With risk teams increasingly involved in conversations about the strategic direction of their organisations, aligning risk frameworks and business objectives has emerged as a priority item for risk leaders. To ensure that their business is on course to meet those objectives, risk managers are introducing and optimising risk appetite.
Whether you are new to a risk role, an established CRO, or part of a risk team looking to ensure risk management adds real value, how can you make risk appetite work for your business?
This article addresses key questions you may have about risk appetite – with all of the insights and approaches shared based on the constantly-evolving knowledge and experience of practising risk leaders in our network.
1. Risk appetite definition
The term risk appetite refers to the amount of risk a business is willing to take in order to achieve its objectives, encompassing both an upper limit (i.e., too much risk being taken to achieve objectives) and a lower limit (not enough risk being taken). In a more formal sense, the setting of risk appetite occurs when the business establishes a specific measurable threshold for the risk it is willing to take.
There are several different factors which will help determine the risk appetite of an organisation. For example, a business that is more heavily regulated, such as a nationalised utility company, will generally have a lower appetite for risk.
Appetite will also be influenced by the importance of objectives, as well as the organisation’s risk maturity and its overall level of risk management capability. If achieving a certain objective or attaining a certain level of performance is a priority for an organisation, it may be willing to take more risk in that area to ensure the goal is met.
Risk appetite ultimately reflects the two-sided nature of risk – while a risk can pose a threat to an organisation, it may also present an opportunity.
For example, investing in a new product takes time, resource and money, presenting a financial risk. However, that product could open doors to new markets and customers for the business, which may be a risk worth taking. Keeping this balance in mind, and using it to set the right upper and lower limits for risk-taking, is crucial to implementing risk appetite successfully.
2. Risk appetite vs risk tolerance
If risk appetite is the level of risk that a business is willing to take to achieve its objectives, risk tolerance describes the amount of variation from risk appetite that the business is willing to accept.
Put simply, tolerance is the amount of loss – often described as “pain” – an organisation is willing to bear, while appetite describes the amount of risk an organisation is willing to take.
Typically, risk tolerance is more tightly defined and aggregated across a set of principal risks. It can also be described as the level of risk a business will accept after it has implemented all the relevant controls at its disposal.
3. What is a risk appetite statement?
We've already discussed how the setting of risk appetite occurs when the business establishes a specific, measurable threshold for the amount of risk it is willing to take, as well as a minimum level of risk it needs to take in order to progress.
This measurable threshold can be documented in the form of a risk appetite statement, which will typically focus on a specific category of enterprise risks (e.g. Health and Safety).
These statements (there may be several) cover the context behind the risk – for instance, how sub-risks under this category could impact business strategy – and set upper and lower limits for the level of risk the business should take.
How do you know what to include in your risk appetite statement? Jump to the section “Draft risk appetite statements”.
4. Why is risk appetite important to a business?
There are many reasons why a business may value risk appetite:
- Risk appetite serves as a bridge between risk management and the desired outcomes of the business, connecting the two by highlighting how different levels of risk-taking can either support or hinder long-term objectives.
- Risk appetite is a mechanism that allows for a more meaningful assessment of the risks that are relevant to the business. Without the framing provided by risk appetite, it is harder for the risk team to drive the right level of action needed within the business through reporting, while people around the business are left without the necessary information to make optimal decisions aligned with desired outcomes.
- By helping to drive action and ensure desired outcomes are met – and by encouraging employees to take informed and appropriate risks and not just simply avoid risk altogether – the stigma that risk managers are merely “policy police” can also be overcome, cultivating more cordial and valuable working relationships between the risk function and the rest of the organisation.
REPORT: Common goals; diverse approaches
To address the priorities of the members in our corporate network, Risk Leadership Network collated insights from 130 practising risk professionals around the world to create the report Risk appetite – common goals; diverse approaches.
More than half (52%) of risk managers we spoke to about risk appetite described it as an important part of any ERM framework, while a further 27% believe it is pivotal to successful risk management.
5. Who is responsible for risk appetite?
There first needs to be an understanding of who is responsible for what, so that clear roles and accountabilities can be assigned in the development and setting of risk appetite. If there are already structures in place within the business to assign accountabilities for risks themselves, it may be helpful to use these rather than creating another layer of bureaucracy.
