WEBVTT 00:00:00.000 --> 00:00:02.040 Welcome back to the Deep Dive. We're here to 00:00:02.040 --> 00:00:04.540 take that stack of sources you send us, all the 00:00:04.540 --> 00:00:06.780 articles, the academic models, the really dense 00:00:06.780 --> 00:00:09.300 standards, and just pull out the vital knowledge. 00:00:09.740 --> 00:00:12.160 We want to give you a serious shortcut to being, 00:00:12.199 --> 00:00:16.019 well, truly well informed. Today, we are wading 00:00:16.019 --> 00:00:18.879 into a subject that sits right at the nexus of... 00:00:19.199 --> 00:00:22.079 you know, strategy, finance and culture. It's 00:00:22.079 --> 00:00:24.719 all about how organizations make decisions about 00:00:24.719 --> 00:00:27.300 uncertainty. Right. And every single organization 00:00:27.300 --> 00:00:30.059 from the tiniest startup trying to get funding 00:00:30.059 --> 00:00:32.880 to a massive multinational, they're constantly 00:00:32.880 --> 00:00:35.299 facing these choices. Absolutely. From innovation 00:00:35.299 --> 00:00:38.219 budgets to safety protocols. And we all, you 00:00:38.219 --> 00:00:39.759 know, we all think we know what risk is. But 00:00:39.759 --> 00:00:41.619 the moment you step into a boardroom or a project 00:00:41.619 --> 00:00:43.859 management office, you realize there's this whole 00:00:43.859 --> 00:00:46.960 other formal specific language they use to manage 00:00:46.960 --> 00:00:49.960 it. And that language is. Often incredibly confusing. 00:00:50.079 --> 00:00:52.359 It's maybe the ultimate source of ambiguity in 00:00:52.359 --> 00:00:54.719 corporate governance. I can see that. Organizations 00:00:54.719 --> 00:00:57.780 just need a central guiding principle that tells 00:00:57.780 --> 00:01:00.340 them, you know, how much pain are we willing 00:01:00.340 --> 00:01:03.439 to accept for a potential gain? They need to 00:01:03.439 --> 00:01:06.879 know where to draw the line on security, on financial 00:01:06.879 --> 00:01:10.439 exposure, on how fast they roll out a new product. 00:01:10.680 --> 00:01:12.959 And that central concept. That's risk appetite. 00:01:13.180 --> 00:01:15.780 That's the one. It's the centerpiece of all modern 00:01:15.780 --> 00:01:18.859 enterprise risk management. But if you, our listener, 00:01:19.000 --> 00:01:21.140 have ever sat through a presentation on this 00:01:21.140 --> 00:01:24.280 or tried to read a policy document, you've probably 00:01:24.280 --> 00:01:27.579 hit that jargon wall. You're asked to distinguish 00:01:27.579 --> 00:01:32.099 between appetite tolerance threshold. And they're 00:01:32.099 --> 00:01:34.000 used interchangeably all the time. All the time. 00:01:34.060 --> 00:01:36.359 But in practice, they are radically different 00:01:36.359 --> 00:01:38.340 concepts that actually define the acceptable 00:01:38.340 --> 00:01:40.840 boundaries of how a company can behave. So our 00:01:40.840 --> 00:01:43.319 mission today is just that, absolute clarity. 00:01:43.439 --> 00:01:45.739 For you, the curious learner, we're going to 00:01:45.739 --> 00:01:48.079 unpack the formal definitions that govern this 00:01:48.079 --> 00:01:49.879 whole field. And where are we pulling this from? 00:01:50.019 --> 00:01:52.680 We're drawing on really rigorous sources. So 00:01:52.680 --> 00:01:55.519 we have established academic models, like the 00:01:55.519 --> 00:01:58.840 RRRA framework, for example. And then... The 00:01:58.840 --> 00:02:01.680 definitive global standards. Yeah. Specifically, 00:02:01.939 --> 00:02:06.060 ISO 31000. The big one. The big one. And these 00:02:06.060 --> 00:02:08.819 sources, they help us cut through all that operational 00:02:08.819 --> 00:02:11.479 ambiguity. And they really provide the authoritative 00:02:11.479 --> 00:02:13.719 distinction between these terms that seem to 00:02:13.719 --> 00:02:15.400 overlap. And we're going to make sure that you 00:02:15.400 --> 00:02:18.020 know not just what the definitions are, but more 00:02:18.020 --> 00:02:20.759 importantly, why these distinctions matter. What's 00:02:20.759 --> 00:02:23.180 the advantage this clarity gives you in a strategy 00:02:23.180 --> 00:02:27.319 meeting or a resource debate? Okay, let's unpack 00:02:27.319 --> 00:02:29.240 this. I think we need to start with the core 00:02:29.240 --> 00:02:31.800 philosophy, with the definition of risk appetite 00:02:31.800 --> 00:02:34.240 itself. So when we talk about risk appetite, 00:02:34.439 --> 00:02:37.039 at its heart, we are really talking about acceptance. 00:02:37.460 --> 00:02:40.139 Acceptance. At its most fundamental level, risk 00:02:40.139 --> 00:02:42.759 appetite is the level of risk an organization 00:02:42.759 --> 00:02:46.000 is prepared to accept or, and this is the crucial 00:02:46.000 --> 00:02:49.060 part, prepared to retain in pursuit of its objective. 00:02:49.360 --> 00:02:51.659 Ah, that framing retained risk. That's really 00:02:51.659 --> 00:02:54.099 insightful. It is. It immediately shifts the 00:02:54.099 --> 00:02:56.120 mindset, doesn't it? It tells us this isn't about 00:02:56.120 --> 00:02:58.560 creating some kind of zero risk environment. 00:02:58.719 --> 00:03:00.900 Which is impossible anyway. impossible and it 00:03:00.900 --> 00:03:03.520 would be paralyzing. It's about making a deliberate 00:03:03.520 --> 00:03:06.620 choice to, you know, live with a certain amount 00:03:06.620 --> 00:03:09.139 of uncertainty because that uncertainty is the 00:03:09.139 --> 00:03:11.560 cost of doing business or maybe more importantly, 00:03:11.719 --> 00:03:15.080 the cost of innovation. Exactly right. The International 00:03:15.080 --> 00:03:18.379 Organization for Standardization, ISO 31000, 00:03:18.580 --> 00:03:20.599 which is, you know, the global benchmark for 00:03:20.599 --> 00:03:23.819 risk management, it formally defines it as the 00:03:23.819 --> 00:03:27.680 amount and type of risk that an organization 00:03:27.680 --> 00:03:30.800 is willing to pursue or retain. Amount and type. 00:03:31.819 --> 00:03:34.120 And it's worth pausing on why a standard like 00:03:34.120 --> 00:03:36.400 that is so necessary. I mean, without a formal 00:03:36.400 --> 00:03:39.219 recognized definition, every organization just 00:03:39.219 --> 00:03:41.419 invents its own vocabulary. Which leads to total 00:03:41.419 --> 00:03:43.319 confusion when you're dealing with regulators 00:03:43.319 --> 00:03:46.139 or international partners or even your own subsidiaries. 