In this session, we begin to introduce central concepts of risk management, starting with risk appetite. But first, we should start by stating what risk management is. To do that, we'll borrow a definition from the 2017 enterprise risk management framework, which we'll use throughout the course. And which defines enterprise risk management as the culture, capabilities, and practices integrated with strategy, setting, and performance that organizations rely on to manage risk in creating, preserving, and realizing value. Now, that's a broad definition to unpack. First, note that everything starts with culture, that sort of mission, and sense of purpose. Before managing risk, an organization has to know its values. Why it does what it does, and what sets the organization apart from its peers. And that leads to the second point. Risk management emphasizes practices at all levels of the organizational hierarchy, not just c-suite on the board. A strong risk culture affects business decisions, and determines the way the organization identifies, evaluates, prioritizes, and responds to the risks it faces. The importance of culture is also consistent with the definitions, emphasis on linking risk to strategy, and value creation. The same stakeholders who are the centerpiece of an organization strategy, should be at the center of risk management. Finally, just note that this definition is about managing risk. It doesn't say anything about eliminating risk, or even reducing it. Most of the time, risks are going to be framed in a negative manner, that's natural. But they're not always negative. Sometimes risks are opportunities, and we'll discuss this later. So if culture is the starting point, and culture determines an organization's appetite for risk, then what is risk appetite? For an answer, we'll go back to the Framework, which defines risk appetite as the types and amount of risk an organization is willing to accept in pursuit of its goals. Think appetite, how hungry is the organization for risk? It seems like a simple question, but it's not. An organization will often have multiple risk appetites. And can set different risk appetites for different categories of risk, different strategic objectives, different stakeholders who may be affected by the risk, or different operating units. For example, an organization could outline four different risk categories with different risk appetites, like the following. Long term financial health, which relates to shareholders, environmental impact that relates to broader society. Ethics and compliance, which relates to regulators in legal issues. There's often very little appetite for risk in this area. And reputation, which relates to how consumers view the organization. The risk appetite for each category could be framed as how much uncertainty are we willing to allow a business decision to impose on this particular group? And in turn, on the organization. It's worth noting that the appetite for risk is sometimes so low for a given category, that it is referred to as a third rail risk. The type of risk you don't want to touch. These are risks that could have catastrophic impact. Thus the organization has very low or zero appetite for these risks. In today's world, legal compliance, regulatory compliance, and certain cybersecurity risks would often be considered in this category. So what are the benefits of setting a risk appetite? The first big advantage, is assessing the reasonableness of an organization's strategy. Every organization has to take some risk in order to achieve its goals. And it's valuable to know whether the organization is even willing to take the minimal levels of risk necessary to achieve its key goals. If it isn't, then the organization needs to revise its risk appetite, or its strategy. Further, a risk appetite helps reinforce a common understanding of what is desirable, and what is undesirable. Senior management may know the organization's risk appetite, but middle managers, or frontline employees may not. Employee misunderstanding of risk and risk appetite can have severe impacts on the organization as a whole. For example, a driver of the 2008 financial crisis was bank managers and loan officers approving loans for borrowers who weren't creditworthy. Banks compensated these employees for increasing their loan portfolio, unless it isn't surprising that employees began to push the envelope with less creditworthy borrowers. But there weren't guardrails, stating that although the organization recognizes that defaults happen, and wants to grow the portfolio, certain activities were out of bounds. In this lecture, we introduced risk appetite. And we'll learn how appetite drives the risk management process in the upcoming lectures.
