Risk appetite theory and reality can often diverge. You may only learn what really works (and doesn't) for your organisation once you've implemented it.
1. Remind yourself of risk appetite's purpose
If you are leading a refresh of risk appetite, a powerful starting point can be to review the reason (or reasons) for having risk appetite in the first place.
Being aware of this can help inform the choices you make about when and where risk appetite should be used, what you anchor your risk appetite to (e.g., individual risks or categories) and who should be accountable for risk appetite statements.
Your purpose can also guide the selection of risk appetite metrics, if this is something you are renewing or adding for the first time.
Finally, consider how the purpose of risk appetite might split into both strategic and operational actions, as highlighted below:
| Strategic actions | Operational actions |
|
Link risk appetite to discussions about emerging and external risk. |
Align risk appetite thresholds more closely with safety, revenue and productivity metrics. |
|
Apply appetite to major decisions like capital investments, M&A and the commissioning of major projects. |
Cement the ability to aggregate and escalate breaches, responding before they become strategic issues. |
|
Use appetite to prioritise resources and investment. |
Unlock aligned assurance and prioritise risk resources. |
2. Connect your risk appetite statements
Risk leaders are in agreement about the interconnected nature of risk appetite when it is "put to work" in the business, and this should be reflected in the writing of appetite statements.
Risk appetite statements have to tangibly interconnect. In many cases, you can't increase your appetite in one area without also increasing appetite for financial, reputation or even safety risk, depending on the nature of a new venture or market"
Risk Leadership Network member
An option some members have explored is including trade-offs in risk appetite statements and explicitly acknowledging where certain types of risks can be taken, in pursuit of key objectives. This approach may also help companies to rationalise core operations or strategic goals that seem directly at odds with appetite targets.
In one case, a member described how they have adopted high-level, responsive controls in their statements. This tacitly recognises that although certain events may occur, they are not "accepted" by the company and are swiftly dealt with. Naturally, legal teams are consulted for advice when developing an approach like this.
3. Refine and develop metrics
Issues with key risk indicators (KRIs), according to practitioners, fluctuate from "we can't get the business to agree upon a single indicator" to "we have hundreds of metrics and no idea which ones matter".
Discussing the challenge, members shared some key lessons from their experience with risk appetite metrics.
4. Embed appetite into business processes
Whether the purpose of risk appetite for your organisation is primarily operational or strategic (or both), identifying the right processes and templates in the business through which to embed and communicate risk appetite is a key step towards operationalising it.
As a rule of thumb, companies must first establish quantitative thresholds and KRIs — a tangible expression of appetite that can be incorporated into documents.
Next, think about the language you want to use. At an operational level, for instance, it may not be necessary to actually reference "risk appetite".
Finally, once you have decided upon thresholds and syntax, make sure to update policies and procedures with thresholds and relevant explanation so that the business is well aware of the trigger points for your various risk appetite statements.
People probably won't read the appetite statement, but they will follow their procedure."
Risk Leadership Network member
At a strategic level, embedding appetite usually means incorporating relevant thresholds into business case templates, financial risk assessments and so on. There is also a 'cultural element' of enforcing risk appetite considerations as one step of many in the decision-making process.
What's next?
Throughout the entire process of reviewing and refreshing risk appetite, optimisation must be front of mind. In essence, how do you refine the wording, format and categorisation of appetite to meaningfully impact implementation success?
To support our members through this journey, and help shape their approaches, we facilitate bespoke collaborations between risk leaders.
If you would like to collaborate with peers on the topic of risk appetite, and find out how we can support you with your risk priorities, please book an introductory call.
Meanwhile, take a look at some more resources we've developed from recent collaborations on risk appetite:
- 5 templates for setting risk appetite
- Using risk appetite to support decision making: three case studies
- 7 approaches to setting risk appetite for cyber security
- How to build an effective suite of key risk indicators
- Risk appetite statement templates
- A 10-step process for operationalising risk appetite
- Risk appetite statement flowchart
- How has risk appetite evolved in the past 3 years?
To find out more about getting involved in upcoming collaborations with experienced peers, request an exploratory call, or explore membership here.
Share this
How has risk appetite evolved in the past 3 years?
Setting risk appetite: 5 approaches from practitioners