00:03:46.300 --> 00:03:48.439 Complete confusion. And that specific phrase, 00:03:48.599 --> 00:03:51.979 pursue or retain, that is the strategic crux 00:03:51.979 --> 00:03:54.060 of the whole thing. Right. It changes the conversation 00:03:54.060 --> 00:03:56.620 from a purely defensive posture, you know, let's 00:03:56.620 --> 00:03:59.719 avoid bad things, to an offensive strategy. We're 00:03:59.719 --> 00:04:01.719 talking about deliberately pursuing risk because 00:04:01.719 --> 00:04:03.960 it offers a potential reward. It's a balancing 00:04:03.960 --> 00:04:07.409 act. It's the organizational sweet spot. You 00:04:07.409 --> 00:04:09.509 know, if you're excessively cautious, if your 00:04:09.509 --> 00:04:12.550 appetite is way too low, you just stagnate. You're 00:04:12.550 --> 00:04:14.810 safe, but... You're safe, but your competitors 00:04:14.810 --> 00:04:16.730 are innovating all around you, and they're going 00:04:16.730 --> 00:04:18.930 to capture the market. And on the other hand, 00:04:18.949 --> 00:04:21.370 if your appetite is too high... You risk total 00:04:21.370 --> 00:04:25.060 failure. Catastrophe. So risk appetite, when 00:04:25.060 --> 00:04:27.980 it's defined correctly, is that measurable point 00:04:27.980 --> 00:04:30.300 where the potential benefits of growth finally 00:04:30.300 --> 00:04:33.100 outweigh the inevitable threats that come with 00:04:33.100 --> 00:04:35.810 change and competition. And that leads us right 00:04:35.810 --> 00:04:38.649 into, I think, the first major intellectual challenge 00:04:38.649 --> 00:04:41.129 here, which is the relationship between risk 00:04:41.129 --> 00:04:44.410 appetite and risk management. Ah, yes. Intuitively, 00:04:44.430 --> 00:04:47.250 they feel sequential. One feels like the cause 00:04:47.250 --> 00:04:49.550 and the other feels like the effect. The classic 00:04:49.550 --> 00:04:51.930 chicken or the egg debate in all the risk literature. 00:04:52.230 --> 00:04:54.810 And if you poll a room full of managers, most 00:04:54.810 --> 00:04:56.930 of them will argue that risk appetite has to 00:04:56.930 --> 00:04:58.930 come first. That's what I would assume. They 00:04:58.930 --> 00:05:01.750 assume that strategy dictates the appetite. And 00:05:01.750 --> 00:05:03.410 then you go and set up the management systems 00:05:03.410 --> 00:05:06.970 to monitor that chosen level of risk. Yeah, that's 00:05:06.970 --> 00:05:09.670 certainly the intuitive argument. I decide how 00:05:09.670 --> 00:05:12.490 hungry I am for profit. That's my appetite. And 00:05:12.490 --> 00:05:15.029 then I manage my investments to match it. The 00:05:15.029 --> 00:05:17.410 appetite dictates the management strategy. Right. 00:05:17.529 --> 00:05:20.350 It seems logical. If the board says we're a high 00:05:20.350 --> 00:05:23.550 risk, high reward organization, that attitude 00:05:23.550 --> 00:05:25.910 should surely inform everything else that follows. 00:05:26.069 --> 00:05:28.379 It seems like it should. But when you look at 00:05:28.379 --> 00:05:30.819 the most rigorous modern analysis that comes 00:05:30.819 --> 00:05:33.319 from our sources, the relationship is actually, 00:05:33.379 --> 00:05:36.160 well, it's counterintuitive. When the analysis 00:05:36.160 --> 00:05:39.259 is truly rigorous and quantitative, the risk 00:05:39.259 --> 00:05:42.000 appetite is actually a consequence of a deep 00:05:42.000 --> 00:05:44.800 risk management analysis. It is not the precursor. 00:05:44.819 --> 00:05:46.779 Wait, hold on. Let's dig into that because that 00:05:46.779 --> 00:05:48.720 completely flips the script on what I think most 00:05:48.720 --> 00:05:50.839 people assume. You're saying the organization 00:05:50.839 --> 00:05:52.920 doesn't just start by stating we want to be high 00:05:52.920 --> 00:05:55.579 risk. They start by analyzing their capacity 00:05:55.579 --> 00:05:58.240 for loss. Precisely. We have to make a distinction 00:05:58.240 --> 00:06:00.259 here between simple risk management and rigorous 00:06:00.259 --> 00:06:03.240 risk management. Okay. Simple RM, it identifies 00:06:03.240 --> 00:06:06.060 a hazardous event, a fire, a cyber attack, whatever, 00:06:06.240 --> 00:06:08.360 and it looks at how to minimize its immediate 00:06:08.360 --> 00:06:10.860 impact. Rigorous RM has to account for something 00:06:10.860 --> 00:06:14.360 way more complex. Collateral effects, secondary 00:06:14.360 --> 00:06:17.459 losses, cascading failures that just compound 00:06:17.459 --> 00:06:20.420 the initial problem. So it's not just... Did 00:06:20.420 --> 00:06:22.899 our server crash? No. It's, okay, if the server 00:06:22.899 --> 00:06:25.839 crashes, what's the ripple effect on our compliance 00:06:25.839 --> 00:06:28.199 obligations, our competitive position in nine 00:06:28.199 --> 00:06:31.399 months, the potential regulatory fines, the drop 00:06:31.399 --> 00:06:34.579 in investor confidence, all of it? Exactly. Rigorous 00:06:34.579 --> 00:06:37.079 risk management involves things like stress testing 00:06:37.079 --> 00:06:40.220 and probabilistic modeling that analyzes the 00:06:40.220 --> 00:06:42.579 total loss exposure against the organization's 00:06:42.579 --> 00:06:45.180 structural reserves. It asks the really hard 00:06:45.180 --> 00:06:48.060 question. Can we survive the absolute worst case 00:06:48.060 --> 00:06:51.379 scenario? And if we can, what's the cost of that 00:06:51.379 --> 00:06:53.920 survival? And this is where the competitive context 00:06:53.920 --> 00:06:56.160 becomes so crucial. The sources talk about this 00:06:56.160 --> 00:06:59.480 concept of cover. Can you explain how an organization's 00:06:59.480 --> 00:07:01.620 cover determines its appetite? Yeah, think of 00:07:01.620 --> 00:07:04.500 cover as your financial and your strategic insulation, 00:07:04.879 --> 00:07:07.420 your padding. It includes your available capital, 00:07:07.579 --> 00:07:10.680 your insurance, any redundant supply chains you 00:07:10.680 --> 00:07:13.839 might have, your reputational goodwill, the technological 00:07:13.839 --> 00:07:16.879 lead you have over your competitors. The amount 00:07:16.879 --> 00:07:19.579 of risk an organization can responsibly put on 00:07:19.579 --> 00:07:22.600 the table depends entirely on the financial and 00:07:22.600 --> 00:07:25.699 strategic cover they have if that loss actually 00:07:25.699 --> 00:07:28.199 happens. And this is always analyzed relative 00:07:28.199 --> 00:07:31.339 to the competition. Ah, I see the strategic move 00:07:31.339 --> 00:07:33.740 here. So if a company is in a really competitive 00:07:33.740 --> 00:07:36.459 market and they determine through this rigorous 00:07:36.459 --> 00:07:38.639 risk management that their cash reserves and 00:07:38.639 --> 00:07:41.060 their operational redundancy are just way greater 00:07:41.060 --> 00:07:42.639 than their rivals. Then they have a strategic 00:07:42.639 --> 00:07:44.680 advantage in risk taking. They can afford to 00:07:44.680 --> 00:07:48.220 be bolder. Yes. If you have ample cover, the 00:07:48.220 --> 00:07:51.339 logical, strategically sound move is to adopt 00:07:51.339 --> 00:07:54.560 a hungry appetite for risk because you can sustain 00:07:54.560 --> 00:07:56.500 the market downturns or the project failures 00:07:56.500 --> 00:07:58.339 that are going to wipe out your less protected 00:07:58.339 --> 00:08:01.449 rivals. Your appetite isn't a choice made in 00:08:01.449 --> 00:08:04.610 a vacuum. It's determined by the cold, hard analysis 00:08:04.610 --> 00:08:07.310 of your survival capacity compared to everyone 00:08:07.310 --> 00:08:09.949 else. The rigor of the management analysis, the 00:08:09.949 --> 00:08:12.569 stress testing that dictates the boldness of 00:08:12.569 --> 00:08:15.170 the final strategic appetite declaration. So 00:08:15.170 --> 00:08:17.370 instead of risk appetite being the starting gun 00:08:17.370 --> 00:08:19.589 for the race, it's actually the end product of 00:08:19.589 --> 00:08:21.990 this really sophisticated organizational health 00:08:21.990 --> 00:08:25.089 check. It's the logical conclusion you draw from 00:08:25.089 --> 00:08:27.490 the question. What's the maximum we can strategically 00:08:27.490 --> 00:08:30.829 afford to lose relative to the market to gain 00:08:30.829 --> 00:08:33.350 an advantage? That is the key insight. The declaration 00:08:33.350 --> 00:08:35.490 of appetite, whether it's high or low or somewhere 00:08:35.490 --> 00:08:37.690 in the middle, that's the formal mechanism for 00:08:37.690 --> 00:08:40.210 aligning that analytical inclusion with the strategic 00:08:40.210 --> 00:08:42.250 goals of the organization. Okay, so now that 00:08:42.250 --> 00:08:44.129 we've established that core definition of appetite, 00:08:44.330 --> 00:08:47.309 as a strategic consequence, we have to wade into 00:08:47.309 --> 00:08:49.750 that vocabulary minefield. Because this is where, 00:08:49.830 --> 00:08:52.830 in practice, most organizational policy just 00:08:52.830 --> 00:08:55.690 becomes a mess of confusion. We have these three 00:08:55.690 --> 00:08:58.929 supporting terms, threshold, attitude, and tolerance, 00:08:59.210 --> 00:09:01.669 that sound like they're synonyms, but they serve 00:09:01.669 --> 00:09:04.210 these distinct critical functions. Let's start 00:09:04.210 --> 00:09:06.740 with risk threshold. If risk appetite is the 00:09:06.740 --> 00:09:09.980 overall strategy, the risk threshold is the hard, 00:09:10.080 --> 00:09:12.679 measurable limit of that strategy. How should 00:09:12.679 --> 00:09:15.039 we visualize that? What's a good analogy for 00:09:15.039 --> 00:09:17.860 the threshold? Imagine risk appetite is a road, 00:09:17.980 --> 00:09:20.730 and it has a clearly marked speed limit. That 00:09:20.730 --> 00:09:22.629 speed limit is the threshold. Okay, so it's the 00:09:22.629 --> 00:09:24.809 upper boundary. It is the upper limit of the 00:09:24.809 --> 00:09:27.649 defined risk appetite. If appetite is the entire 00:09:27.649 --> 00:09:30.549 menu of acceptable choices, the risk threshold 00:09:30.549 --> 00:09:33.110 is the single most aggressive, the maximum cost 00:09:33.110 --> 00:09:35.230 item on that menu that the organization allows 00:09:35.230 --> 00:09:38.350 itself to order. Formally, the threshold is the 00:09:38.350 --> 00:09:40.590 maximal exposure before risk treatment is deemed 00:09:40.590 --> 00:09:43.450 necessary. And risk treatment just means action. 00:09:43.750 --> 00:09:47.799 Action. Intervention. allocating resources to 00:09:47.799 --> 00:09:51.539 reduce the risk, something has to be done. So 00:09:51.539 --> 00:09:53.860 if your project's potential cost overrun, for 00:09:53.860 --> 00:09:57.039 example, crosses that dollar threshold, the project 00:09:57.039 --> 00:09:59.519 manager loses their authority to just keep going. 00:09:59.700 --> 00:10:02.679 They need immediate corrective action or escalation. 00:10:02.820 --> 00:10:04.740 And this is where the ambiguity starts creeping 00:10:04.740 --> 00:10:07.179 in during real -world meetings, isn't it? Absolutely. 00:10:07.440 --> 00:10:10.179 One of the most common practical inconsistencies 00:10:10.179 --> 00:10:12.740 is that professionals will often use the term 00:10:12.740 --> 00:10:16.289 risk appetite. When what they actually mean is 00:10:16.289 --> 00:10:18.809 risk threshold. They just focus on that one hard 00:10:18.809 --> 00:10:21.809 boundary. Exactly. They look at the maximum acceptable 00:10:21.809 --> 00:10:24.470 level and they call it the appetite. But while 00:10:24.470 --> 00:10:26.490 the threshold defines the appetite's upper limit, 00:10:26.610 --> 00:10:28.970 it's only one point on the spectrum. It's not 00:10:28.970 --> 00:10:31.629 the entire range of acceptable risk. So understanding 00:10:31.629 --> 00:10:34.029 that distinction that the appetite covers all 00:10:34.029 --> 00:10:37.129 acceptable levels up to that threshold is essential 00:10:37.129 --> 00:10:38.970 if you want to sound like you really know what 00:10:38.970 --> 00:10:40.990 you're talking about. Precisely. The key to clarity 00:10:40.990 --> 00:10:44.440 is just remembering. Threshold is a single quantifiable 00:10:44.440 --> 00:10:47.399 boundary, while appetite describes the entire 00:10:47.399 --> 00:10:50.200 acceptable area below that boundary. Got it. 00:10:50.259 --> 00:10:51.820 Okay, now let's talk about the cultural element. 00:10:52.259 --> 00:10:55.580 Risk attitude. This term, especially when you 00:10:55.580 --> 00:10:58.120 pair it with appetite, it sounds almost identical. 00:10:58.580 --> 00:11:01.720 It does, but the difference is profound. Attitude 00:11:01.720 --> 00:11:03.860 is the mindset. Appetite is the measurement. 00:11:04.200 --> 00:11:07.039 And this is where that RRA model risk attitude 00:11:07.039 --> 00:11:10.360 and risk appetite becomes so useful, right? It's 00:11:10.360 --> 00:11:12.779 invaluable. It's the best tool for separating 00:11:12.779 --> 00:11:15.279 the subjective culture from the objective measurement. 00:11:15.519 --> 00:11:18.159 So risk attitude is the organization's approach 00:11:18.159 --> 00:11:21.240 to risk. It's a qualitative cultural disposition. 00:11:21.659 --> 00:11:24.879 It describes how the organization assesses, pursues, 00:11:24.960 --> 00:11:28.720 retains, or turns away from uncertainty. So like, 00:11:28.799 --> 00:11:31.500 is the company inherently pessimistic or optimistic 00:11:31.500 --> 00:11:33.620 when they're estimating future events? That's 00:11:33.620 --> 00:11:35.879 attitude. That's attitude, exactly. So if attitude 00:11:35.879 --> 00:11:38.120 is the organizational personality, cautious, 00:11:38.279 --> 00:11:40.740 aggressive, reactive, how does that connect to 00:11:40.740 --> 00:11:42.419 appetite, which we said is about the amount? 00:11:42.679 --> 00:11:44.759 Think of attitude as the gravitational pull of 00:11:44.759 --> 00:11:47.419 the company culture. And appetite is the measurable 00:11:47.419 --> 00:11:49.960 speed limit on the highway. Risk attitude influences 00:11:49.960 --> 00:11:52.039 the choice of the risk thresholds. Oh, I see. 00:11:52.159 --> 00:11:54.259 If the cultural attitude is highly cautious, 00:11:54.539 --> 00:11:57.419 the governance body, the board, will naturally 00:11:57.419 --> 00:12:00.740 choose to set a very low, easily reachable threshold. 00:12:01.480 --> 00:12:04.580 Meanwhile, risk appetite is the amount and type 00:12:04.580 --> 00:12:07.279 of risk. It's a quantification or the categorization. 00:12:07.360 --> 00:12:09.379 The attitude helps you choose the number. The 00:12:09.379 --> 00:12:11.039 appetite is the actual number written down in 00:12:11.039 --> 00:12:13.759 the policy. They're symbiotic, but they're not 00:12:13.759 --> 00:12:16.320 interchangeable. That distinction really clarifies 00:12:16.320 --> 00:12:18.240 the willingness element of all this. But now 00:12:18.240 --> 00:12:20.419 we have to introduce the most critical constraint, 00:12:20.620 --> 00:12:23.340 the term that stops willingness from becoming 00:12:23.340 --> 00:12:26.820 just pure recklessness, risk tolerance. Yes. 00:12:26.899 --> 00:12:30.259 This is where we move from desire to actual capability. 