Today’s business environment is evolving at a fast pace, driven by rapidly emerging technologies, geopolitical upheaval, and other unpredictable events, making it increasingly difficult for leaders to navigate risks effectively. Organizations need to make risk-related decisions within a clearly defined risk appetite that is well understood across both strategic and operational levels. In this Viewpoint, we share how leaders can ensure they are well positioned to seize opportunities and take controlled, informed risks to increase the chances of meeting their business objectives.

THE ROLE OF RISK APPETITE IN CORPORATE STRATEGY

An organization’s risk appetite is the amount of risk it is willing to take in pursuit of its objectives. It is a key component in a proactive and adaptable corporate strategy, especially in times of global turbulence. Organizations can navigate uncertainty more effectively by using risk appetite as a guiding set of principles as they make strategic decisions that position them for success in today’s unpredictable world.

Clearly defining risk appetite enables an organization’s leaders to identify and prioritize potential risks, establish limits and thresholds, and allocate resources effectively. Risk appetite is closely related to other concepts and components within an organization’s risk universe:

• Risk capacity — quantifies the maximum amount of risk an organization can prudently handle, given its resources and financial capabilities

• Risk tolerance — reflects the organization’s threshold for bearing risk and its capacity to endure potential losses

• Risk target — sets an organization’s desired risk level, ideally striking a balance between risk and reward

• Risk limits — provide clear boundaries that specify the upper extent of risk exposure, ensuring that it remains within acceptable parameters

When taken together, these elements align strategic aspirations with risk-taking capabilities to create a comprehensive framework that guides an organization’s approach to risk management. Figure 1 shows how the above considerations interact within a large organization.

The rise of emerging technologies such as ChatGPT and other artificial intelligence (AI) tools has rapidly accelerated the pace of change around the world, triggering continuous and significant disruptions across social, political, and economic landscapes. By incorporating risk appetite frameworks, organizations can better grasp the significance of their risk profile and make informed decisions about which risks to take and which to avoid in a constantly changing global environment.

Incorporating risk appetite into corporate strategy is an ongoing process that requires collaboration between multiple departments, from finance and operations to marketing and legal.

THE POWER OF A RISK APPETITE FRAMEWORK

Implementing a risk appetite framework supports an organization by aligning risk taking with the organization’s objectives and goals, which enables leaders to make better decisions while ensuring resources are effectively allocated. A risk appetite is agreed upon by leadership and decision makers and is more than any one individual’s subjective judgment.

The risk appetite statement is a key component of an effective framework. However, on its own, a simple statement fails to link to business objectives or cover the entire risk universe of an organization. It cannot provide leaders with something tangible to use at the board or executive level, and it cannot be used in isolation to cascade down the organization to drive action.

A well-balanced risk appetite framework is supported by both qualitative and quantitative information. By establishing limits and thresholds, organizations can see when they are approaching the upper limits of their risk tolerance. They can reduce their exposure to risk and operate within agreed-upon limits by distributing resources more effectively. In a complex business, one risk appetite statement will not be sufficient — indeed, the framework in which risk appetite is defined will have many dimensions (e.g., political, geographical, operational, financial, legal) requiring appropriate statements and tolerances to make them meaningful.

In an ever-changing business landscape, an effective risk appetite framework that uses a dynamic approach can help companies stay ahead of the curve. By embracing this concept and building a supportive digital platform, organizations can better manage their risks, improve the chances of achieving their goals, and take risks from a controlled and informed perspective.

WHY RISK APPETITE FRAMEWORKS FAIL

While the benefits of establishing and implementing a risk appetite framework are clear, many organizations struggle to do so effectively. It is relatively easy to create a risk appetite statement to meet a short-term need or to tick a box for a particular stock exchange listing, a corporate governance requirement, or regulatory compliance.

