There is unfortunately no shortage of examples of such cases. Oil companies have invested in drilling in certain areas without taking a full accounting of the environmental risks involved. "In the Gulf of Mexico, oil companies knew the risk existed, but these risks exposed and damaged their brands. If they had considered the actual risk level, they could have said, 'No, we don't have the capacity to manage that risk,' or, 'Let's do it and increase our capacity to manage that risk,'" says Faris. (See the Gulf Oil Spill Tracker for an idea of the frequency of these events.)
In the consumer products industry, companies release products without thinking through their exposure. One examples is products that are intended for small children but that pose a choking hazard. "Companies often do not contemplate their risk, which can go way beyond their desired appetite to include legal risks," says Faris.
Companies experience risks in foreign nations, including places where the C-suite the company had assets. "We help clients where their people have been kidnapped and the C-levels did not know they had people in that country. There is a misalignment between risk taking and risk appetite," says Gray.
Gray's firm addressed an expropriation issue in Venezuela, where President Hugo Chavez's government had nationalized a foreign business. Executives at the business's European headquarters were surprised that they had exposed themselves to this risk.
"The fact that these organizations are unaware they have such risk suggests a breakdown in governance of risk management," Gray says.
There are also cases where companies discover that their risk appetite is too small. "A healthcare organization had a CEO who felt that his company was too conservative and that his business leaders were not taking full advantage of the opportunities facing their industry," says Shinkman. In this instance, the CEO asked internal leadership about risk appetite and whether the company was taking on enough risk.
"In the end, they invested more aggressively into another line of business, using an increased risk appetite to seek out greater opportunity," says Shinkman.
In another instance, Shinkman relates, a large bank grew its risk appetite after asking itself, 'How do we want to run the business, and what do we want our portfolios to look like?'
"When the bank's middle-eastern portfolio took a big loss, the bank executives decided they were comfortable with that level of risk," he says.
Articulating and Addressing Risk Appetite
To articulate risk appetite, the CSO should gather the company's strategic ambitions at the highest level. "The CSO needs to determine the risks the organization must take to achieve those ambitions, the risks that are unacceptable, and the risks the company has to take as a part of executing in the given market," says Faris. The CSO should engage the C-suite and the board in making these determinations.
Sign up for Computerworld eNewsletters.