00:12:30.759 --> 00:12:33.500 This is the defining differentiator. And it has 00:12:33.500 --> 00:12:35.860 to be hammered home for any decision maker. It 00:12:35.860 --> 00:12:38.600 is so important. So to reiterate, risk appetite 00:12:38.600 --> 00:12:40.799 is how much risk the organization is willing 00:12:40.799 --> 00:12:44.279 to take on. It's a strategic choice. Risk tolerance 00:12:44.279 --> 00:12:47.240 is fundamentally structural. It is how much risk 00:12:47.240 --> 00:12:49.700 the organization is capable of taking on, and 00:12:49.700 --> 00:12:52.100 this is determined not by choice or desire, but 00:12:52.100 --> 00:12:55.000 by hard structural constraints. Things like regulatory 00:12:55.000 --> 00:12:57.679 mandates, think capital requirements in banking 00:12:57.679 --> 00:13:00.779 contractual obligations, available capital reserves, 00:13:01.200 --> 00:13:04.080 insurance coverage limits and market constraints 00:13:04.080 --> 00:13:07.299 like your ability to access liquidity during 00:13:07.299 --> 00:13:10.200 a crisis. So my appetite might be dictated by 00:13:10.200 --> 00:13:12.320 my ambition, but my tolerance is dictated by 00:13:12.320 --> 00:13:14.299 the regulations I have to follow and the actual 00:13:14.299 --> 00:13:17.220 money I have in the bank. Precisely. And this 00:13:17.220 --> 00:13:20.740 leads to the absolute defining rule of all risk 00:13:20.740 --> 00:13:24.019 management. An organization's risk threshold, 00:13:24.259 --> 00:13:27.220 their chosen maximum appetite, must always be 00:13:27.220 --> 00:13:30.700 lower than or equal to its risk tolerance, its 00:13:30.700 --> 00:13:33.379 maximum structural capacity. But doesn't the 00:13:33.379 --> 00:13:36.220 regulation, the tolerance, often just become 00:13:36.220 --> 00:13:38.240 the appetite? I mean, how do companies avoid 00:13:38.240 --> 00:13:40.440 just adopting the lowest common denominator that's 00:13:40.440 --> 00:13:43.100 mandated by law? If a regulator tells me I have 00:13:43.100 --> 00:13:45.259 to have X amount in capital reserves, doesn't 00:13:45.259 --> 00:13:47.539 that reserve level just become my de facto appetite 00:13:47.539 --> 00:13:49.580 since it sets the limit? That is a brilliant 00:13:49.580 --> 00:13:51.460 challenge, and it highlights the operational 00:13:51.460 --> 00:13:53.960 reality for a lot of firms. For heavily regulated 00:13:53.960 --> 00:13:57.159 industries, finance especially, tolerance often 00:13:57.159 --> 00:13:59.360 constrains appetite so tightly that they can 00:13:59.360 --> 00:14:01.720 look almost identical. However, the distinction 00:14:01.720 --> 00:14:05.419 remains strategic. A mature, well -governed bank 00:14:05.419 --> 00:14:07.940 might have a regulatory tolerance that allows 00:14:07.940 --> 00:14:11.500 it to run, say, a 10 to 1 leverage ratio. But 00:14:11.500 --> 00:14:14.610 its board... exercising strategic choice, might 00:14:14.610 --> 00:14:17.409 set its appetite threshold at a very cautious 00:14:17.409 --> 00:14:20.129 5 to 1 ratio. So they're providing a massive 00:14:20.129 --> 00:14:23.009 buffer against unexpected volatility. A massive 00:14:23.009 --> 00:14:25.129 buffer. They're choosing to be significantly 00:14:25.129 --> 00:14:27.929 less risky than their capacity actually allows. 00:14:28.250 --> 00:14:30.929 They're sacrificing potential return, their appetite, 00:14:31.169 --> 00:14:33.629 to ensure maximum safety, which is their tolerance. 00:14:33.909 --> 00:14:36.730 The moment a company loses that strategic separation 00:14:36.730 --> 00:14:39.590 and tries to push its appetite past its tolerance 00:14:39.590 --> 00:14:41.610 limit, they enter the realm of unacceptable. 00:14:41.840 --> 00:14:44.940 risk can you explain unacceptable risk in this 00:14:44.940 --> 00:14:47.120 context what does that mean exposure past the 00:14:47.120 --> 00:14:49.360 risk tolerance limit is unacceptable risk because 00:14:49.360 --> 00:14:52.279 it simply won't pass the organization's own risk 00:14:52.279 --> 00:14:55.200 acceptance criteria it jeopardizes the organization's 00:14:55.200 --> 00:14:58.059 solvency it violates regulatory covenants it 00:14:58.059 --> 00:15:00.759 risks irreversible reputational damage it means 00:15:00.759 --> 00:15:03.460 the potential consequences are structurally unrecoverable 00:15:03.460 --> 00:15:05.440 and you see this in corporate history all the 00:15:05.440 --> 00:15:08.720 time Many large corporate failures, and not just 00:15:08.720 --> 00:15:11.419 because of fraud, but because of mismanaged rapid 00:15:11.419 --> 00:15:14.840 expansion. They all stemmed from leadership's 00:15:14.840 --> 00:15:18.360 appetite exceeding the organization's true stress 00:15:18.360 --> 00:15:21.240 -tested tolerance. They bit off more than they 00:15:21.240 --> 00:15:23.700 could possibly chew. Okay, let's use the practical 00:15:23.700 --> 00:15:25.879 example from the source material, the loan scenario. 00:15:26.120 --> 00:15:28.399 It ties all these terms together so well, and 00:15:28.399 --> 00:15:30.179 I think it will give maximum clarity for the 00:15:30.179 --> 00:15:32.399 listener. Perfect. Let's imagine a technology 00:15:32.399 --> 00:15:35.360 firm. They're considering a major capital investment. 00:15:35.759 --> 00:15:38.460 And they're probably going to need a loan. First, 00:15:38.679 --> 00:15:41.360 the firm does its risk management analysis. They 00:15:41.360 --> 00:15:43.500 stress test their balance sheet. They calculate 00:15:43.500 --> 00:15:45.700 their collateral. They review their debt covenants. 00:15:45.879 --> 00:15:48.659 And they conclude that structurally, they are 00:15:48.659 --> 00:15:52.059 capable of sustaining up to, say, $100 ,000 in 00:15:52.059 --> 00:15:54.480 additional debt without jeopardizing their core 00:15:54.480 --> 00:15:57.200 operations. So that $100 ,000 figure is their 00:15:57.200 --> 00:15:59.559 risk tolerance. That's the hard limit, the ceiling 00:15:59.559 --> 00:16:01.960 imposed by capability. They cannot go above that. 00:16:02.080 --> 00:16:05.000 OK, what's next? Next, the board and the strategic 00:16:05.000 --> 00:16:08.080 leadership, guided by their risk attitude, let's 00:16:08.080 --> 00:16:10.500 say they're generally cautious, they decide how 00:16:10.500 --> 00:16:12.519 much debt they're willing to take on to meet 00:16:12.519 --> 00:16:15.600 their current growth objectives. They agree that 00:16:15.600 --> 00:16:18.840 a $50 ,000 loan represents the highest prudent 00:16:18.840 --> 00:16:21.899 exposure they want to embrace. So that $50 ,000, 00:16:22.059 --> 00:16:24.100 that becomes the risk threshold. It's the absolute 00:16:24.100 --> 00:16:25.980 upper boundary of their willingness. Correct. 00:16:26.019 --> 00:16:28.019 And finally, the entire spectrum of choices. 00:16:28.490 --> 00:16:31.370 From $1 all the way up to that $50 ,000 limit, 00:16:31.529 --> 00:16:34.070 where management is defining acceptable exposure 00:16:34.070 --> 00:16:36.629 for different levels of damage or operational 00:16:36.629 --> 00:16:39.809 impact. That defines the full scope of their 00:16:39.809 --> 00:16:41.690 risk appetite. They're choosing to operate well 00:16:41.690 --> 00:16:44.110 within their structural capacity. Exactly. And 00:16:44.110 --> 00:16:46.590 what if they decided to take a $105 ,000 loan 00:16:46.590 --> 00:16:49.450 based purely on an aggressive appetite? Just 00:16:49.450 --> 00:16:52.529 because they wanted to. That extra $5 ,000, the 00:16:52.529 --> 00:16:55.330 amount past the $100 ,000 limit, is instantly 00:16:55.330 --> 00:16:57.669 unacceptable risk. It's structurally impossible 00:16:57.669 --> 00:17:00.529 for them to absorb that potential loss. And no 00:17:00.529 --> 00:17:02.549 amount of managerial willingness or ambition 00:17:02.549 --> 00:17:05.130 can change that fundamental reality. So that 00:17:05.130 --> 00:17:07.509 sequence appetite, which is willingness, always 00:17:07.509 --> 00:17:10.069 