As discussed in The risk of okra, every company is in business because they are willing to do something that other guys aren\u2019t.\u00a0 It is really important for an organization to keep track of this thing they are willing to do and not confuse it with other risky behavior they aren\u2019t. This is called determining the company\u2019s risk appetite.\u00a0When it comes to risk appetite, there are three categories:On-strategy: Risks that are aligned with the businessParameterized risks: Risks that may be necessary but need to have boundaries setOff-strategy: Risks that are never aligned with the businessYour job is to help the company identify which risks fit into each category.On-strategyRisks that are aligned with the business are those we intend to take as a normal part of doing business. These are called on-strategy risks.\u00a0 If your business is a grocery store, purchasing okra is an on-strategy risk.\u00a0 If your company is a financial institution like a bank, approving an individual for a home equity loan is an on-strategy risk.\u00a0 All risks have parameters within which operation is determined to be acceptable, even on-strategy risks. Clearly, if you are a small grocery store you don\u2019t want to buy ALL the okra.If you are a bank, you have parameters for approving a loan.\u00a0 On-strategy risks are at the core of a business.\u00a0 These are the risks you must take in order to be considered a viable player in the market.\u00a0 Sometimes on-strategy risks result from the need to innovate your product or service in the marketplace. The risk associated with innovation is a major part of on-strategy risk and is a major business driver.In many industries customers will pay the business to be innovative.\u00a0 When we look at the software industry for example, customers pay a license or maintenance fee.\u00a0 This fee frequently is paid annually and provides customers with bug fixes and new releases of the software.\u00a0 It is a fee that customers pay for the software developer to be innovative.\u00a0 As a result, software companies must be particularly aware of, and open to, the cost and risk of being innovative because for them, innovation is a risk that customers pay for directly.\u00a0 It is important for your business to be aware of on-strategy risks, because it relates directly to revenue or business goals.ParameterizedThe second category isn\u2019t a list of risks but contains the risk parameters or boundaries used to evaluate risk going forward. This is the largest group and includes strategic, financial, operational, quality, and other risk types.\u00a0 Under financial risk, you might want to have a parameter for investment limits.\u00a0 The amount would depend on your business.\u00a0 For example, the grocery store might say that no single capital investment shall be larger than $500,000, while the bank might say that capital investments need to be sized so the company is able to maintain their cash flow target of $500 million.The point is there are different strategies and different types of parameters for different companies.\u00a0 Other common risk parameters in this area include self-sustaining growth (minimum amount of working capital), financial strength (minimum profit margin), loss exposure, project parameters, and customer dependence.\u00a0 By identifying boundaries, you can help the business evaluate opportunities and challenges in a changing environment and still stay true to the risk appetite boundaries set by senior management.\u00a0Off-strategyRisks that are never aligned with business objectives are called off-strategy risks.\u00a0 These risks are deemed so dangerous to the ongoing nature of the organization that a company would never knowingly take on the risk.For many organizations, risks to reputation fall in the off-strategy category.\u00a0 A good example of this is the brand image impact associated with a data breach.\u00a0 We have seen many examples of companies that haven\u2019t approached data breaches properly and have lost ground in the market as a result.\u00a0 Immediately after the Equifax breach the company offered credit monitoring services to people who were impacted.\u00a0 This credit monitoring was to be done by TrustedID Premier \u2013 an Equifax company.\u00a0 The perception issues of Equifax suffering a data breach and then hiring themselves to monitor consumer credit were not positive for the Equifax brand.The reputation hit Equifax took in their share price as a result of the breach and subsequent PR debacle was significant. \u00a0Equifax announced the breach on Sept. 7, 2017.\u00a0 It is interesting to note that the people whose data was compromised are not customers of Equifax.\u00a0 Equifax didn\u2019t suffer a significant customer impact.\u00a0 The damage was done purely because of reputation, not because of customers leaving.The reason it is so important for an organization to formally understand their own risk appetite is that your employees are making risk\/reward decisions every day.\u00a0 From the guy stocking the grocery shelves, to the software engineer, to the bank loan officer, employees make decisions that affect the business.\u00a0 If your employees don\u2019t know the boundaries, they behave based on where they perceive those boundaries to be.\u00a0 Your company might unknowingly take on unwanted risk or miss an opportunity because of these decisions. By identifying risk appetite and communicating it to your team, they will make better decisions.