A good risk appetite statement can expertly articulate an organisation’s attitude to risk and opportunity, but what does that mean in practice?
Risk appetite statements are a fundamental tool for any business serious about risk management. But when it comes to practical applications, these statements do little on their own.
To turn risk appetite from a simple statement into an operational tool, it must be integrated into the very foundations of the risk framework.
Our global benchmark report on risk appetite revealed that operationalising risk appetite is a top priority for risk managers in 2021, suggesting this area of expertise is still a work in progress for many risk teams.
Here we reveal some key advice for handling this task, taken from one of a series of private meetings with a number of our network’s risk leaders on operationalising risk appetite (the full write up of which can be found by members in the Intelligence platform).
1. Make it integrated
When attempting to operationalise risk appetite, boards will often try and get risk functions to run before they can walk, but it is no use creating a list of metrics to put appetite statements into practice if they don't share the direction in which the business is headed.
The risk appetite statements and the risk profile need to link back directly to the business strategy and should be reflective of the key risks, which in turn reflect the business objectives. Risk appetite must be implemented in a way that's unique to a business (see here for some example methods).
While risk appetite has traditionally focused on downside risks, remember also the opportunities facing a business. When defining the key risks, it is important to identify the critical success factors that are integral to an organisation’s development.
And this extends to choosing performance indicators too. You should look to develop both key risk indicators and key opportunity indicators.
Bear in mind, however, that not all risk appetite statements are suited to quantitative performance indicators, and board expectations regarding this should be managed from the outset.
As such, these indicators should not be the sole judge of whether or not an organisation is in or outside of risk appetite; professional judgement is needed on this at all times. (You might find useful this list of six FAQs on operationalising appetite statements.)
3. Define your controls
The final stage of operationalising risk appetite is introducing controls and assurance processes to help the business remain within its appetite range. To maximise the effectiveness of these controls, it is often useful to sort the risk appetite statements into five categories: adverse, minimal, cautious, receptive and embrace.
Risks in the adversarial category, such as health and safety, will usually have robust controls in place that are focused on prevention and are most commonly procedural in nature.
This category will also usually have assurance across all three lines of defence, including things like management attestation and audits.
At the other end of the scale, risks in the embrace category are much more likely to be subjective in their nature and rely more on professional judgement in the decision-making process.
This content is an excerpt from an in-depth guide on operationalising risk appetite, featured in Risk Leadership Network’s member-only Intelligence platform.