Embedding risk appetite across a business can represent a serious challenge for risk managers. Despite the time and effort invested by companies to develop risk appetite statements, they need to be integrated into the broader risk framework of an organisation in order to be useful.
Tackling this problem with a staged process offers a practical and manageable solution for risk managers to implement, and our members are collaborating to determine how best to go about this.
Members agree that steps towards operationalising risk appetite fit into three broad stages:
- Define, Design, Determine: Forming the nucleus of risk appetite
- Providing the right context for risk appetite within an organisation
- Align, Communicate, Monitor: Integrating risk appetite appropriately
Step 1: Define risk appetite purpose
This is a fundamental question that needs to be answered: what is the purpose of risk appetite and why should your company develop its risk appetite?
Many of our members base their risk appetite framework on two key drivers:
- The need to create a stronger alignment between business decisions and strategy
- The creation of a stronger risk management culture within the organisation that goes beyond box-ticking to provide the business with an indication of what risk-taking behaviour is, from the board’s perspective. That is, showing where to take more risk and where there is no appetite for more risk.
Step 2: Design risk appetite framework
You likely want to create a dynamic and flexible framework with a defined methodology.
It can be useful to spend time interacting with both the executive committee and the board to develop this framework. At the same time, discussing principal risks with the exco and board, and linking them to appetite, can help gain their buy-in.
You can demonstrate to them the clear link between risk appetite statements and the organisation’s underlying risk profile.
(Check out our latest insights into how to get risk appetite right for projects.)
Step 3: Assign roles and accountabilities
Linking your risk appetite framework to your organisation’s 3 lines model can help determine accountability and ownership of risks.
Risk appetite statements should be owned by executive committee members, but are challenged by the committee as a collective.
This supports buy-in by getting the executive committee and board heavily involved so they see risk appetite as a business tool and not just another level of bureaucracy. Make sure you are asking the right questions when assessing your risk appetite statements.
Similarly, it is useful to use existing structures to assign accountabilities, rather than adding another layer of bureaucracy.
Another approach to assigning accountability that our members are discussing involves looking at the organisation’s value chain and strategy; creating a taxonomy from the top-down and then aligning risk appetite to that.
Step 4: Determine material risk categories
Identify the real, overarching categories that impact both strategy and operation. Of course, these categories will evolve over time, and there will likely be an element of opportunity to each category, as the company strives to achieve strategic growth (and so must determine the level of risk to take on as the company grows).
Step 5: Design breach procedures
How do we determine when the organisation is in or out of appetite? What are the escalation triggers, in terms of when specific risk limits are breached?
One organisation defined specific risk limits for the business by building a set of breach procedures with escalation thresholds, which were attached to accuracy indicators. Their risk limits fell into three buckets:
- Expected: maintaining performance
- Shifting: slight change to performance - need to understand why
- Out of comfort zone: immediate action required to bring performance back to an acceptable level.
The breach procedures were defined around notification timelines for the executive committee and the board. They must be notified within a certain time frame of a breach becoming known.
Step 6: Define context, draft statements, identify key risk indicators and risk limits, and report on them
Work out who has the authority to change risk appetite settings, how often change should take place, and whether it could happen out of cycle.
Step 7: Approval and alignment with policies, standards and procedures
Often, the risk team does not want to own this process; instead the business needs to take responsibility for constructing and developing it with the board. Therefore it's important to define specific roles and accountabilities at board and subcommittee level in terms of responsibility for approvals and monitoring.
You should also define who the risk appetite owners are and their responsibilities, as well as who owns and is responsible for identifying and monitoring KRIs.
It is important to ensure that, if there is a high level of appetite, the control environment is not constrained so the organisation can remain flexible.
Step 8: Communication and awareness
This should apply across the organisation, not just among the executives – risk appetite needs to be clearly communicated to the real control owners and the front line, who are the drivers of risk performance.
Put together a communication plan, targeted at different audiences using different messaging and platforms. This will likely take place over a period of time, with a view of stripping out the complexity; go back to simple terms to ensure that the business can understand their role.
Step 9: Integration with key decision-making processes
For example, one organisation started working with four key business areas: capital allocation, business planning, technology R&D, and M&A/country entry. This helped them to test the framework and establish a way to tailor the integration to the various needs of different business areas.
Step 10: Monitoring and reporting
From an assurance perspective, this can be used by internal audit to frame the annual plan, but also to provide assurance that control environments are in line with risk appetite settings.
This provides an independent view to the board as to whether the risk appetite framework is actually operating and working as it should.
How did we develop this 10-step process?
As part of our risk appetite better practice series, members of Risk Leadership Network are coming together in collaborative member meetings to determine which paths risk managers can take to effectively cascade down risk appetite from the top into the everyday operations of their businesses.
Risk managers in our network are building and validating their approach to operationalising risk appetite using the tried-and-tested methods that have been shared and discussed by members.