk-taking.
Risk appetite and Risk attitude
Risk appetite and risk attitude are related concepts in risk management, but they have distinct meanings and applications:
- Definition: Risk Appetite refers to the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is typically a formal, organizational-level statement that guides decision-making and strategy. Risk Attitude refers to how individuals or organizations perceive and respond to risks, influenced by their values, culture, experience, and context. It reflects their behavior and mindset towards risk. An example of a risk appetite statement would be “We are willing to accept a moderate level of financial risk to pursue growth in emerging markets.” An example of risk attitude would be “A conservative manager might avoid risky investments, while an aggressive manager might embrace them.”
- Scope: Risk Appetite focuses on the collective, strategic approach of the organization as a whole. Risk Attitude can vary between individuals, teams, or departments within the organization.
- Consistency: Risk Appetite is usually well-defined, documented, and stable over time, though it may evolve based on strategic changes or external conditions. Risk Attitude can differ widely within the same organization and can change more frequently depending on personal or situational factors.
- Application: Risk Appetite guides high-level decisions, such as setting policies, entering new markets, or allocating resources. Risk Attitude influences day-to-day decisions and actions, such as how a project manager handles uncertainty or how a team responds to unexpected challenges.
- Examples in Context: Risk Appetite: An organization with a high-risk appetite may pursue aggressive growth strategies, such as expanding into volatile markets or adopting disruptive technologies. Risk Attitude: Within the same organization, some managers may be risk-seeking (favoring bold moves), while others may be risk-averse (prioritizing caution).
Risk Appetite, Risk Exposure, and Risk Capacity
- Risk appetite – the acceptable level of risk, where no further action is required other than monitoring and reviewing for changes in the context, risk and controls
- Risk tolerance – the level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level
- Risk capacity – the level of risk that is unacceptable. This is the tipping point that the organization cannot, or does not wish to, go over
These three concepts are fundamental to understanding an organization’s approach to risk management, as they define its willingness, actual risk levels, and ability to handle risks. Risk Appetite refers to the amount and type of risk an organization is willing to take on to achieve its goals. It is set by the leadership and aligns with the organization’s strategy and objectives. Risk appetite acts as a guide for decision-making, ensuring risks are taken in a controlled and deliberate manner. An oil and gas company might have a high risk appetite for investing in emerging markets because of the potential for high returns, but a low risk appetite for safety risks in its operations. Risk Exposure represents the total level of risk the organization is currently facing. It is the cumulative value of all risks (likelihood and impact) across the organization’s operations, projects, or strategies. Risk exposure is dynamic and can change based on internal decisions or external events. The same oil and gas company might have a high risk exposure if it is operating in multiple volatile regions with political instability, even if its risk appetite is moderate. Risk Capacity refers to the organization’s ability to handle risks, considering its resources, financial strength, and resilience. It defines the maximum level of risk the organization can bear without compromising its survival or long-term goals. Risk capacity sets a ceiling for risk-taking, regardless of the organization’s appetite for risk.

This graph visually represents the relationships among Risk Appetite, Risk Exposure, and Risk Capacity:
- Risk Appetite (Blue Line):
  - Represents the level of risk the organization is willing to take on.
  - Shown as a flat line, indicating a consistent willingness to accept a certain risk level.
- Risk Exposure (Orange Line):
  - Shows the actual level of risk currently faced by the organization.
  - Oscillates due to dynamic factors affecting risk levels.
- Risk Capacity (Green Line):
  - Represents the maximum level of risk the organization can tolerate or handle.
  - Shown as a higher flat line, emphasizing a limit above which the organization could face significant challenges.
Key Areas:
- Overexposure Area (Red Shading): When risk exposure exceeds risk appetite, the organization is taking on more risk than it prefers.
- Controlled Risk Area (Yellow Shading): When risk exposure is within or below the risk appetite, the organization is operating within a tolerable and manageable risk level.
This visualization helps organizations assess if their current risk exposure aligns with their risk appetite and capacity, ensuring balanced decision-making.

This figure explains the concepts of risk appetite, risk exposure, and risk capacity of a risk-averse organization, using a risk matrix to illustrate their relationships. Risk appetite is represented by shaded areas on the matrix, showing the level of risk the organization is willing to take. The curved line on the matrix represents the actual risk exposure, which is the level of risk the organization is currently facing. Risk capacity, on the other hand, is higher than both appetite and exposure, indicating the maximum level of risk the organization can handle. This ensures that the organization remains within acceptable risk limits while avoiding risks that could exceed its capacity. The matrix uses color zones to categorize risks. Green indicates risks that the organization is comfortable taking. Blue and yellow zones highlight risks that require careful judgment and decision-making before being accepted. Red represents critical risks that are only taken on when absolutely necessary. This structured approach helps maintain a balance between taking risks for growth and safeguarding the organization’s stability.
In the past, organizations calculated the total cost of risk (TCoR) to manage hazard risks. This calculation included insurance premiums, the cost of loss-control actions, and claims not covered by insurance. These calculations helped organizations benchmark their performance against others and often supported the creation of in-house insurance solutions. However, these calculations relied heavily on historical data, which may not accurately predict future risks. While this approach aimed to minimize costs, it sometimes left organizations vulnerable to major incidents. For example, prioritizing low costs could mean taking on higher overall risks, while excessive insurance purchases might reduce risk but at a significant financial cost. Modern risk management practices have evolved.
Organizations now use risk appetite as a basis to determine acceptable levels of risk. This approach compares the board’s defined risk appetite with the actual risk exposure faced by the organization. Unlike earlier methods, this updated approach considers all types of risks, not just those insurable. As market conditions become more volatile, organizations may need to take on higher risk exposure. This shift often involves strategic discussions among leadership to adjust risk levels or find ways to mitigate exposure. Risk management becomes especially important during periods of rapid change, such as in mergers or acquisitions. Organizations must carefully analyze the opportunities involved in such decisions, considering key aspects to ensure that the risks taken align with their strategy and capacity. By balancing risk appetite, exposure, and capacity, organizations can better navigate uncertainty and make informed decisions. A risk-averse organization is one that seeks to minimize uncertainty and avoid significant risks. These organizations prioritize stability, predictability, and the protection of existing assets over pursuing high-reward opportunities that come with substantial risks. They carefully evaluate potential downsides before making decisions and tend to focus on low-risk, steady-growth strategies. Their approach is often conservative, emphasizing long-term security and avoiding volatile or uncertain ventures. In contrast, a risk-aggressive organization actively seeks opportunities with high potential rewards, even if they involve considerable risks. These organizations are more comfortable with uncertainty and are willing to accept potential losses in exchange for the possibility of significant gains. They often invest in innovative or speculative projects and operate in volatile markets or emerging industries. 
Their strategy prioritizes rapid growth or market disruption, with a focus on achieving high returns, even if it means facing short-term instability or increased exposure to failure. The primary difference between these two types of organizations lies in how they approach uncertainty and manage risks. Risk-averse organizations focus on minimizing potential losses, favoring steady and secure growth. On the other hand, risk-aggressive organizations embrace uncertainty as an opportunity, taking calculated risks to achieve competitive advantage and substantial rewards. While risk-averse organizations value consistency and caution, risk-aggressive organizations are driven by a willingness to take bold actions in pursuit of significant outcomes. Risk-averse organizations focus on minimizing downside risks and tend to avoid decisions that could lead to significant losses. Risk-aggressive organizations focus on maximizing upside potential, often taking calculated risks to achieve higher rewards. Risk-averse organizations aim for steady, incremental growth, prioritizing long-term security. Risk-aggressive organizations aim for rapid growth or market disruption, prioritizing high returns even if it involves short-term instability. Risk-averse organizations allocate resources conservatively, often favoring proven methods or markets. Risk-aggressive organizations allocate resources more boldly, often investing in untested innovations or emerging opportunities. In essence, the difference lies in how each type of organization views and manages uncertainty. Risk-averse organizations prioritize safety and consistency, while risk-aggressive organizations embrace uncertainty as an opportunity to achieve competitive advantage and higher rewards.

This 2D line graph compares a risk-averse organization with a risk-aggressive organization:
- The blue dashed line represents the risk-averse organization. As the risk level increases, their response sharply declines, reflecting a preference for minimizing exposure to higher risks.
- The red solid line represents the risk-aggressive organization. Their response grows steadily with the risk level, showing a willingness to take on more risk for potential rewards.
- The dotted black line indicates a neutral risk level for reference.
This contrast highlights the differing approaches to risk management between the two types of organizations.

This figure illustrates a risk-aggressive organization that is more willing to accept risk compared to a risk-averse one. Its comfort zone for taking risks is much larger, while the cautious, concerned, and critical zones take up smaller parts of the risk matrix. In this context, the organization’s “universe of risk,” represented by the darkest squares, includes only the most significant risks that the board considers worth addressing. Because the organization has a greater appetite for risk, it views fewer risks as critical, and risks must have a very high likelihood and impact to draw the board’s attention. The organization’s ultimate risk-bearing capacity lies within the lighter-shaded zones, but its actual risk exposure is shown to be well within the darkest area. This means the organization is taking on risks that exceed its ability to handle them, making it more vulnerable. This mismatch between risk exposure and capacity creates a potential weakness. Determining an organization’s risk appetite involves judgment at various levels. At the board level, risk appetite is a strategic driver that shapes overall decisions. At the line-manager level, it serves as an operational guideline, ensuring day-to-day activities align with the board’s policies. For individual staff members, risk appetite acts as a behavioral boundary, requiring them to operate within the framework set by the board and enforced by managers.
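The two matrix figures above describe risk appetite as shaded zones on a likelihood-by-impact grid: a risk-averse organization has a small comfort zone and a large critical zone, while a risk-aggressive one has the reverse, so fewer risks reach the board's "universe of risk". The following Python example, added here and not part of the original text or its figures, encodes a 5×5 matrix (cell score = likelihood × impact) with two constructed zone profiles and a constructed risk register, so the difference in comfort-zone size and in which risks count as critical can be computed rather than read off a picture. The profile boundaries and the register entries are assumptions for illustration only.

```python
"""Risk-matrix zoning for two appetite profiles (constructed example)."""
from dataclasses import dataclass

# Likelihood and impact are scored 1..5; the cell score is their product (1..25).
SCALE = range(1, 6)

# Score at which each zone begins, per appetite profile. These boundaries are
# constructed for illustration: a real organisation fixes them in its risk
# criteria. Cells below the "cautious" boundary form the comfort zone.
PROFILES = {
    "risk_averse":     {"cautious": 4,  "concerned": 8,  "critical": 12},
    "risk_aggressive": {"cautious": 10, "concerned": 15, "critical": 20},
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def score(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact


def zone(score: int, profile: str) -> str:
    """Map a cell score to comfort / cautious / concerned / critical for a profile."""
    bounds = PROFILES[profile]
    if score >= bounds["critical"]:
        return "critical"
    if score >= bounds["concerned"]:
        return "concerned"
    if score >= bounds["cautious"]:
        return "cautious"
    return "comfort"


def zone_cell_counts(profile: str) -> dict:
    """How many of the 25 matrix cells fall in each zone. The comfort count is
    the size of the shaded appetite area that the figures describe."""
    counts = {"comfort": 0, "cautious": 0, "concerned": 0, "critical": 0}
    for likelihood in SCALE:
        for impact in SCALE:
            counts[zone(likelihood * impact, profile)] += 1
    return counts


def universe_of_risk(register, profile: str) -> list:
    """Names of the critical-zone risks: the 'universe of risk' the board addresses."""
    return [r.name for r in register if zone(r.score(), profile) == "critical"]


# Constructed risk register (hypothetical entries, not from the text).
REGISTER = [
    Risk("supplier outage", likelihood=4, impact=3),
    Risk("credential phishing", likelihood=5, impact=4),
    Risk("data-entry error", likelihood=2, impact=1),
    Risk("regulatory fine", likelihood=2, impact=5),
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, zone_cell_counts(profile), universe_of_risk(REGISTER, profile))
```

With these boundaries the risk-averse profile leaves 5 of 25 cells in the comfort zone and 8 in the critical zone, while the risk-aggressive profile has 15 comfort cells and only 3 critical ones; a score-12 risk such as the constructed supplier outage is critical for the former but merely cautious for the latter, which is exactly the "fewer risks viewed as critical" effect the text describes.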
Understanding and applying the concept of risk appetite is a significant challenge for risk management professionals. Many risk management standards, both current and those being developed, emphasize the importance of identifying an organization’s risk appetite early on. However, organizations, like individuals, do not naturally seek out risk for its own sake. This creates a tension within risk management, which also insists that risks should always be evaluated within their specific context. Determining risk appetite without considering the organization’s broader context—its strategy, operations, and compliance processes—is therefore illogical and impractical. As the concept of risk appetite gains more attention, practitioners will need to develop a clearer understanding of what it means and how to apply it effectively. For individuals, being labeled a “risk taker” usually refers to enjoying high-risk activities, not to seeking risk itself. For example, someone with a high-risk hobby does not necessarily take unnecessary risks in other aspects of their life, such as crossing a busy street without caution. Risk-taking, therefore, must always be viewed in the context of the activity and its rewards. Organizations are similar in that they are drawn to strategies, projects, or operations based on their business goals, not the inherent risks. A company may pursue a high-risk strategy or approve a risky project, but this is driven by business needs and objectives, not a desire for risk itself. Often, the level of risk is a byproduct of the chosen strategy, rather than the strategy being shaped by the organization’s risk appetite. This highlights the importance of understanding risk appetite within the broader framework of the organization’s goals and activities.
Risk and uncertainty
In risk management, addressing both risk and uncertainty is crucial. Risk is managed by identifying, assessing, and mitigating measurable threats or opportunities. Uncertainty, on the other hand, is addressed by improving knowledge, developing flexible strategies, and preparing for multiple potential scenarios. Uncertainty and risk are closely related but distinct concepts, each addressing different aspects of decision-making in the face of the unknown. Uncertainty refers to the lack of complete knowledge about future events or outcomes. It means we do not know what will happen or how likely various outcomes are. Uncertainty can make it difficult to predict results because information is incomplete or ambiguous. For example, a new product launch might be surrounded by uncertainty about customer preferences, competitor actions, or market conditions. Uncertainty exists when probabilities of outcomes are unknown or cannot be reliably estimated. Risk is the measurable potential for loss or gain when making decisions under uncertainty. It involves situations where the likelihood and impact of different outcomes can be estimated, even if they are not guaranteed. For example, in the same product launch, risk might include the estimated financial loss if sales fall short of projections. Risk is quantifiable; it is the known probability of specific outcomes occurring.
Difference Between Uncertainty and Risk
- Information Availability: Risk assumes enough information is available to estimate probabilities, while uncertainty arises when information is incomplete or outcomes are unpredictable.
- Decision Approach: Risk can often be managed with strategies like mitigation, insurance, or diversification, while uncertainty requires adaptive strategies, scenario planning, or hedging to cope with unknowns.

This figure shows the range of possible outcomes for different types of risk. When investing in opportunities, outcomes can vary widely—from a complete loss of resources to significant gains. In some cases, losses can exceed the initial investment if the associated risks are not fully understood. The figure highlights the relationship between risk and uncertainty, showcasing typical outcomes for hazard risks, control risks, and opportunity risks. By combining these risk types in one illustration, it becomes clear that they are interconnected and form a continuum. The organization’s total risk appetite is the sum of its exposure to hazards, acceptance of control risks, and investments in opportunities. The curved lines in the figure represent the range of possible outcomes for each risk type, with 95% certainty (leaving a 1 in 20 chance of outcomes outside this range). For example, if the organization tolerates a hazard risk represented by point A, it understands that outcomes may fall within the range defined by the 95% certainty lines. Similarly, for an opportunity represented by point B, the organization expects a positive return but also acknowledges the risk of potential loss within that range. Organizations face hazard risks that can disrupt operations. These risks include both the cost of incidents and the expense of managing them, such as loss prevention, damage control, and insurance. For each hazard risk, there’s a range of possible negative outcomes. The organization must assess and decide how much of this risk it is willing to accept, which forms part of its overall risk appetite. However, actual hazard exposure may exceed what was anticipated, particularly for regulated risks where compliance is mandatory. Most organizations maintain a zero-risk appetite for non-compliance with laws. Uncertainty also arises from control risks, which relate to unpredictable events with uncertain outcomes. 
For example, removing fraud controls could save money but might lead to fraud, with uncertain losses. Control risks are embedded in the projects an organization undertakes, and the cost of these controls should be included in project budgets. Failing to account for such controls could lead to significant financial and operational consequences. The cost of controls within the budget reflects the organization’s acceptance of control risks.
Risk appetite statements
A Risk Appetite Statement (RAS) is a formal declaration that outlines the level and type of risk an organization is willing to accept to achieve its objectives. It serves as a guideline for decision-making across strategic, operational, and compliance areas. The RAS helps ensure that all parts of the organization align with its overall attitude toward risk, enabling consistent and informed decision-making. Risk appetite usually covers a range of possible outcomes. This means there is a zone around the risk appetite where the level of risk is still acceptable. This zone is often called the risk tolerance range for that specific risk. Risk tolerance can be defined as “The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.”
Risk appetite involves different considerations depending on the nature and goals of an organization. For some organizations, particularly banks and financial institutions, risk appetite directly drives their strategy. For example, a bank’s decision to lend money to specific groups reflects its willingness to take on certain risks, which forms the core of its operations. In such cases, embracing risk is essential for gaining benefits and achieving business objectives.
In other organizations, risk appetite does not drive the business but serves as a tool for planning. It helps determine whether to proceed with certain tactics, projects, or changes by assessing the associated risks. Here, risk appetite helps the organization operate within acceptable limits while managing uncertainty. It guides decision-making and ensures that risk-taking aligns with broader organizational goals.
For some, risk appetite also acts as a set of operational constraints. For instance, it may define spending limits, authorization levels, or other boundaries within the organization. These constraints reflect the level of risk the organization is willing to accept, based on its size, complexity, and operations. By setting these limits, the organization minimizes risk exposure and its potential consequences. Ultimately, risk appetite is about identifying the optimal level of risk to achieve favorable outcomes while reducing uncertainty. It reflects the organization’s risk attitude, criteria, and willingness to accept specific risks. Risk appetite can be a strategy driver, a planning tool, or a set of operational constraints—or a combination of all three. Many organizations draft risk appetite statements without fully addressing whether they are focusing on strategy, planning, or constraints. A comprehensive approach that considers all three perspectives will create a more effective and nuanced statement. The stages that would be involved in developing this risk appetite statement are as follows:
- Identify stakeholders and their expectations, making reference to the possible range of stakeholders, as defined by CSFSRS.
- Define the company-wide risk exposure through an analysis of strategy, tactics, operations and compliance, as set out in the risk register.
- Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements.
- Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.
- Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring exposure in line with risk appetite.
- Formalize and ratify a risk appetite statement, communicate the statement with stakeholders and implement accordingly.
Risk appetite statements should match the way risks are classified in the organization. These statements can be organized based on the sources of risk, the parts of the organization that could be affected, or the types of impacts or consequences. Examples include using the FIRM risk scorecard or focusing on the organization’s strategy, tactics, operations, and compliance (STOC). Here are risk appetite statements for an oil and gas company across high, moderate, modest, and low risk appetites:
- High Risk Appetite: “We are prepared to invest in high-risk, high-reward projects, such as deepwater exploration and operations in geopolitically volatile regions, to secure access to significant untapped reserves. We accept the possibility of operational and regulatory challenges, provided the potential returns align with our strategic growth objectives.”
- Moderate Risk Appetite: “We are open to pursuing opportunities in emerging markets and adopting advanced technologies that balance risk and reward. While we will actively explore new ventures, we prioritize projects with manageable geopolitical, operational, and financial risks that align with our sustainability goals and long-term profitability.”
- Modest Risk Appetite: “We will focus on optimizing and modernizing existing operations, ensuring efficiency and safety while exploring low-risk partnerships. Investments will be made in stable markets and proven technologies to secure steady, predictable returns and minimize exposure to high-risk ventures.”
- Low Risk Appetite: “Our priority is maintaining operational stability and compliance with all regulatory and safety requirements. We will avoid high-risk ventures and focus on established markets and mature assets to ensure steady cash flow and protect shareholder value, while continuing to meet environmental and safety standards.”
Here are examples of risk appetite statements for a manufacturing organization based on different business components:
- Target Credit Rating: The organization has a low risk appetite for actions that may harm its credit rating. It aims to maintain a minimum credit rating of “A” to ensure financial stability and access to favorable funding terms.
- Target Capital Ratio: The organization maintains a moderate risk appetite for capital allocation, ensuring a capital ratio of at least 25% to balance growth investments and financial resilience.
- Financial Strength: The organization has a low risk appetite for financial risks that could jeopardize its liquidity or solvency. It strives to maintain cash reserves sufficient to cover six months of operational costs and uphold a strong balance sheet.
- Customer Dependence: The organization has a moderate risk appetite for customer concentration. No single customer should contribute more than 20% of annual revenue to reduce dependency risk while allowing for strategic partnerships.
- Regulatory Compliance: The organization has a very low risk appetite for non-compliance with regulatory requirements. It prioritizes strict adherence to all laws, environmental standards, and industry guidelines to avoid legal or reputational risks.
- Social Responsibility: The organization has a high risk appetite for engaging in sustainable practices and social initiatives. It actively invests in eco-friendly technologies and community projects, even if they require upfront costs, as part of its commitment to long-term societal impact.
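The three levels defined earlier (appetite, tolerance, capacity), the tolerance range around an appetite, the reconciliation stage of developing a statement, and the quantitative lines of the manufacturing statement above all come together when a statement is turned into something measurable. The following Python example, added here and not taken from the text or from any framework, expresses three of the statement's lines as tolerances with an appetite, a short-term tolerance and a capacity, then reconciles them with a set of current key risk indicators. The appetite figures (capital ratio of at least 25%, six months of cash reserves, no customer above 20% of revenue) are the ones the statement gives; the tolerance and capacity figures, the metric names and the current KRI values are constructed assumptions for illustration.

```python
"""Risk appetite statement expressed as measurable tolerances, reconciled with
current key risk indicators (KRIs). Constructed example."""
from dataclasses import dataclass

# The four states a KRI can be in, ordered from least to most concerning.
WITHIN_APPETITE = "within appetite"    # no action beyond monitoring and review
WITHIN_TOLERANCE = "within tolerance"  # acceptable for a short period, actively managed
OVEREXPOSED = "overexposed"            # beyond tolerance but not yet at capacity
BEYOND_CAPACITY = "beyond capacity"    # the tipping point the organisation must not pass

ACTIONS = {
    WITHIN_APPETITE: "monitor and review for changes in context, risk and controls",
    WITHIN_TOLERANCE: "actively manage the exposure back within appetite",
    OVEREXPOSED: "plan and fund actions to bring exposure in line with appetite",
    BEYOND_CAPACITY: "unacceptable exposure: escalate to the board",
}


@dataclass(frozen=True)
class Tolerance:
    """Quantified tolerance derived from one line of a risk appetite statement."""
    metric: str
    appetite: float
    tolerance: float
    capacity: float
    higher_is_worse: bool  # True for an exposure metric, False for a buffer

    def __post_init__(self):
        # Thresholds must progress appetite -> tolerance -> capacity in the
        # direction that means "more exposure" for this metric.
        levels = [self.appetite, self.tolerance, self.capacity]
        if levels != sorted(levels, reverse=not self.higher_is_worse):
            raise ValueError(f"{self.metric}: thresholds are not ordered")

    def classify(self, value: float) -> str:
        # Flip the sign for buffer metrics so a larger number always means more exposure.
        sign = 1.0 if self.higher_is_worse else -1.0
        v, a, t, c = (sign * x for x in (value, self.appetite, self.tolerance, self.capacity))
        if v > c:
            return BEYOND_CAPACITY
        if v > t:
            return OVEREXPOSED
        if v > a:
            return WITHIN_TOLERANCE
        return WITHIN_APPETITE


# Appetite figures come from the manufacturing statement; tolerance and capacity
# figures are constructed for illustration.
TOLERANCES = [
    Tolerance("capital_ratio", appetite=0.25, tolerance=0.20, capacity=0.15, higher_is_worse=False),
    Tolerance("cash_reserve_months", appetite=6.0, tolerance=4.0, capacity=3.0, higher_is_worse=False),
    Tolerance("largest_customer_share", appetite=0.20, tolerance=0.30, capacity=0.40, higher_is_worse=True),
]


def reconcile(tolerances, kris: dict) -> dict:
    """Compare current exposure with appetite and tolerances and attach the action
    each metric needs. Returns {metric: (state, action)}; a metric with no KRI
    value is reported as "no data" rather than silently passing."""
    result = {}
    for tol in tolerances:
        if tol.metric not in kris:
            result[tol.metric] = ("no data", "collect the KRI before reconciling")
            continue
        state = tol.classify(kris[tol.metric])
        result[tol.metric] = (state, ACTIONS[state])
    return result


def within_appetite(reconciled: dict) -> bool:
    """True only when every metric has data and sits within appetite."""
    return all(state == WITHIN_APPETITE for state, _ in reconciled.values())


# Constructed current KRI values for the example.
CURRENT_KRIS = {"capital_ratio": 0.27, "cash_reserve_months": 2.5, "largest_customer_share": 0.24}

if __name__ == "__main__":
    for metric, (state, action) in reconcile(TOLERANCES, CURRENT_KRIS).items():
        print(f"{metric:24s} {state:18s} -> {action}")
```

Two design points matter here. Buffer metrics such as capital ratio or cash reserves get worse as they fall, so the comparison is normalised by a sign flip rather than by duplicating the branch logic, and the ordering check in `__post_init__` rejects a tolerance whose thresholds were entered in the wrong direction. A metric with no current value is reported as a state of its own, so a reconciliation cannot be declared "within appetite" merely because nobody measured the KRI.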
There is a connection between personal risk appetite and lifestyle choices. People make decisions about long-term health issues based on factors like family history and personal habits. Medium-term health decisions may focus on things like medical treatments, dieting, and managing weight. In the short term, decisions could involve exercise, alcohol consumption, or addressing recent illnesses or injuries. Individuals must consider their risk attitude, appetite, exposure, and capacity when making lifestyle choices. For example, a person might decide how much exercise they’re willing to do to stay within a healthy weight range. While people may have a certain appetite for health-related risks, their actual exposure to these risks might exceed their comfort level. For instance, someone may want to live a healthier lifestyle but still choose to smoke cigarettes, demonstrating that their risk exposure can surpass their risk appetite. People often prefer actions with immediate, positive, and certain outcomes. A smoker might enjoy a cigarette because the nicotine effect is instant and pleasurable. On the other hand, quitting smoking offers long-term health benefits, but these are delayed and uncertain, and the process of quitting involves discomfort. Risk attitudes vary greatly depending on the type of risk. For instance, a person might be cautious while driving but take significant health risks. Defining risk appetite, whether for individuals or organizations, is challenging, but having a clear risk attitude can help establish an acceptable range of risks. The willingness to take risks also depends on the nature of the risk and the ability to control it. The overall approach to managing risks—whether personal or organizational—should include embracing strategic opportunities, managing tactical uncertainties, mitigating operational hazards, and minimizing compliance risks.

