Defining and Using Risk Appetite


Risk Doctor Briefing

Dr. Ruth Murray-Webster

United Kingdom

There is a growing recognition that a proper understanding of risk appetite is a vital influence on organisational performance. This is supported by regulators who expect boards to understand and express their risk appetite, and some senior executives in a range of public and private sector organisations are already taking a lead in this area.

This is a good start, but there is still confusion about how to define risk appetite and then use it to ensure that the organisation doesn’t take on too much risk (or too little).

Our book “A Short Guide to Risk Appetite” * (Hillson & Murray-Webster, 2012) attempts to dispel that confusion and provide clear advice on the topic.

There are four important factors to consider when defining risk appetite:

1  Conversation. This must be two-way, listening as well as talking, building respect for alternative perspectives. Different views on risk appetite are inevitable, driven by people’s inherent propensities for taking risk, and by their previous experiences of risk-taking that influence their perceptions of risk. This diversity is valuable, and open and honest conversation will enable differing perspectives to be aired and discussed.

2  Challenge. Diversity of views on risk appetite is normal, unless group dynamics such as groupthink are affecting the way people perceive risk, or if the group has worked together for so long that they have unconsciously adopted a cohesive approach. Challenge from a neutral facilitator will help decision-makers to consider alternative scenarios, and support open discussion of how much risk would be too much in the situation.

3  Cascade. Once senior decision-makers have a shared understanding of risk appetite for the whole organisation, this can be translated into measurable risk thresholds at the level of strategic objectives, as well as for operations, programmes and projects. Some advisors think that risk thresholds at lower levels in an organisation can be derived automatically using a formula, but this is rarely the right approach. Open conversation and neutral challenge will still be needed during the cascade process.

4  Controls. Finally, leading indicators are needed, not just lagging ones, to enable managers to know when current levels of risk exposure might breach risk thresholds. This might occur if risk exposure reaches a level where the outcome could not be tolerated, or risk exposure might get to a point where investing additional resources is no longer warranted. Where upper or lower risk thresholds are in danger of being breached, senior decision-makers will need to adopt a different risk attitude to ensure that risk exposure remains within acceptable limits. This will require the same level of conversation, challenge and cascade as the initial definition of risk appetite.


To read entire article, click here



About the Author


Dr. Ruth Murray-Webster

United Kingdom


 UK small flag 2

Dr Ruth Murray-Webster
is Director of the Change Portfolio for Associated British Ports Ltd. Prior to taking up this role in 2015, Ruth has 30 years of experience in a series of roles to enable organisations in most sectors to deliver change objectives including as Director of the Risk in the Boardroom practice for KPMG LLP in the UK and 10 years as a Director of Lucidus Consulting Ltd.

Along this journey, Ruth researched organisational change from the perspective of the recipients of change for an Executive Doctorate at Cranfield School of Management. She has also taken a keen interest in risk management along the way, co-authoring four books on the people aspects of risk management with David Hillson (Understanding and Managing Risk Attitude, 2007; Managing Group Risk Attitude, 2008; A Short Guide to Risk Appetite, 2012), and with Penny Pullan (A Short Guide to Facilitating Risk Management, 2011).

Ruth was awarded an Honorary Fellowship of the Association for Project Management in 2013 for her services to risk and change.

Dr Ruth Murray-Webster can be contacted at [email protected]