While some organisations may assign the setting and implementation of risk appetite to the risk team alone, if it is done within a silo it is unlikely to fulfil the needs of the business, nor will it support appropriate risk-taking or effective risk oversight.
The risk team should engage and partner with the business to develop appropriate risk appetite which reflects the strategic and operational nature of the business. Although the risk team can work with the business to determine a taxonomy of principal/material risks and align appetite with this, risk appetite statements should be owned and approved by those with ultimate responsibility for the risks.
Securing the buy-in and, more importantly, the involvement of executives is crucial, as this will encourage them to view risk appetite as a powerful business tool and an enabler, rather than an unnecessary administrative layer they would rather avoid.
Looking for practical ways to achieve this? Take a look at the section below: engaging the board on risk appetite.
Where does this insight come from?
At Risk Leadership Network, we believe other practising risk leaders are best placed to help inform and validate your team's approach. Our insight comes from collaboration between risk leaders in some of the largest multinational corporations around the world.
It is one thing getting the board to understand the value of risk appetite, but convincing the rest of the business that it is important is another matter. In order for risk appetite to be successfully implemented and followed throughout the organisation, employees at all levels need to be engaged and feel part of an organisation that encourages “good” risk-taking as part of their jobs.
How do you set risk appetite?
1. Determine principal/material risk categories
Before setting risk appetite, you need to determine what principal (or material) risk categories the business should focus on – these will typically be those overarching risks that have the potential to impact both the strategy and operations of the business.
Equally, you may want to look at the challenge from another angle and apply risk appetite to specific opportunities that the business wants to pursue – for example, if a company believes developing new technologies will support its strategic growth, it can decide how much risk in this area (e.g. cost of failed development) it is willing to accept.
It is also important to consider the stakeholder landscape and consult with key external parties such as regulators and major partners when developing risk appetite. For those organisations operating in the “third sector” (charities), engaging with communities would also be an essential part of the risk appetite process.
3 approaches to deciding what your principal risk categories are:
The top-down approach
Engage with senior leaders/the board to work out what is important to them. In order to realise their vision for the future of the business, two questions should be asked:
To help get the right answers, some risk leaders use risk appetite surveys of their board of directors.
The bottom-up approach
The risk team goes out to the business and collates all the risks that matter to employees (via surveys or other means). While these risks are more likely to be operational in nature, they will still need to be managed and, more often than not, filtered and aggregated up to higher levels of the business.
The joined-up approach
Brings together the top-down and bottom-up by mapping the risks highlighted by the board and senior management. Where there is overlap between the two, these are the risks with the potential for greater impact on the whole business.
2. Decide the upper and lower limits for each risk
It is important to remember that the risk appetite across a set of principal risks does not have to be entirely consistent – while there are risk categories such as health and safety for which there is usually no appetite for risk, there may be other areas in which the business wants to take more risk.
The question is: how do you know what thresholds to set for each risk? The key is finding a green zone for each risk category. This is the balance between too much risk being taken and not enough risk being taken.
Using a risk matrix
You can see the major risks in the top right-hand corner of the matrix – i.e. the risks that present the greatest risk to the organisation and therefore take priority.
The closer the proximity of a risk to this part of the matrix, the more tightly controlled it will usually be to retain the risk within acceptable levels (within or close to appetite).
While key risk indicators (KRIs) are useful for monitoring the likelihood of a risk (as well as velocity i.e., how fast a risk is approaching), impact can be looked at through several lenses, which often intersect. For example, there are financial impacts of a risk, but also reputational impacts which could affect the business for a longer period and in ways that are more difficult to predict.
There's more about building a set of key risk indicators later on in this article.
3. Design approaches for managing risks
When setting risk appetite, it is important to outline the actions that the business will take when it is operating within risk appetite, approaching the edge of risk appetite and operating outside of risk appetite. Typically, breach procedures will fall into these three buckets:
- Expected – This means the business is operating within risk appetite; no immediate action is necessary, but it is important to monitor risks and keep an eye out for changes in the internal or external environment that could trigger changes.
- Shifting – When a change in performance is noted, with indicators suggesting that the business is moving closer towards appetite thresholds, it is time to investigate and understand why a risk is becoming harder to manage (e.g. Is there a deterioration in trading conditions? Are there changes in behaviour or performance of staff? Are there unforeseen events occurring which make it more likely?).
