To turn risk appetite from a simple statement into an operational tool, it must be integrated into the very foundations of the risk framework.
In this article we reveal some key advice for handling this task, as shared by risk leaders with experience of using risk appetite statements to guide better decision-making.
1. Make it integrated
When attempting to operationalise risk appetite, boards will often try to get risk functions to run before they can walk. But it is no use creating a list of metrics to put appetite statements into practice if they don't share the direction in which the business is headed.
The risk appetite statements and the risk profile need to link back directly to the business strategy and should be reflective of the key risks, which in turn reflect the business objectives. Risk appetite must be implemented in a way that's unique to a business.
While risk appetite has traditionally focused on downside risks, remember the opportunities facing a business as well. When defining the key risks, it is important to identify the critical success factors that are integral to an organisation’s development.
And this extends to choosing performance indicators too. You should look to develop both key risk indicators and key opportunity indicators.
Bear in mind, however, that not all risk appetite statements are suited to quantitative performance indicators, and board expectations regarding this should be managed from the outset.
As such, these indicators should not be the sole judge of whether an organisation is inside or outside its risk appetite; professional judgement is needed on this at all times.
3. Define your controls
The final stage of operationalising risk appetite is introducing controls and assurance processes to help the business remain within its appetite range. To maximise the effectiveness of these controls, it is often useful to sort the risk appetite statements into five categories: adverse, minimal, cautious, receptive and embrace.
Risks in the adverse category, such as health and safety, will usually have robust controls in place that are focused on prevention and are most commonly procedural in nature.
This category will also usually have assurance across all three lines of defence, including things like management attestation and audits.
At the other end of the scale, risks in the embrace category are much more likely to be subjective in their nature and rely more on professional judgement in the decision-making process.
At Risk Leadership Network, we believe other practising leaders are best placed to help inform and validate your team's approach. Our insight is carefully collated from virtual meetings, benchmarking studies and one-to-one interviews with our 60+ member organisations.
This article is just a fraction of the knowledge shared between risk leaders in our network in a series of meetings we held on risk appetite.