Tuesday, January 7, 2014

From Risk Appetite to Risk Attitude

Risk Attitude needs to be Proactive, not Reactive; Risk Attitude needs to be Information-Oriented, not Emotion-Driven. 

If risk appetite implies some ability to actually measure risk level, then risk attitude determines the company’s attitude and strength in dealing with risks as they appear.

Risk Attitude starts with the right attitude to communicate. Regardless of what methods or indicators are used, the key is to express risk in business terms that can really make an impact. It is management's ability to communicate the extent to which it wants to take on risk relative to a specific objective. Management can usually communicate this with a positive attitude. For example, management may say that it is acceptable to take on higher levels of risk when developing a strategy to move into a totally new business line. On the other hand, it may be unacceptable to take on risk when it comes to employee safety. These are both examples of how management can communicate its risk attitude, which is much easier and more practical.

Perform risk assessments to understand what the impact, as well as the likelihood, of FUTURE events will be, and set the risk attitude accordingly. The future is uncertain, and no amount of quantitative analysis can accurately predict what harm or opportunity lies ahead. Generally, there are two types of risks: negative (loss of value, money, and business) and positive (opportunity to make money, expand the business, and create value). Some risks are quantifiable; others can only be approximated, which is not good enough and is the main reason why management may choose to forgo mitigating such a risk.

Risk Attitude is a critical element in collecting, analyzing, and synthesizing information to 'influence' decisions. Businesses have to acknowledge a level of subjectivity in determining risk appetite and risk tolerance in real life, and it varies depending on the organization's strategy, culture, and business orientation. Quantifying risk is one of the most challenging aspects of risk management, and the risk manager's job is to collect and collate information to 'influence' that decision. Qualitative and quantitative analysis complement each other, and the method and kind of information used to quantify risks really depend on what the risk is about. So 'risk attitude' is a critical element in orchestrating information to touch upon systematic risk management approaches.

Risk Attitude shall meet 'prioritization and escalation criteria'. The purpose of assessing risk against consequence criteria is to determine what risk must be managed, and who needs to be involved in that management. At certain risk severity levels, the risk must be managed but corporate management does not want to get involved. At other levels, corporate management wants to know specifically what is being done to manage the risk. This removes the 'acceptability' of any deviation from the target. Defining risks this way enables corporate management to define two things: the degree of consequence (assuming the risk is highly likely to occur) that corporate management needs to be informed about (escalation), and the degree of consequence from a single event that they believe is the threshold requiring their managers to divert some of their time from other business activities to the management of this specific risk, but that they do not want to be informed about (prioritization).

The risk attitude of a company also depends on varying factors: (1) the nature of the business; (2) the lessons learned from historical risks; (3) the facts that can be predicted based on history, the current status quo, and risk clues. Technically, a kind of risk model needs to be built for consideration. Further, the organization is not always the one paying for the risk. Stakeholders ranging from investors to customers, ordinary citizens, and peer companies might all benefit or suffer from the Risk Attitude of a company. If the company's risks have victims outside the organization, the organization will have less control over the consequences. One thing they had better have is data backing up their decisions. The board is ultimately accountable for the policies and their requirements.

The proper measure of risk management needs to be considered. Risk Attitude is just the starting point for the enterprise to direct further attention to the risks it has tolerated. The appropriate measure will then be considered along with its cost in terms of labor, finance, etc., though there are relatively few opportunities to really measure quantifiable risk in a consistent and meaningful way.

In moving from risk appetite to risk attitude, it is better to take a positive and proactive approach, not a negative or reactive one, to make risk management more practical and less emotional. Risk management professionals shall continue to brainstorm and experiment with the best and next practices and drive risk management maturity.