- Out of comfort zone – In this scenario the appetite for a specific risk has been exceeded and immediate action is necessary to bring the risk back within acceptable levels.
To ensure the right level of response, risk responses and actions by risk owners should be defined to ensure effective communication and notification timelines for risks to the executive committee and the board – i.e., how long will it take to notify these parties once a breach has become known? Equally, procedures should also involve a clearly defined risk treatment action plan that indicates how the risk and business teams will report on progress as the issue is managed.
4. Draft risk appetite statements
Although there is no right way to draft a risk appetite statement, there are some fundamental areas that a clear, concise and effective statement may cover:
When preparing a risk appetite statement it is important to understand the context. For example, provide a brief explanation as to how this risk relates to, and may impact, the overall strategy of the business. Are there any external drivers that should be considered?
The statement itself
This section should specify, in clear terms, what there is zero appetite for across different risk settings, what there is cautious appetite for, and why in some cases, circumstances or markets, there should be a higher level of risk appetite.
Key risk indicators and limits
The risk appetite statement should outline the key risk indicators that will be used to assess whether the business is operating within, close to, or outside of risk appetite – these indicators will also help to determine a course of action regarding the management of different risks.
Risk appetite setting
In order to develop an overall picture of how the business is performing in terms of risk appetite, some businesses may aggregate their key risk indicators to determine whether the business is mostly inside or outside of risk appetite.
For each risk category, the overall risk appetite setting could range anywhere from zero (i.e., for health and safety risks) to high. Businesses may also want to set a broader range of acceptable appetite instead of a specific setting to give themselves more flexibility – for example, there may be a certain type of risk that there is “zero to cautious” appetite for.
5. Your risk appetite checklist
How do you embed risk appetite in the business?
1. Build a set of key risk indicators to monitor appetite
While key performance indicators (KPIs) look back at what has been achieved (to answer questions like, have set objectives been met?), KRIs look forward to the potential threats or opportunities that may, eventually, impact performance in the future and cause the business to exceed risk appetite.
|Leading indicators|Lagging indicators|
|---|---|
|The most useful KRIs, designed to give as much early warning as possible, enabling the organisation to proactively respond and stay within risk appetite.|KRIs that look back at whether an intended outcome was achieved. They are often the common starting point for a new suite of KRIs, as they are easier to define and source data for.|
Using too many lagging indicators may force you to adopt a reactive approach, and may not provide adequate forewarning of events or circumstances which may lead to exceeding risk appetite.
In some cases, lagging indicators can be adjusted and used as leading indicators – for example, if you have gathered data for a certain risk (e.g. health and safety incidents) over a certain period of time, you can use this data to make a projection for the future. While the past is no guarantee of future performance, using lagging indicators like this can help you to formulate potential scenarios in a more rational way.
When developing KRIs it’s important to ensure they are relevant. It is more effective to have a few relevant leading KRIs than many KRIs that don’t add value to decision-making and performance, or that don’t support determining whether risk appetite has been exceeded.
It is also important to ensure that you select KRIs that can be updated regularly to allow the business to generate a ‘live’ picture of what is changing, instead of receiving a static, out-of-date view of the risk landscape.
2. Engage with the board on risk appetite
The board needs to set the tone for risk and risk taking. Senior leaders should also be aware of risk appetite and its role and purpose within the business. If senior leaders are risk-averse, then the organisation’s appetite for key risks is likely to be low.
Alternatively, do executives proactively encourage people around the business as part of developing a more dynamic, risk-aware culture capable of taking on more risk? Whilst boards’ involvement in risk appetite is typically at the sign-off stage, it pays to understand the factors that influence board-level decisions.
Engaging with the board on risk appetite is a regular topic of discussion at Risk Leadership Network's member meetings – read some of the insight they've provided in the article: How are risk leaders engaging with the board on risk appetite?
Firstly, find out whether or not they have any specific goals with regard to risk appetite and how it is used by the organisation moving forwards.
For example, the board may want to develop stronger alignment between business decisions and strategy, develop a more consistent appetite for risk across different business units, or shift the risk culture of the business away from a mere box-ticking exercise.
In terms of the development and review process for risk appetite statements, it is important to ensure they are endorsed and signed off by people in the business rather than being an exercise conducted only by the risk team. This is a precursor to review, approval and sign-off by the board committee accountable for risk (or risk and audit), prior to final sign-off by the board.
