Categorise and sub-categorise, define your metrics, know your limits, and make executives accountable. These were some of the tips offered by Members of the Risk Leadership Network in a series of private meetings held about risk appetite.
So, how do you embed your risk appetite across all levels of your organisation?
1. Categorise your risks
Risks need to be split into categories (level 1) and further split into sub-categories (level 2). These should be closely aligned to the business’s operations. It is no good having a set of risk categories that are separate to the way the organisation is structured.
2. Ditch the risk jargon
Risk appetite statements need to avoid the language usually associated with risk management, and instead should be kept at a high level using common business language to formulate objective-based statements akin to messaging that would normally make up board-level instructions.
3. Provide clear instructions on tier 2 risks
In the risk appetite statement, there should be one sentence relating to each of the level 2 categories, including direct instructions for those staff who own each particular risk.
4. Define your metrics
Tip 3 can then help get the right metrics in place so the organisation is more proactive in its approach to risk management, enabling the business to take appropriate risks and avoid unnecessary risk aversion.
These risk metrics can either be qualitative or quantitative, depending on the business unit or people that will be using them within the organisation and how they respond to such information. Without these clear metrics, it is easy for an organisation to end up with people focusing on their own individual risks, leading to staff using their own judgement and personal risk appetite, without any regard for the corporate strategy around the level of risk appetite they want the organisation as a whole to take.
For board-level reports, these metrics are normally quantitative in nature.
Each risk metric needs to be aligned to the risk appetite statement that comes down from the board and relates to that particular level 2 risk.
These metrics should also have appropriate limits that allow the organisation to take appropriate levels of risk, including a lower limit that prevents the organisation from not taking enough risk in a particular area.
By getting these metrics right, the organisation can become more proactive in its management of risk appetite within a set of clearly defined boundaries.
6. Define your executive ownership
Once these metrics and limits have been defined, they need to be taken back to the executive team in order to establish clear accountability at the executive level for the management of risk.
7. Ensure reporting reflects your appetite performance
Reporting templates that are used to report information back to the relevant members of the executive team can then be updated to take account of the performance of the different business sectors against the risk appetite limits for each risk category. This then helps to create a clear mechanism for executive accountability and their responsibilities for the oversight of each particular risk category.
Mapping such a mechanism to the structure of the organisation should then allow issues to be escalated to different management levels before they become problems that warrant board-level attention.
8. Review the framework
This framework then needs to be reviewed as part of an annual corporate planning cycle that updates not only the risk appetite, but also the structure around it that facilitates the reporting mechanism and allows for proper accountability and oversight.
This executive oversight also allows the executive team to take control of the risk appetite of the organisation, meaning it can be driven by business strategy rather than the risk itself.
Where did these tips come from?
How do you operationalise your risk appetite statement?
It’s a perennial question among the risk management community. And a challenge that many of our members are proactively working to solve. So, Risk Leadership Network held a series of private member meetings on risk appetite so we could share varying approaches, insights and perspectives.
And although a full write-up of our meetings with case studies is only available for our Members, we share small snippets of advice to the wider risk community so you get a feel for what we do.