being constrained by tolerance, which is capability, 00:17:10.450 --> 00:17:13.349 that is the most important lesson in this entire 00:17:13.349 --> 00:17:15.950 deep dive. It absolutely is. The loan example 00:17:15.950 --> 00:17:18.910 really grounds the theory brilliantly. But as 00:17:18.910 --> 00:17:21.470 we've noted, organizational risk isn't always 00:17:21.470 --> 00:17:23.789 financial. You can quantify debt. That's easy. 00:17:23.930 --> 00:17:26.029 But how do you measure your appetite when the 00:17:26.029 --> 00:17:29.029 risk is, say, reputational damage or the failure 00:17:29.029 --> 00:17:31.690 of a disruptive new product or the morale impact 00:17:31.690 --> 00:17:34.450 of a major restructuring? That is precisely why 00:17:34.450 --> 00:17:37.430 precise quantitative measurement isn't always 00:17:37.430 --> 00:17:40.180 possible. When we deal with these non -financial 00:17:40.180 --> 00:17:43.019 risks, organizations have to rely on broad strategic 00:17:43.019 --> 00:17:45.900 statements or a system of qualitative categories 00:17:45.900 --> 00:17:48.039 to define their risk approach. And this gives 00:17:48.039 --> 00:17:50.960 us the risk appetite spectrum. Yes. It provides 00:17:50.960 --> 00:17:53.400 a personality framework for risk -taking. And 00:17:53.400 --> 00:17:56.160 this spectrum is where the organizational culture 00:17:56.160 --> 00:18:00.039 towards WISC really, really shines through. It 00:18:00.039 --> 00:18:02.359 gives specific language for aligning action with 00:18:02.359 --> 00:18:05.220 strategy. And it's critical for making sure that, 00:18:05.279 --> 00:18:08.000 say, a project manager isn't acting in total 00:18:08.000 --> 00:18:10.420 opposition to the board's overarching philosophy. 00:18:10.920 --> 00:18:13.299 Let's walk through the five qualitative levels, 00:18:13.519 --> 00:18:16.339 starting at the lowest, most extreme end. Okay, 00:18:16.400 --> 00:18:18.460 we begin with the organization that adopts an 00:18:18.460 --> 00:18:21.539 averse appetite. For this group, the avoidance 00:18:21.539 --> 00:18:23.599 of risk and uncertainty isn't just a preference. 00:18:23.759 --> 00:18:27.019 It is a key organizational objective. Their whole 00:18:27.019 --> 00:18:29.720 mission is defined by absolute stability and 00:18:29.720 --> 00:18:31.740 predictability. And what's the archetype here? 00:18:31.819 --> 00:18:33.500 Who has to be averse? You have to think about 00:18:33.500 --> 00:18:36.039 organizations dealing with irreversible, high 00:18:36.039 --> 00:18:39.240 -impact consequences. A regulatory body that 00:18:39.240 --> 00:18:41.539 oversees the safety of air traffic control, for 00:18:41.539 --> 00:18:43.359 example. Or a nuclear power station operator. 00:18:43.619 --> 00:18:46.220 Failure is not an option. Not an option. Their 00:18:46.220 --> 00:18:49.000 mandate is failure prevention above all else. 00:18:49.119 --> 00:18:52.519 They must tolerate zero deviation from strict 00:18:52.519 --> 00:18:55.519 protocol. And their appetite for any uncertainty 00:18:55.519 --> 00:18:59.019 is effectively nil. Every single decision has 00:18:59.019 --> 00:19:00.579 to be filtered through the lens of minimizing 00:19:00.579 --> 00:19:03.799 likelihood and minimizing impact, even if it 00:19:03.799 --> 00:19:06.000 means sacrificing huge amounts of operational 00:19:06.000 --> 00:19:09.539 efficiency or profit potential. OK, moving up 00:19:09.539 --> 00:19:13.000 just a little bit from that, we find the. Minimal 00:19:13.000 --> 00:19:16.940 means the organization prefers ultra -safe, low 00:19:16.940 --> 00:19:19.720 -risk options. They're seeking preservation and 00:19:19.720 --> 00:19:22.160 continuity over growth, and they know this approach 00:19:22.160 --> 00:19:24.539 only offers the potential for very limited rewards. 00:19:24.980 --> 00:19:27.259 They're willing to accept some unavoidable risk, 00:19:27.420 --> 00:19:30.039 but they actively resist any path that introduces 00:19:30.039 --> 00:19:32.759 unnecessary volatility. What does that look like 00:19:32.759 --> 00:19:35.220 in the real world? Consider a large, mature, 00:19:35.380 --> 00:19:37.740 regulated utility company, one that maintains 00:19:37.740 --> 00:19:39.680 critical public infrastructure, like a power 00:19:39.680 --> 00:19:42.259 grid or water system. Their core business provides 00:19:42.259 --> 00:19:45.200 stable, limited returns. They're only going to 00:19:45.200 --> 00:19:47.799 invest in necessary, proven upgrades to their 00:19:47.799 --> 00:19:50.180 infrastructure, and they will only approve new 00:19:50.180 --> 00:19:53.079 projects that adhere to an ultra -low probability 00:19:53.079 --> 00:19:56.180 of failure. The objective is just to maintain 00:19:56.180 --> 00:19:59.019 service continuity and generate reliable, if 00:19:59.019 --> 00:20:02.390 unexciting, quarterly returns. The next step 00:20:02.390 --> 00:20:04.970 up from that is cautious. And this feels like 00:20:04.970 --> 00:20:07.289 where a lot of large established companies tend 00:20:07.289 --> 00:20:09.970 to live. What's the key difference between minimal 00:20:09.970 --> 00:20:12.910 and cautious? The cautious organization is a 00:20:12.910 --> 00:20:15.730 bit more proactive. They still prefer safe options 00:20:15.730 --> 00:20:18.410 and a low degree of risk, but they are actively 00:20:18.410 --> 00:20:21.049 looking for limited potential for reward. The 00:20:21.049 --> 00:20:22.990 key difference is really their approach to innovation. 00:20:23.309 --> 00:20:25.809 How so? A minimal company avoids new technology 00:20:25.809 --> 00:20:27.950 unless they're forced to by aging infrastructure. 00:20:28.939 --> 00:20:30.799 Akash's company, on the other hand, will adopt 00:20:30.799 --> 00:20:33.259 a new technology, but only after extensive piloting, 00:20:33.259 --> 00:20:35.240 vendor vetting, and proof that their competitors 00:20:35.240 --> 00:20:37.710 have already successfully deployed it. So a cautious 00:20:37.710 --> 00:20:40.710 organization might expand into a new adjacent 00:20:40.710 --> 00:20:43.529 geographical market, but they're going to hedge 00:20:43.529 --> 00:20:46.109 their bets heavily. They'll enter through joint 00:20:46.109 --> 00:20:49.650 venture maybe and only deploy proven non -disruptive 00:20:49.650 --> 00:20:53.009 business models. They take calculated low stakes 00:20:53.009 --> 00:20:55.910 risks where the payoff, even if it's small, is 00:20:55.910 --> 00:20:58.210 highly probable. That is the strategic profile. 00:20:58.369 --> 00:21:01.029 Exactly. Then we reach the middle of the road, 00:21:01.170 --> 00:21:03.519 the open appetite. This is the appetite of the 00:21:03.519 --> 00:21:06.720 actively competitive organization. An open appetite 00:21:06.720 --> 00:21:09.319 signals a willingness to consider all viable 00:21:09.319 --> 00:21:11.880 options, including some that involve moderate 00:21:11.880 --> 00:21:14.640 uncertainty, and then choose the one most likely 00:21:14.640 --> 00:21:16.920 to succeed while providing an acceptable level 00:21:16.920 --> 00:21:19.460 of reward and value for money. So it's a very 00:21:19.460 --> 00:21:21.579 rational approach. Very rational. They're not 00:21:21.579 --> 00:21:23.500 chasing moonshots, but they're also not paralyzed 00:21:23.500 --> 00:21:26.579 by caution. They embrace measured uncertainty 00:21:26.579 --> 00:21:29.480 as just part of the competition. This could describe 00:21:29.480 --> 00:21:32.059 a major software company that's focused on iterative 00:21:32.059 --> 00:21:35.220 improvements, not radical shifts, or a manufacturer 00:21:35.220 --> 00:21:37.900 focused on optimizing its existing global supply 00:21:37.900 --> 00:21:40.579 chain. They're seeking the best route, not just 00:21:40.579 --> 00:21:43.000 the safest one, but they need the math to back 00:21:43.000 --> 00:21:46.480 it up. And finally, we hit the top of the spectrum. 