Risk appetite checklist

Kin Ly
Jan 22, 2021

We recently conducted a global survey on risk appetite practices and found that 90% of risk managers plan to work on appetite this year.


When we delved deeper – surveying and conducting extensive one-to-one interviews with more than 130 risk leaders from across the world – we identified 8 different approaches that have all been proven successful at integrating risk appetite and business objectives, and operationalising appetite, across different industries and types of organisations.

These along with the survey results and associated analysis are outlined in our comprehensive report, Risk appetite – common goals; diverse approaches.

We have also hosted (and continue to host) a range of member meetings on risk appetite.

These virtual meetings bring together risk managers from around the world to share knowledge, pool resources and tools, and collaboratively solve common challenges.

Below is a brief summary of our most recent member meeting on risk appetite – a checklist of things to consider when constructing your appetite statement. These points have come directly from risk leaders who have ‘been there and done it’.

The result? Risk appetite that encourages stakeholder and management discussion about risks; and a framework that helps aid business decisions.

Start with your risk profile

The best starting point for risk appetite is risk profile – an articulation of the risks that matter to the business, pitched in a way that helps directors understand which risks need to be managed further and which are present but being managed reasonably well.

At that level, there’d typically be around 12–15 risks, which is a number directors can consume generically before they start getting lost in the weeds of the business.

Categorise and sub-categorise your risks

These risks often then serve as risk categories against which to map operational risks.

There might be some strategic risks around the availability of your core retail business, or risks around navigating the regulatory environment, and some around being workforce ready for the future, for example. 

Granular operational risks would sit underneath that – recruitment, retention, performance management, technology and the like.

It is then possible to start to apply a common approach to risk management, setting risk appetite at a strategic level with any risk that sits underneath it managed and measured in the same way.

Take a forward, backward and performance view

From there it’s about looking at two things: what does the forward position of the risk need to look like? And what does the performance of the risk look like?

The forward-looking view of the risk is really about where we want the risk to sit from an overall likelihood or impact point of view.

Some found the heat map to be a useful visual tool for boards to understand the overall risk environments. But the point was made that typically the only way to really control risk is reducing likelihood.

There are going to be some impact mitigations – largely through disaster recovery, business continuity planning and crisis management – but the majority of the control environment is typically geared towards reducing likelihood. So a great forward-looking position might set the aim as reducing the likelihood of the risks that really matter to ‘unlikely’ or ‘possible’.

The performance view is using the data in the business to help understand where it is you’re going, what’s working, what needs refinement and what’s gone off base, which is really the watch limit for action.

Using risk appetite for decision making

Risk appetite done well can also be a source of advantage by putting the right delegations in place and enabling nimble and quick decisions and actions without imposing additional approval layers, which cost time.

There is, however, a struggle among some organisations to use risk appetite to make decisions as opposed to attempting to retrofit existing practices to meet requirements.

One alternative approach is to start with the organisation’s mission statements – what the organisation is in business for.

Underneath that should sit all the things that the organisation does to support the mission; below that, the things that could affect those outcomes, and whether particular scenarios, if they came to pass, would put the mission at risk.

Underneath that then sits how to maximise the probability of the good outcomes and minimise the chance of the bad outcomes and how to decide on trade-offs.

Eight tried-and-tested approaches

Our full risk appetite report, available exclusively to Risk Leadership Network members, contains eight featured case studies collected from our global risk community. Between them, they address all of the major priorities for appetite identified by risk managers for the coming year, and more.

They also include detailed steps to guide risk managers through the implementation process, and handy output summaries to help risk managers find an approach that suits their organisation’s maturity level and needs.

Want to know more?


If you’d like to request a copy of our abridged risk appetite report and find out more about Risk Leadership Network membership, talk to us about becoming a member today.
