We have learned notable lessons in recent years, some captured in the IRM’s guidance and some that are new. A lesson with broad consensus: there is tremendous opportunity for organizations to realize true value from effective risk-taking through definition, management and measurement of appetite. But, according to the EY Global Governance, Risk and Compliance Survey 2015, only 16% of companies consider the link between risks and the attainment of business goals to be close enough to enable them to effectively and efficiently respond to the sort of risk drivers that can emerge and evolve quickly, including shifts in the economy, technological changes and cybersecurity.
Particularly in the Transformative Age, the case for change is being driven by shifting organizational models, industry convergence and, of course, technology. The winners are organizations that have mastered appetite and risk-taking and are operating in systems of trust by design: those that are exploiting both downside risks and threats as well as the rewards and upside risks to reap value.
Organizations are managing evolving consumer expectations, new partnerships, dynamic ecosystems, changing industry boundaries, disruptive business models and new competitive domains. The lingering questions are: “How do we realize value from effective risk-taking?” “How do I maximize return on investment from my ERM program?” and, for the more cynical, “Is the matter simply theoretical?”
In this article, we aim to provide a consistent, standard definition of appetite and its associated concept, “tolerance,” that can be understood and embraced by executives, boards and risk practitioners alike. We will also provide a standard implementation framework for application of appetite in an organization based on proven examples and using a pragmatic, common-sense approach.