Governance, Risk and Compliance (GRC) sounds like quite a complicated subject to a number of people. I felt the same way when I started my career in this exciting field of Risk & Security. Just like me, you must have heard two terms, “Integrated GRC Framework” and “Risk Appetite”, used quite a lot in your organisation. Integrated GRC Framework is a complicated subject; it’s quite difficult to explain this in one blog post, so I will cover the first concept – “Risk Appetite” – that is really important to understand. I heard about this popular term a few years back. This term puzzled me for quite some time before I could clearly understand what it really means in simple terms.
To understand this term, I went to our friend Google to ask him “What is Risk Appetite?” Google responded with 2.3 million results. There were so many blog posts, articles and publications around this topic, and I struggled to understand which one was the best answer.
I read a number of documents and posts but still, I did not feel confident enough to be able to explain this to a common person in simple terms. Then, I went to another source, Wikipedia. Wikipedia defines Risk Appetite as, “The level of risk that an organization is prepared to accept, before action is deemed necessary to reduce it. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings on”. Now that does not help either, does it?
- An instinctive desire, especially one for food or drink
- A strong wish or urge
When you apply this meaning to Risk Appetite, it translates to “An instinctive desire or A strong urge To Take On Risk”. I will try to explain this with a simple example. Every weekend when I decide to take my family out in our car, I know in my head that I am taking a risk. We can have an accident which could harm me and my family. But I decide to take that risk. Why? Because:
- All of us will be wearing seat belts
- My car has airbags
- My car has good security features
- I am a good driver
- I have good reflexes
- I am not going to cross the speed limit
- I am going to be careful
- There are laws and regulations that every other driver has to abide by
Now, what this means is that it’s within my appetite so I decide to “Take That Risk”.
Now consider an alternate scenario: my car has gone to the garage, and a friend offers to drive us to our destination. However, in this scenario, I have to take the following points into consideration:
- I know he has a history of speeding
- His car does not have good security features
- He does not maintain his car well
- He has been disqualified once and
- He appears to be under the influence of alcohol
In these circumstances, it is NOT within my appetite so I decide to “Avoid Taking That Risk”.
All of us practice risk management knowingly or unknowingly in our daily lives. We adjust our Risk Appetite based on various factors, for example, surrounding environment, place, time of the day etc. When we are walking down a known street during the daytime, we might be less cautious of our surroundings. However, if we are walking on an unknown street during the night and there are not many people around, we become more attentive and aware of our surroundings and take appropriate steps to stay within our risk appetite.
So, to put it simply, Risk Appetite is “An instinctive desire or A strong urge To Take On Risk”.