Risk appetite statements are a fundamental tool for any business that is serious about risk management. But when it comes to practical applications, these statements do little on their own.
To turn risk appetite from a simple statement into an operational tool, it must be integrated into the very foundations of the risk framework.
1. Make it integrated
When attempting to operationalise risk appetite, boards will often try and get risk functions to run before they can walk, but it is no use creating a list of metrics to put appetite statements into practice if they don't reflect the direction in which the business is headed.
Therefore, risk appetite statements and the overall risk profile need to link back to business strategy and should be reflective of the key risks, which in turn reflect the business objectives. Risk appetite must be implemented in a way that's unique to a business.
Also, as one risk leader raised while presenting their risk appetite process to the network, companies need to define the context of their risk appetite statements and connect them to the value model of the organisation, so they reflect the corporate values of the business.
In order to align risk appetite with business values and strategic direction, risk leaders must consult with the relevant stakeholders, especially those at board level. Don't forget to embed risk appetite across all levels of the business, too.
2. Remember the upside
While risk appetite has traditionally focused on downside risks, remember also the opportunities facing a business. When defining the key risks, it is important to identify the critical success factors that are integral to an organisation’s development.
Bear in mind, however, that not all risk appetite statements are suited to quantitative performance indicators, and board expectations regarding this should be managed from the outset.
As such, indicators should not be the sole judge of whether or not an organisation is in or outside of risk appetite; professional judgement is needed on this at all times. (You might find useful this list of six FAQs on risk appetite basics).
Finally, risk leaders agree that regularly reviewing the indicators an organisation has in place, according to a timeline established with the board from the outset, is important. This faculty to make adjustments will improve the adaptability of the business and allow for a realignment to take place where necessary.
3. Define your controls
Another key stage of operationalising risk appetite is introducing controls and assurance processes to help the business remain within its appetite range. To maximise the effectiveness of these controls, it is often useful to sort risk appetite statements into five categories: adverse, minimal, cautious, receptive and embrace.
Risks in the adversarial category, such as health and safety, will usually have robust controls in place that are focused on prevention and are most commonly procedural in nature.
This category will also usually have assurance across all three lines of defence, including things like management attestation and audits.
At the other end of the scale, risks in the embrace category are much more likely to be subjective in their nature and rely more on professional judgement in the decision-making process.
4. Establish roles and responsibilities
In order for risk appetite statements to work within an organisation, people at all levels of the business need to take ownership: particularly at the level of senior management and the board.
For example, one risk leader explained that in their company, each of their board subcommittees has a suite of risk appetite statements they are responsible for. Their role involves monitoring statements on a monthly basis and making any amendments as necessary.
This category will also usually have assurance across all three lines of defence, including things like management attestation and audits.As well as getting the buy-in of senior leaders, it’s important to encourage people throughout the organisation to be proactive on risk appetite by communicating effectively and providing opportunities for training.
On the topic of training, one member highlighted three key factors that risk leaders should consider when raising awareness about appetite: keep it simple; relate it to everyday business activities, and make sure people are clear on what role they play in the risk appetite framework.
What are your risk management priorities?
This advice was collated from a series of member meetings facilitated by Risk Leadership Network on operationalising risk appetite. The series took place because a number of our members raised this topic as one of their big priorities for the year ahead.
We work with each of our 60+ member organisations to help them collaborate with peers on their specific priorities, as well as respond to unexpected challenges as they arise. Take a look at the meetings we have coming up and get in touch with us to get involved.