What's Your Risk Appetite?

Hoarding cash? Stifling innovation? Mark Carey of Deloitte & Touche looks at how companies do (or should) think about risk-and-reward decisions in uncertain times. Part of the Security Predictions series.

The whole concept of risk appetite is an understanding of an organization's desire to take on risk when weighed with potential reward. For most companies, this stays at an implicit level. All organizations have some type of implied risk appetite based on decisions they make as they relate to risk and value. But companies that are leading the way from a risk appetite perspective are trying to make it explicit. They provide a more explicit level of guidance to people when they make decisions.

All decisions have risk attached to them, so risk appetite framework is really a way to help people say: "I have an understanding of the value I might get from making this decision and I need to decide if the risk level is acceptable to us as an organization." Decisions range from how an organization invests capital, to budget considerations, to how to implement a strategy, to whether a strategy even fits within the overall risk appetite of an organization.

The most urgent need right now is for companies to reconsider what their appetite for risk is in light of the huge changes that have gone on in the external environment. Based on organization's position, strengths and overall ability to take on risk, do they need to make some adjustment? For some companies that are strongest in their space, this might be a good time to buckle down and take more risk. The opportunity on the upside could be tremendous. Other companies that are border line, or are potentially on the verge or major problems, might really need to dial down risk taking activities in order to stabilize the organization.

At the very highest level, when you see such extreme increase in global risk as we are seeing now, the first thing companies do is hoard their cash. We see this in play now in the way banks stopped lending to each other amid current market conditions. At the highest level, that was most extreme response from a risk-taking perspective in the marketplace. I dont know if it signifies an immediate long-term change in risk appetite for these organizations, but it certainly triggered a short-term response.

Risk appetite isn't an explicit tool. Very few companies are so good at it that they can use a programmatic approach to market conditions like we've seen in recent months. So, for most companies, I would suspect, it's been a very ad-hoc-type approach. It's not just banks that look at covering cash. All organizations pull back a little. In capital expenditures, in purchasing external services, products, technologies, etc. Everybody pulls back when you get these huge spikes in uncertainty.

Risk appetite and how often a company considers it is really tied back to how much change is going on in the environment -- whether its change that is driven by external factors, like in the market today, or if its change being driven by an acquisition, merger, or major expansion. That level of change in and around an organization is what drives the frequency with which you might reevaluate your risk appetite. I'm not suggesting every time you launch a new product, you reevaluate your risk appetite. I'm really referring to major changes in the organization.

As told to Senior Editor Joan Goodchild. Mark Carey is a Partner in the Deloitte & Touche Governance and Risk Oversight practice. Carey's focus is on enterprise risk management and his responsibilities include supporting the delivery of governance, risk and compliance related services.

Copyright © 2008 IDG Communications, Inc.

8 pitfalls that undermine security program success