00:21:47.559 --> 00:21:50.779 Hungary. This is the profile of disruption. This 00:21:50.779 --> 00:21:53.680 is Silicon Valley. Absolutely. A hungry appetite 00:21:53.680 --> 00:21:56.339 means the organization is eager to be innovative. 00:21:56.559 --> 00:21:58.720 They're selecting options that offer potentially 00:21:58.720 --> 00:22:01.500 huge business rewards despite the greater inherent 00:22:01.500 --> 00:22:04.039 risk. They understand that a high percentage 00:22:04.039 --> 00:22:06.859 of these ventures will probably fail. The breakthrough 00:22:06.859 --> 00:22:09.660 success of the few that do succeed will dramatically 00:22:09.660 --> 00:22:11.759 alter their market standing and their return 00:22:11.759 --> 00:22:14.240 on investment. And the archetypes here are obvious. 00:22:14.829 --> 00:22:17.490 The biotech startup in its Series A funding round, 00:22:17.609 --> 00:22:19.970 a venture capital fund betting on nascent AI 00:22:19.970 --> 00:22:22.569 or the research division within a huge pharmaceutical 00:22:22.569 --> 00:22:24.730 company. They aren't just accepting failure. 00:22:24.970 --> 00:22:27.690 Their risk framework actively budgets for and 00:22:27.690 --> 00:22:30.589 encourages high risk experimentation. They use 00:22:30.589 --> 00:22:33.049 failure as a necessary stepping stone to success. 00:22:33.390 --> 00:22:36.250 And the ability for an organization to place 00:22:36.250 --> 00:22:39.089 itself correctly on this spectrum and to communicate 00:22:39.089 --> 00:22:41.710 that placement clearly is what ensures internal 00:22:41.710 --> 00:22:45.170 alignment. Without these categories, how would 00:22:45.170 --> 00:22:47.329 the head of IT know whether to invest in bleeding 00:22:47.329 --> 00:22:49.849 -edge security software, which is a hungry choice, 00:22:50.049 --> 00:22:53.130 or stick with a decade -old proven system, a 00:22:53.130 --> 00:22:55.750 minimal choice? That distinction between the 00:22:55.750 --> 00:22:58.769 five levels is so essential because it just dismantles 00:22:58.769 --> 00:23:01.109 the myth that a company has one single risk appetite. 00:23:01.490 --> 00:23:04.309 In reality, large organizations are intensely 00:23:04.309 --> 00:23:07.309 multidimensional. Absolutely. You cannot run 00:23:07.309 --> 00:23:09.789 an organization with a singular monolithic appetite. 00:23:09.930 --> 00:23:12.910 As we noted, a company might be averse to financial 00:23:12.910 --> 00:23:15.490 leverage, refusing to take on new debt, but at 00:23:15.490 --> 00:23:17.750 the same time be hungry for technical innovation, 00:23:18.069 --> 00:23:20.349 pouring capital into R &D that has a high chance 00:23:20.349 --> 00:23:22.529 of failure. Let's take that classic split. The 00:23:22.529 --> 00:23:24.150 Research and Development Department is encouraged 00:23:24.150 --> 00:23:27.069 to fail fast, fail offer. Their operational risk 00:23:27.069 --> 00:23:30.369 appetite is firmly hungry. Meanwhile, the Treasury 00:23:30.369 --> 00:23:32.710 Department that manages the organization's cash 00:23:32.710 --> 00:23:35.390 reserves and daily liquidity needs, they are 00:23:35.390 --> 00:23:38.470 definitively averse. They prioritize capital 00:23:38.470 --> 00:23:41.170 preservation and regulatory compliance above 00:23:41.170 --> 00:23:43.230 everything. This is a fundamental challenge. 00:23:43.470 --> 00:23:47.230 The R &D team needs a budget to run 10 expensive 00:23:47.230 --> 00:23:50.349 high -risk experiments. The Treasury team sees 00:23:50.349 --> 00:23:53.089 those 10 experiments as a direct threat to their 00:23:53.089 --> 00:23:55.250 capital preservation strategy. So what's the 00:23:55.250 --> 00:23:58.430 solution? The necessity, then, is an overarching 00:23:58.430 --> 00:24:01.529 framework set by the board that reconciles these 00:24:01.529 --> 00:24:04.049 different appetites. The framework has to articulate 00:24:04.049 --> 00:24:06.329 that the financial risk associated with all those 00:24:06.329 --> 00:24:09.859 R &D projects must never collectively violate 00:24:09.859 --> 00:24:12.380 the adverse financial tolerance set by Treasury, 00:24:12.559 --> 00:24:15.480 which itself is based on regulatory capital requirements. 00:24:15.859 --> 00:24:18.700 The hunger has to be strictly limited to the 00:24:18.700 --> 00:24:20.779 R &D sandbox. So the framework is the mechanism 00:24:20.779 --> 00:24:23.440 for ensuring that the total sum of all the individual 00:24:23.440 --> 00:24:26.119 specialized risks taken across the entire organization 00:24:26.119 --> 00:24:28.980 doesn't exceed the enterprise -wide structural 00:24:28.980 --> 00:24:32.769 capacity, the risk tolerance. Exactly. And while 00:24:32.769 --> 00:24:34.650 these qualitative categories are really useful 00:24:34.650 --> 00:24:37.250 for cultural alignment, we have to strive for 00:24:37.250 --> 00:24:40.230 quantitative measurement wherever we can. How 00:24:40.230 --> 00:24:42.970 do organizations move from a word like cautious 00:24:42.970 --> 00:24:46.450 to a concrete, actionable number? That's the 00:24:46.450 --> 00:24:48.650 key question. They align the appetite definition 00:24:48.650 --> 00:24:51.890 with their standard risk metrics, the same ones 00:24:51.890 --> 00:24:55.509 they use to define impact and likelihood. A qualitative 00:24:55.509 --> 00:24:58.509 statement is, frankly, useless to a project manager. 00:24:58.809 --> 00:25:02.309 A number is actionable. So for a major infrastructure 00:25:02.309 --> 00:25:05.210 project, instead of just stating we are cautious 00:25:05.210 --> 00:25:07.730 about schedule slippage, the organization defines 00:25:07.730 --> 00:25:09.809 the appetite by setting key performance indicators 00:25:09.809 --> 00:25:12.450 or KPIs. Give me an example. It would sound like 00:25:12.450 --> 00:25:15.150 this. Maximum acceptable project delay is four 00:25:15.150 --> 00:25:18.180 weeks for phase one. or a cost overrun exposure 00:25:18.180 --> 00:25:22.140 greater than $150 ,000. Operating past this threshold 00:25:22.140 --> 00:25:24.619 requires executive intervention. That turns the 00:25:24.619 --> 00:25:26.880 qualitative concept into a measurable metric. 