You may or may not realize this yet, but every organization does have a risk appetite. ISO 31000 defines risk appetite as the amount and type of risk that an organization is prepared to pursue, retain or take on. In vendor terms, it’s determining whether the risk posed by using a vendor’s product or service is acceptable or not. You must determine whether the benefit the product or service brings to the organization outweighs the risk it introduces.
Who’s Responsible for Vendor Risk?
The board of directors is typically responsible for setting the organization’s risk appetite. One of the ways they do this is by setting a dollar amount of loss that the organization would not be willing to absorb, but this threshold will vary from organization to organization.
For example, a small organization may deem a material loss to be any loss greater than $25,000, whereas a mid-sized organization may deem a material loss to be any loss greater than $4 million. As the organization grows and matures, the risk appetite may expand.
The Vendor Risk Appetite Statement
While every organization does have a vendor risk appetite, not all organizations have a risk appetite statement. A risk appetite statement is one of the first steps an organization takes to ensure it understands the threshold it is unwilling to cross, so you should have one. It states the acceptable level of risk in quantitative and qualitative terms, and it establishes set guidelines that are regularly examined and modified as needed. The following people are usually involved in developing a risk appetite statement:
- The board
- Senior management
- Business unit leaders
- The finance department
- Anyone involved in strategic planning
6 Tips to Help You Develop a Successful Risk Appetite Statement
Here are six best practices that we recommend you implement as you develop a risk appetite statement:
- Set the tone from the top. Having board support will be critical to your successful implementation. You’ll want to ensure the risk appetite statement is shared throughout the organization and that every line of business understands what it is and why it’s important.
- Get it approved by the board. This is a must.
- Make it enterprise-wide – it’s really the only way to go. Your effort to maintain a risk appetite will fall apart if every line of business isn’t on board.
- Ensure it fits within your organization’s overall philosophy. It’s very important that the risk appetite statement fit the overall strategic plan and strategic vision of the organization.
- Match your risk appetite statement with your organization’s mission, goals and objectives.
- Create qualitative and quantitative statements for the relevant risk types. You’re going to have to work your way through the various types of risk your organization decides to address. We always counsel clients to make sure they cover the SCORE risks: strategic, compliance, operational, reputation and expense risk.
Acceptable Vendor Risk Appetite
Now you must be wondering, “What’s an acceptable vendor risk appetite?” Well, that will depend upon your organization and your industry. As mentioned earlier, every organization has a different definition of material loss. Just like material loss, risk appetite is unique to each organization.
Different Variables: Again, it’s important to make crystal clear that there isn’t a one-size-fits-all approach to creating your vendor risk appetite. What may need to be considered in a vendor risk appetite at one organization may not need to be factored in at another organization. Let’s look at an example of how a risk appetite can vary even in the same industry:
- If you’re in the finance industry, there’s a chance you’re employed at an insurance company, or you could be employed at a financial institution, such as a bank or credit union. An insurance company will have a very different risk appetite than a financial institution. The insurance company will have defined its risk appetite in terms that fit the insurance vertical, the underwriting it has in place and the underwriting it plans to engage in. The financial institution will have to take factors like its loan portfolio and the credit risk it’s willing to accept into consideration; managing a loan portfolio and its attendant credit risk is unique to banks and credit unions. In this example, you can see how even though both organizations are in the financial services industry, they will focus on different factors when creating a vendor risk appetite.
Different Sizes: The size of the organization is also a factor. Larger organizations tend to have a wider tolerance for risk than smaller ones. A small $25 million organization will have a vastly different view of the dollar amount and types of risk it’s willing to take on than a $50 billion organization; both the dollar amounts and the types of risk will vary greatly.
It’s recommended you start small and work your way into the development process. As the saying goes, don’t bite off more than you can chew. Start with the SCORE acronym, beginning with strategic risk, and work your way through each of the five components in turn. As you complete this exercise, you’ll learn a lot about your organization and its risk appetite. Once that’s completed, you’ll have a foundation for tackling any other type of risk your organization would like its risk appetite statement to cover.
We understand this can be a new concept for you and your organization, and risk appetite can take some time to fully grasp. As always, be diligent in your efforts. Build your organization’s risk appetite a little at a time until you end up with a risk appetite statement that is comprehensive, fits your organization’s objectives and is fully accepted.
Ensure you are doing the appropriate due diligence for all risk levels.