Organizations face four common challenges when trying to design and implement a risk appetite framework:

1. The organization has cultural barriers to effective risk management. Organizations can promote a culture that rewards risk taking and innovation, but this often leads to a lack of discipline and oversight around risk and reveals a lack of clarity about how much risk should be taken in different situations. Here, a risk appetite statement would likely be seen as an obstacle that impedes the desired entrepreneurial culture that is important to the organization’s success. Overcoming these barriers requires effective alignment of risk appetite mechanisms with strategic objectives, while rewarding corporate behavior that emphasizes informed, risk-conscious decision-making. Defining a risk appetite framework should be seen by leaders as similar to putting high-performance brakes on a car, allowing the car to go faster when road conditions permit.

2. The organization fears documenting the risk appetite framework. Organizations under extreme levels of external stakeholder scrutiny sometimes have concerns about documenting their risk appetite framework. They fear that the level of scrutiny imposed on the framework by external stakeholders could cause reputational damage or obstruct effective decision-making.

3. A coordinated effort is required to ensure that risk appetite is meaningful to everyone throughout the organization and adopted at all levels. This will result in effective communication and collaboration in relation to risk taking; in particular, the risk appetite statement must be well understood and applicable at operational and project levels. Arthur D. Little (ADL) recently worked with a global construction organization that successfully integrated corporate risk appetite for commercial risk into its day-to-day activities. The integration was achieved through setting group minimum commercial expectations, which covered topics such as contingencies and liquidated damages. All the teams involved in negotiating contracts clearly understood these expectations (and by extension, the commercial risk appetite) but were unlikely to think of it as risk appetite. This level of integration should be the goal for all types of risk. If risk appetite awareness is still lacking, it can be built through regular training and education. Merging risk appetite into key strategic decision-making mechanisms and processes, such as scenario analysis and stress testing, can also make a difference. In another example, ADL worked with a multinational transport operator whose CEO set a clear appetite for no fatalities and to make a positive and measurable difference to safety in every country it operated. This drove behaviors throughout the entire corporation down to drivers and mechanics.

4. The rapid pace of change and evolution in the business environment makes it difficult to maintain a relevant appetite framework. Risk appetite statements have, rightly, come under heavy criticism in the past for being generic, boilerplate mechanisms with limited impact and value. As such, leaders need to ensure risk appetite reflects the reality of the business environment and characteristics of their organization, which can be achieved through the proactive monitoring and horizon scanning of changes in their operating environment and revising the risk appetite as needed. This requires ongoing risk evaluation as well as agile reviews of the framework to ensure it remains relevant and effective, as opposed to a document that is dusted off once a year.

To overcome the above challenges, organizations need to balance qualitative and quantitative information and incorporate the findings into a framework that facilitates clear decision-making and does not create a barrier to getting things done. The framework must include a thorough assessment of the type of risks facing the company and access to an extensive set of underlying data. When complete, it should be implemented using a comprehensive and systematic approach.

Underpinned data needs to be accurate, up to date, and relevant to create a meaningful, effective risk appetite statement. Specific requirements will vary depending on the nature of the organization, the industry, and the complexity of the risks involved but are likely to include:

• Strategic and organizational data

• Risk data

• Financial data

• Regulatory and legal data

• Scenario-analysis data

• Benchmarking data

Of course, in most organizations, substantial data will already be available, with existing dashboards for measuring performance, so little will need to be invented or started from scratch. However, it is necessary to use this data within a more structured framework, so that it functions within the context of risk appetite, risk tolerance, and risk targets to better drive decision-making. Finally, organizations must commit to maintaining effective communication and collaboration across all levels; as the business model changes, it will call for ongoing dynamic monitoring and adapting the risk appetite framework.

DESIGNING A SUCCESSFUL RISK APPETITE FRAMEWORK

There is no one universally defined template that will work for all. We have identified typical features of risk appetite frameworks (see Figure 2) from best practices across different sectors and from organizations of different scales to illustrate possible formats:

• A set of key risk categories that encompass an organization’s entire risk universe — what it is facing today and what may occur in the short to medium term.

• A clear link to business objectives.