00:25:27.160 --> 00:25:29.920 It tells the decision maker exactly what level 00:25:29.920 --> 00:25:32.160 of acceptable loss they can tolerate before they 00:25:32.160 --> 00:25:34.619 have to escalate the issue or stop the work or 00:25:34.619 --> 00:25:36.859 trigger a contingency plan. And that is the difference 00:25:36.859 --> 00:25:39.000 between organizational philosophy and operational 00:25:39.000 --> 00:25:41.839 policy. So we've established the definitions, 00:25:41.960 --> 00:25:44.759 the boundaries, the measurement tools. Now let's 00:25:44.759 --> 00:25:47.890 talk about implementation. Who organizationally 00:25:47.890 --> 00:25:50.829 has the authority and the responsibility to set 00:25:50.829 --> 00:25:54.430 this critical philosophical framework? The setting 00:25:54.430 --> 00:25:57.250 of risk appetite is a foundational element of 00:25:57.250 --> 00:26:00.150 organizational governance. So it has to, I mean, 00:26:00.150 --> 00:26:02.930 it must originate at the highest level. The very 00:26:02.930 --> 00:26:06.049 top. The very top. For large publicly traded 00:26:06.049 --> 00:26:08.329 companies, the board of directors is explicitly 00:26:08.329 --> 00:26:11.710 responsible. Our sources, they reference governance 00:26:11.710 --> 00:26:13.450 structures like the UK's Financial Reporting 00:26:13.450 --> 00:26:15.869 Council, and they make it very clear that the 00:26:15.869 --> 00:26:19.069 board determines the nature and extent of the 00:26:19.069 --> 00:26:21.390 significant risks the company is willing to embrace. 00:26:21.690 --> 00:26:24.029 It has to come from the top because it is fundamentally 00:26:24.029 --> 00:26:26.769 a strategic statement about how the company intends 00:26:26.769 --> 00:26:29.049 to survive and compete and generate returns for 00:26:29.049 --> 00:26:31.329 its shareholders. It's an articulation of their 00:26:31.329 --> 00:26:34.490 competitive strategy. It is. However, the operation 00:26:34.490 --> 00:26:37.190 of the appetite is delegated. Once the board 00:26:37.190 --> 00:26:39.750 sets the broad strategic goals, the hungry or 00:26:39.750 --> 00:26:42.410 averse designation, for instance, the day -to 00:26:42.410 --> 00:26:44.690 -day decision -making is passed down. And this 00:26:44.690 --> 00:26:46.829 is where authorizing officials come in. And these 00:26:46.829 --> 00:26:48.710 are the people on the front lines making the 00:26:48.710 --> 00:26:51.549 specific risk acceptance decisions? Correct. 00:26:51.609 --> 00:26:54.529 They are empowered to accept risk, but only within 00:26:54.529 --> 00:26:58.480 clearly defined thresholds. The organizational 00:26:58.480 --> 00:27:00.920 structure has to link the severity of the potential 00:27:00.920 --> 00:27:03.839 loss to the required seniority of the decision 00:27:03.839 --> 00:27:06.440 maker. That makes sense. A mid -level IT manager, 00:27:06.579 --> 00:27:09.119 for example, might have the authority to accept 00:27:09.119 --> 00:27:12.500 a risk exposure like system downtime up to maybe 00:27:12.500 --> 00:27:16.140 a $5 ,000 threshold. If the potential loss exposure 00:27:16.140 --> 00:27:20.299 crosses a higher threshold, say $100 ,000, that 00:27:20.299 --> 00:27:23.079 acceptance criterion requires authorization from 00:27:23.079 --> 00:27:25.440 a vice president. And if it crosses the enterprise 00:27:25.440 --> 00:27:27.859 -wide financial tolerance? Then it requires CFO 00:27:27.859 --> 00:27:30.440 or even board approval. This system is what ensures 00:27:30.440 --> 00:27:32.640 that the operational reality actually adheres 00:27:32.640 --> 00:27:34.799 to this strategic appetite set at the top. And 00:27:34.799 --> 00:27:37.519 this framework is so intensely context dependent. 00:27:37.680 --> 00:27:39.480 We mentioned this earlier, but let's look at 00:27:39.480 --> 00:27:41.880 the crucial high and low appetite contexts again, 00:27:42.000 --> 00:27:44.759 just to reinforce why. the RA shifts so wildly 00:27:44.759 --> 00:27:47.339 based on the organizational objective. Let's 00:27:47.339 --> 00:27:50.259 start with a low appetite context. For organizations 00:27:50.259 --> 00:27:52.619 where public safety and irreversible consequences 00:27:52.619 --> 00:27:55.480 are paramount, the appetite has to be averse. 00:27:55.660 --> 00:27:57.880 We go back to the nuclear power station. The 00:27:57.880 --> 00:27:59.599 nuclear power station or air traffic control. 00:27:59.740 --> 00:28:02.279 In these systems, operational efficiency is secondary. 00:28:02.829 --> 00:28:05.210 Their processes have to be designed with massive 00:28:05.210 --> 00:28:08.329 redundancy and really conservative margins. They 00:28:08.329 --> 00:28:10.990 accept that this low appetite results in huge 00:28:10.990 --> 00:28:14.210 capital expenditure on safety and slower, more 00:28:14.210 --> 00:28:16.529 deliberate processes because the alternative 00:28:16.529 --> 00:28:18.730 is just catastrophic. So the objective there 00:28:18.730 --> 00:28:21.309 is preservation. But conversely, let's look at 00:28:21.309 --> 00:28:23.369 the high appetite context. We use the example 00:28:23.369 --> 00:28:26.069 of a pharmaceutical company in early drug discovery 00:28:26.069 --> 00:28:28.410 or maybe a team developing a complex disruptive 00:28:28.410 --> 00:28:31.190 computer program. Here, the objective is disruption 00:28:31.190 --> 00:28:34.049 and breakthrough. They realize that 90 % of their 00:28:34.049 --> 00:28:36.250 attempts are going to fail. Therefore, their 00:28:36.250 --> 00:28:38.990 risk appetite is hungry. They accept short -term 00:28:38.990 --> 00:28:41.529 failure and capital burn as necessary inputs 00:28:41.529 --> 00:28:43.849 to the process. The framework mandates that they 00:28:43.849 --> 00:28:46.710 fail fast, they iterate, and they use that failure 00:28:46.710 --> 00:28:49.069 to inform the next, hopefully more successful, 00:28:49.210 --> 00:28:52.049 attempt. The key difference is that the failure 00:28:52.049 --> 00:28:54.509 of one drug trial is reversible. The failure 00:28:54.509 --> 00:28:56.990 of a nuclear plant is not. The reversibility 00:28:56.990 --> 00:28:59.410 of failure heavily influences the acceptable 00:28:59.410 --> 00:29:02.119 appetite. Okay, so what's the payoff? I mean, 00:29:02.140 --> 00:29:04.980 beyond simply tracking risk, what are the measurable 00:29:04.980 --> 00:29:07.319 benefits for an organization that really commits 00:29:07.319 --> 00:29:10.319 to rigorously defining and implementing its risk 00:29:10.319 --> 00:29:12.640 appetite framework? The benefits, they touch 00:29:12.640 --> 00:29:14.299 the entire nervous system of the organization, 00:29:14.559 --> 00:29:17.240 from strategy to budget to culture. The first 00:29:17.240 --> 00:29:19.460 major benefit is balance. As we've discussed, 00:29:19.740 --> 00:29:21.759 defining RA achieves an appropriate balance. 00:29:21.940 --> 00:29:24.240 It provides a strategic, defined sandbox for 00:29:24.240 --> 00:29:26.460 innovators to play in without letting them recklessly 00:29:26.460 --> 00:29:28.859 risk the entire company's capital. It acts as 00:29:28.859 --> 00:29:30.980 a governor on strategic ambition. The second 00:29:30.980 --> 00:29:34.319 is consistency. This is so critical for preventing 00:29:34.319 --> 00:29:37.819 organizational friction. A defined appetite guides 00:29:37.819 --> 00:29:40.099 every single decision maker on the permitted 00:29:40.099 --> 00:29:43.000 level of risk, and that ensures consistency across 00:29:43.000 --> 00:29:45.740 every department and every project. Without a 00:29:45.740 --> 00:29:48.859 defined appetite, you just get chaos. One manager 00:29:48.859 --> 00:29:50.900 is aggressively pushing boundaries while their 00:29:50.900 --> 00:29:53.880 peer is paralyzed by excessive caution, and that 00:29:53.880 --> 00:29:56.539 leads to missed opportunities and a lot of internal 00:29:56.539 --> 00:29:59.490 conflict. And the third, and maybe the most practical 00:29:59.490 --> 00:30:02.190 benefit. Improved resource allocation and efficiency. 