There is a link between risk preference and preferred risk response. The more risk adverse the Board of an institution is, the higher the chances the organisation will resort to risk avoidance, risk mitigation or risk transfer.
Risk avoidance is the most straightforward concept: “should we accept this risk?” is answered with “Yes” or “No”.
This decision does not have to be quantitatively justified. Indeed, as expressed by FSB, this part of the Risk Appetite Statement involves “(…) qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk”. This makes it an obvious candidate for easy definition and clear communication within the company.
However, avoiding risk is not neutral from a business perspective; in fact, systematic risk avoidance will ultimately lead to a form of loss (e.g. market share, profitability or reputation). Avoidance of risks, despite apparent simplicity, should be the last resort option, when all mitigation options are ruled out. Cases where the decision would have an immediate negative impact on the company’s image (e.g. politically exposed individuals, recourse to short sales or investment in embargoed products or markets) are exceptions.
The more risk-adverse company can opt for risk mitigation or risk transfer.
Either as a requirement for the institution to accept additional risky exposure, or a consequence of sudden changes in the macroeconomic environment or the portfolio / business risk profile.
In a Risk Appetite Framework perspective, this becomes a balancing act: in search for additional revenues (or any other reward for the risk taken), the institution aware of its risk profile can estimate its risk capacity and tolerance, with all exposures outside of the tolerance range having to be neutralised, through risk mitigation or transfer.
Application of risk mitigation measures usually requires an existing organised market and open interests. Mitigation (bringing the risk down to a residual level that is within tolerance) through e.g. guarantees or swaps, or transfer (passing ownership and reward of the risk on to another player) through e.g. securitisation or (re)insurance requires access to an active market. Additionally, regulatory bodies scrutinise quite intensely risk mitigation procedures, no matter what form they take. Therefore, defining the mitigation measures prior to building up the risky exposure is a best practice.
Preparing the mitigation strategies also ensures that costs for mitigation - or the decrease in expected return in the case of a risk transfer, are lower than the gains from accepting the risk at origination. Otherwise, the unsuspecting institution could end up subsidising other market players to the detriment of its own survivability.
Conversely, risk-seeking institutions will accept that certain risks will be quantified, maintained at low materiality, but not actively managed (acceptance / contingency).
Risk acceptance and contingency require extensive analysis of the risks at hand; risk acceptance needs backing by measurements and monitoring to ensure the risk-reward relationship of a new risk is sufficient, while risk capacity and tolerance allow the additional risk to be taken on a standalone basis. Contingency ensures that, for risks deemed non-material, potential costs of the realisation of the risk are properly estimated and provisioned.
Eventually, risk taking decision and its operational requirements remain driven by the strategy, perceived net gain, risk tolerance, profile, capacity and limits. An organization must consider its risk appetite at all time, as it decides which goals or tactics it pursues.
This is where a risk appetite that is developed and formalised, communicated and monitored closely comes into play.