Risk appetite statements are key for the successful running of any project. They empower a business to pursue strategic opportunities, but what does ‘good’ look like? And how do you ensure a project includes the right trade-offs to stay within appetite?
There is an old saying that a ship is safe in a harbour, but that is not what it was built for – and the same goes for risk management.
Risk leaders are increasingly pushing their organisations to see the upside opportunities that risks present. This is part of the wider goal to have the business take a risk-based approach to strategic decision-making.
Risk appetite is at the heart of allowing an organisation to do that, but getting it right can be a challenge – particularly when it comes to managing projects within an organisation, both small and large-scale ones.
You’re looking to establish a risk appetite that allows for alignment across the different outcomes of a particular project, while being mindful of the cost it will take to get there.
Projects are generally a trade-off between risks and opportunities to reach certain goals. Having the right risk appetite statements helps you monitor uncertainty, implement the right controls, and stay within the desired appetite range.
1. Get your taxonomy right
You have to effectively categorise and organise the major buckets of risk your organisation faces. Until you get that right, you can't define where you have appetite to take risk and where you don't. This is the most important step in managing risk appetite, but it is also the one most often overlooked.
Organisations often default to a generic set of categories that do not work – a taxonomy must be unique to your organisation, and based on your value chain and operational model.
As a rule of thumb, there should be two levels of risk, with around 10 top-level risks aligned to your value chain and operational model. Then, below each of those top-level risks, there should be three to five subcategories of risks.
2. Building the qualitative components
This could involve building something such as a three-point scale running from risk-avoidant, through balanced, all the way to risk-seeking. You can then articulate this appetite for risk for each of the top-level risks defined in your taxonomy.
This can then be built into a statement that details, for each category, what the organisation is looking to achieve for each of those risks. Each project should progress in line with the statements related to the risks applicable to the project.
Once the categorisation has been built, you can then start to apply metrics to each of the different risks facing the organisation. The difficulty here is that, if you create key risk indicators (KRIs) for each and every risk, you could be left with hundreds or thousands of different metrics, which quickly becomes unmanageable.
Instead, you might want to focus on building KRIs for the top 10 risks being faced.
These can then be built into a risk matrix that allows you to see when you are taking too much or too little risk, and have therefore moved out of the organisation’s risk appetite range for that particular risk.
4. Operationalising risk appetite
Operationalising all of the above can come in the form of risk evaluation schemes, which include things like severity and likelihood tables.
It is important to remember that these need to be consistent with appetite, so that the actions driven by a risk assessment during the project are in line with the organisation's appetite. You can then start to build this thinking around risk appetite into things like investment committees, key investment decisions, and corporate planning cycles.
This advice came from risk leaders in some of the largest companies in the world...
These organisations are members of the Risk Leadership Network, who discussed this topic at a private member meeting, as part of our series on risk appetite.