• Scales used are the same as the organization’s risk matrix and are clear on the impact categories (e.g., financial, reputational, or regulatory).

• Quantification of risk appetite per key risk category, when possible.

• A description of the risk appetite, per key risk category, which explains the quantification and the broader organizational context.

• Identification of key risk indicators, threshold warnings, and action limits to support proactive monitoring.

• Stakeholders who understand how the key risk category fits into the organizational context; the number of stakeholders impacted by risk determines the amount of focus required.

It is important to note that many organizations will often have several of these features in place already, such as a set of KPIs to allow them to react to adverse trends, and nearly all organizations have an implicit risk appetite, even if it is not recorded in a formal framework. Usually, the process of designing and building a successful risk appetite framework involves consolidating and formalizing the elements and thinking that already exist across the organization and capturing them systematically, as opposed to starting from nothing.

So how can organizations create a robust risk appetite framework that serves as a practical tool? The above content and structure, which include key risk categories that accurately cover the current, short-, medium-, and long-term risks, offer an approach to developing a specific comprehensive framework.

Keeping the risk appetite framework as a board-level document and embedding its content into policies, standards, and specifications used throughout the organization is another approach organizations have used successfully. This strategy can support widespread decision-making that aligns with the risk appetite framework; however, any updates to the framework are much harder to implement because of the need to update multiple related documents across the organization.

A value-adding risk appetite framework must be kept up to date. For example, it needs to address both the threats and opportunities that AI technology can bring to the corporate context. Three years ago, few outside the domain of AI could have imagined how ChatGPT could have become an everyday item of casual discussion. The speedy development and widespread application of ChatGPT necessitate a clear understanding of how risk is affected and what limits need to be set. The Italian government recently demonstrated zero tolerance for AI technologies and banned their use due to negative implications for maintaining data privacy. Surprisingly, even in late 2023, we have spoken with many organizations that have not yet defined their appetite or enacted appropriate controls to address AI or considered the business opportunities it presents.

CONSIDERATIONS FOR LARGE, DIVERSE ORGANIZATIONS

A large, diverse organization is an entity that operates in various sectors, industries, markets, or geographical locations and exhibits significant variety in terms of its operations, products, and services. These organizations are typically characterized by multiple business units (BUs), a global supply chain, a complex organizational structure, and regulatory complexity. A single risk appetite statement for this type of organization may be insufficient. Its scope is more complex, with multiple BUs and a wide range of risk exposures; this necessitates extensive stakeholder engagements, granular risk assessments, and accommodation for variations across units or markets. Separate risk appetite statements for different BUs often need to be considered, provided they align with the overall corporate risk appetite. Communication, governance, and resource-allocation structures are more elaborate, and regulatory considerations are often more complex.

Certain large organizations strategically embrace higher risks in specific BUs to foster innovation and spur growth while maintaining a clear separation from core business activities. By doing so, they create a controlled environment where experimentation and creativity can thrive. These specialized units often operate with a greater degree of flexibility and autonomy, enabling them to explore emerging markets, disruptive technologies, and unconventional business models. While the core business maintains a conservative risk appetite to ensure stability and meet regulatory obligations, these dedicated BUs can have a more tolerant risk appetite and serve as innovation hubs.

The following principles for risk appetite framework development are relevant to any organization regardless of size but are of particular importance for large, diverse organizations:

• Connecting risk appetite to corporate strategy. Once potential risks have been identified and analyzed, organizations must develop clear risk appetite statements and supporting metrics that align with their goals and objectives. This requires a comprehensive understanding of risk tolerance and appetite, as well as an understanding of the impact that different risks can have on the organization’s ability to achieve its objectives. Risk appetite statements should be in place for each major risk category and communicated clearly throughout the organization.