00:30:02.450 --> 00:30:05.170 If an organization defines an acceptable level 00:30:05.170 --> 00:30:07.789 of retained risk for a certain category, say 00:30:07.789 --> 00:30:11.210 a maximum financial loss exposure of $50 ,000, 00:30:11.529 --> 00:30:13.509 and their current operational risk is only at 00:30:13.509 --> 00:30:16.410 $5 ,000, they have a clear signal. A signal not 00:30:16.410 --> 00:30:18.670 to spend more money. Exactly. They do not need 00:30:18.670 --> 00:30:20.549 to spend an additional million dollars to reduce 00:30:20.549 --> 00:30:23.349 that risk even further. Resources aren't wasted 00:30:23.349 --> 00:30:25.650 on mitigating risks that are already at a structurally 00:30:25.650 --> 00:30:28.180 acceptable level. And this alone can save enormous 00:30:28.180 --> 00:30:30.019 amounts of capital and prevent a lot of unnecessary 00:30:30.019 --> 00:30:32.920 bureaucracy. That focus on efficiency is a really 00:30:32.920 --> 00:30:35.039 powerful argument for formalizing these concepts. 00:30:35.460 --> 00:30:37.819 Finally, let's just briefly touch on the practical 00:30:37.819 --> 00:30:40.259 areas where these definitions are applied. The 00:30:40.259 --> 00:30:42.920 sources identify six main topical areas where 00:30:42.920 --> 00:30:45.740 organizations have to define their RA. These 00:30:45.740 --> 00:30:48.740 are the major risk domains that require an explicit 00:30:48.740 --> 00:30:51.630 strategic definition of willingness. We start 00:30:51.630 --> 00:30:54.569 with financial risk. This is the classic application 00:30:54.569 --> 00:30:57.250 defining comfort levels with debt, liquidity, 00:30:57.529 --> 00:30:59.809 investment strategies, trading positions, all 00:30:59.809 --> 00:31:03.009 of that. Next is health risk. Which is more than 00:31:03.009 --> 00:31:05.759 just hard hats. Much more. It covers not just 00:31:05.759 --> 00:31:07.940 immediate employee safety protocols and equipment, 00:31:08.099 --> 00:31:10.980 but also long -term liabilities, ergonomic design, 00:31:11.240 --> 00:31:13.500 and even mental well -being initiatives. Okay, 00:31:13.579 --> 00:31:16.140 third is recreational risk. This one might seem 00:31:16.140 --> 00:31:18.359 low priority, but it involves organizational 00:31:18.359 --> 00:31:20.339 liability in things like corporate -sponsored 00:31:20.339 --> 00:31:22.980 activities, team -building excursions. And how 00:31:22.980 --> 00:31:24.759 far are the companies willing to go to encourage 00:31:24.759 --> 00:31:28.259 specific employee behaviors, like extreme sports 00:31:28.259 --> 00:31:30.859 or high -risk travel, as part of a wellness program? 00:31:31.210 --> 00:31:33.410 The fourth and fifth are increasingly critical, 00:31:33.609 --> 00:31:37.039 ethical risk and social risk. Ethical risk defines 00:31:37.039 --> 00:31:39.240 the organization's comfort level with decisions 00:31:39.240 --> 00:31:41.359 that might push the boundaries of business practices. 00:31:41.599 --> 00:31:43.539 For example, getting involved in controversial 00:31:43.539 --> 00:31:46.180 markets or how far they're willing to push intellectual 00:31:46.180 --> 00:31:49.359 property law. Social risk is tightly linked to 00:31:49.359 --> 00:31:51.680 that. How so? It deals with reputation management, 00:31:51.940 --> 00:31:54.319 community impact, and the level of tolerance 00:31:54.319 --> 00:31:56.599 for public dissent or negative media coverage 00:31:56.599 --> 00:31:59.240 related to their operations. And this is where 00:31:59.240 --> 00:32:01.740 the appetite becomes really challenging to quantify. 00:32:02.019 --> 00:32:04.220 An organization might be hungry for a financial 00:32:04.220 --> 00:32:06.890 return. but then discover that a sudden averse 00:32:06.890 --> 00:32:09.849 attitude is necessary for social risk after a 00:32:09.849 --> 00:32:13.069 major public outcry. Absolutely. And finally, 00:32:13.150 --> 00:32:15.869 information risk. This is the contemporary critical 00:32:15.869 --> 00:32:19.430 area. It's about defining the appetite for exposure 00:32:19.430 --> 00:32:22.710 to cybersecurity threats, data breaches, and 00:32:22.710 --> 00:32:25.250 ensuring the integrity and compliance of internal 00:32:25.250 --> 00:32:27.730 data systems. A high appetite here could mean 00:32:27.730 --> 00:32:30.869 adopting new, unproven AI software for efficiency. 00:32:31.269 --> 00:32:33.769 And a low appetite means sticking to hardened 00:32:33.769 --> 00:32:36.329 proprietary... networks. Looking at those six, 00:32:36.470 --> 00:32:38.789 the multidimensional nature is crystal clear. 00:32:38.970 --> 00:32:42.089 A global bank might be completely averse in financial 00:32:42.089 --> 00:32:45.710 and information risk, but cautious or even open 00:32:45.710 --> 00:32:48.470 in recreational risk to boost employee morale 00:32:48.470 --> 00:32:51.970 and retention. That strategic juggling act must 00:32:51.970 --> 00:32:55.789 be immense. So this deep dive has really focused 00:32:55.789 --> 00:32:58.509 on turning that dense organizational jargon into 00:32:58.509 --> 00:33:01.809 actionable clarity. For you, the listener, the 00:33:01.809 --> 00:33:04.609 key takeaway is that risk appetite is a deliberate 00:33:04.609 --> 00:33:07.490 analytical choice that flows directly from rigorous 00:33:07.490 --> 00:33:10.289 risk management. It's the organization's expression 00:33:10.289 --> 00:33:12.849 of its willingness to act. And crucially, it 00:33:12.849 --> 00:33:14.829 has to be distinguished clearly from its risk 00:33:14.829 --> 00:33:17.089 tolerance, that hard limit of its capability 00:33:17.089 --> 00:33:19.789 imposed by structural constraints, and its risk 00:33:19.789 --> 00:33:21.789 attitude, which is the underlying cultural mindset. 00:33:22.269 --> 00:33:24.450 Mastering those distinctions is what allows professionals 00:33:24.450 --> 00:33:26.890 to move beyond just, you know, compliance and 00:33:26.890 --> 00:33:28.970 toward true strategic advantage. It provides 00:33:28.970 --> 00:33:30.809 the framework for smart decision making that 00:33:30.809 --> 00:33:32.890 seeks gain while avoiding structural catastrophe. 00:33:33.390 --> 00:33:35.789 And that leads us to a final provocative thought 00:33:35.789 --> 00:33:37.849 for you to consider as you reflect on all this 00:33:37.849 --> 00:33:40.670 material. We've established that complex organizations 00:33:40.670 --> 00:33:43.490 necessitate these conflicting internal appetites. 00:33:43.630 --> 00:33:46.710 A safety team has to be averse. A finance team 00:33:46.710 --> 00:33:48.829 might be hungry. The real challenge is in the 00:33:48.829 --> 00:33:50.750 coordination. So the question to leave you with 00:33:50.750 --> 00:33:53.309 is this. Given that these internal teams often 00:33:53.309 --> 00:33:55.349 compete for the exact same capital and resources, 00:33:55.710 --> 00:33:58.190 how does a global company successfully reconcile 00:33:58.190 --> 00:34:01.009 and coordinate an adverse attitude in one critical 00:34:01.009 --> 00:34:04.009 area with a hungry attitude in another without 00:34:04.009 --> 00:34:07.230 creating systemic internal conflict or accidentally 00:34:07.230 --> 00:34:10.010 allowing the sum of all its risk decisions to 00:34:10.010 --> 00:34:11.989 violate the hard tolerance limit of the entire 00:34:11.989 --> 00:34:14.309 enterprise? That overarching framework requires 00:34:14.309 --> 00:34:17.010 constant vigilance and some very difficult tradeoffs.