• Establishing measurable and actionable risk appetite limits and thresholds. Once risk appetite statements have been finalized, organizations must establish risk appetite limits and thresholds. These limits and thresholds should be based on a comprehensive assessment of different risks and their impacts on the organization’s objectives. The organization’s overall attitude toward risk (the concepts discussed earlier and shown in Figure 1) and any recent or historical loss history are also relevant. In addition, organizations must consider the emergence of a volatile environment and attempt to predict the risks and results that could arise. A comprehensive understanding of the organization’s risk exposure, as well as the effectiveness of existing risk mitigation strategies, is vital.

• Cascading risk appetite throughout an organization. To be effective, risk appetite frameworks must be shared throughout the organization through effective communication and training. If the organization is relatively homogeneous, this flow of information can follow the approach used for any business objectives or metrics. However, a more tailored approach is required when the organization is not homogenous, which could result from levels of risk that fluctuate among BUs. The cascade requires a comprehensive understanding of the organization’s risk culture and the barriers to effective risk management. Organizations must ensure that all employees understand the importance of effective risk management and that they are provided with the necessary tools and training to implement the risk appetite framework effectively.

Revisiting the earlier example of the global construction organization also shows that one country was home to a mix of BUs organized into one multi-billion-euro-per-annum strategic BU, containing:

• Civil engineering and infrastructure maintenance BUs (typically government-reimbursable contracts with known engineering risks).

• BUs working on complex building projects in the capital city. Commercial agreements were complicated by aggressive private sector clients, and operations were complicated by the use of high-risk, cutting-edge engineering technology.

• A BU focused on home building.

• An equipment-hire BU supporting other BUs.

• An infrastructure-investment business.

Each BU had different attitudes toward risk, as well as different business models and external market drivers. The challenge was to represent the risk appetite in one framework, which recognized similarities and differences and aligned with the group risk appetite. We developed a separate risk appetite for each BU, which reflected the different business models and external market drivers and showed differences from the group risk appetite. This approach informed which specific risks were escalated to senior management and allowed BU–specific thresholds to determine key risk indicators, giving deeper insight to strategic BU leaders when and where they were operating out of tolerance.

AI & THE RISK APPETITE STATEMENT OF THE FUTURE

Traditional risk management approaches struggle to handle the complexity of risk exposure for large, complex organizations in an uncertain business environment. AI and associated technologies may improve risk management, but they also pose a threat.

The size and complexity of underlying risk registers mean emerging technologies, including machine learning (ML) and AI models such as natural language processing (NLP), can be leveraged to enhance the value of risk appetite statements. These added resources can carry out risk identification, quantification, and aggregation in real or near real time and ensure that the registers constantly reflect an organization’s position with respect to its defined risk appetite.

AI, ML, and NLP can:

• Pinpoint emerging risks.

• Predict potential outcomes of different risks.

• Inform senior management when a specific risk theme is in or out of tolerance.

• Identify a new risk theme with an undefined risk appetite position.

In addition, these technologies can be used to build predictive models that can inform risk appetite decisions and automate the risk management process, reducing the risk of human error and increasing the speed and accuracy of risk assessments by developing a proactive, forward-looking capability.

Conclusion

FORMULATING AN INTERACTIVE RISK APPETITE FRAMEWORK

Our experience shows that risk appetite frameworks often exist in isolation. Executives should consider actions that contribute to a robust, value-adding risk appetite statement:

1. Recognize that risk appetite assists strategy setting, understanding future scenarios, and managing priorities.

2. Translate risk appetite for the people making day-to-day decisions by encoding it into procedures, policies, and processes.

3. Remember that no template fits all; the framework reflects the business model.

4. Choose an approach to drive corporate culture that can be properly cascaded across the organization and help people understand risk within their own domains.

5. Deliver regular updates about emerging risks at the board and executive levels. Links to horizon-scanning processes keep statements timely.

6. Consider the opportunity offered by AI to assess risk appetite tolerances and set limits based on analysis of internal and external contexts.

7. Use AI and digital platforms to monitor an organization’s operations within the set limits and tolerances; provide proactive warnings as needed.

By establishing a risk appetite framework, organizations can get a wider view of their risk profile and make informed decisions in a rapidly changing global environment.