Without that endorsement, it can be hard to sell the importance of risk appetite to the rest of the organisation.
Based on a survey we conducted with several risk leaders from across various sectors, the most popular approach is to have appetite statements endorsed by the executive leadership team before being finally approved by the board.
Risk appetite can also be covered during risk reporting to solidify its place on the board agenda. While less than 50% of risk leaders surveyed for our benchmark report Risk reporting to ARC and board feature ‘risk appetite’ as a standalone section or agenda item in either their ARC or board reporting, 70% do include an assessment of principal risks vs. appetite as part of ARC reporting (55% for board reporting).
3. Develop awareness of risk appetite within the business
According to research in our report, Risk Leaders’ Insight: Risk appetite, just under 10% of risk leaders said that appetite was currently used by a significant portion of their staff from executive through to the frontline. Drilling down further into the findings of the survey, 19% revealed that while the board and executive committee have approved risk appetite statements, these are not used by the business. There is a lot of work still to be done on risk appetite.
Although some may view efforts to keep the business operating within risk appetite as the responsibility of the risk team, the reality is that this is, or at least should be, something which is owned by the business as a whole.
Therefore, aligning your risk appetite framework with the governance structure of the organisation is key – instead of chasing employees to carry out risk activity and think about risk appetite, it should be embedded as part of the processes they follow on a monthly, weekly or even daily basis.
Another way to spread awareness and encourage people around the business to use risk appetite statements is to set up an internal marketing campaign. Common ways of delivering the message on risk appetite are via:
Another key consideration for making statements easier to use by the business is the type of language used. Risk leaders agree that the phrasing of statements must be meaningful to risk owners and business stakeholders, if the concept is to be embraced.
This is why a common language and terminology is important in risk management. In fact, some businesses may want to simplify or limit the amount of risk language they use to ensure stakeholders are comfortable using the statements.
4. Use risk appetite to support good decision-making
Arguably the most meaningful aspect of embedding risk appetite within the business is using it to make better decisions, as this will demonstrate the value of your risk appetite framework to the entire organisation.
Decisions that were made previously without enough information – for example, keeping an inefficient contractor on the payroll to avoid the disruption and cost of hiring someone else – can now be viewed through the lens of risk appetite. Is there appetite to take a financial risk on bringing in someone who is better suited to the role, offsetting the cost of the other contractor’s inefficiency? It’s the ability to manage the risk/reward equation that demonstrates risk appetite’s effectiveness.
The above is an example of how a good risk appetite framework can guide decision-making and help manage exposure to risks. In terms of how you then go about highlighting key risks and their alignment with appetite to the board, a dashboard like the one below can be used. This graphic provides an overview of the risks the business is facing and signals where there is the most appetite for risks to be taken.
Equally, it should be acknowledged that no risk appetite framework is black and white or without nuance; rather than providing all the answers, it can be used to support accountable decision-making and guide management in exercising better informed professional judgement. If decisions are approached in a more considered, forensic manner, it’s likely that more of them will be good decisions.
Members of the Risk Leadership Network, from leading companies around the world, came together to create a 10-step process for operationalising risk appetite.
How can you ensure future performance with risk appetite?
For risk appetite to continue being a useful business tool in the future, and to deal with the changing nature of risks, it is crucial to review your risk appetite framework at an agreed and clearly defined time interval instead of just setting and forgetting.
There are several situations that might prompt you to review your risk profile and appetite settings in the context of both threats and opportunities.
- Executive leaders may wish to grow the market share of the business in a particular area, which could require the business to take on additional risk.
- New threats may emerge that make the business want to take less risk; for example, the introduction of more stringent regulations on a certain type of activity which may incur severe financial penalties if not followed.
A regular review of risk registers from around the business and ongoing engagement with the board about the changing operating environment, the strategic direction of the organisation, and the risks they see, are some of the ways the risk function can maintain the dialogue on risk appetite. When launching new projects, it's important that the business takes a risk-based approach to strategic decision-making.
Having access to real-time data is also particularly useful for monitoring risk appetite and changing threat levels when necessary, although this approach does come with caveats, such as the accuracy of information.
Ultimately, like any process that is not monitored and updated regularly, risk appetite can soon be forgotten and its role as a partner in value creation and proactive risk management can become obsolete. Keeping it relevant will help to ensure it remains at the forefront of the business’s risk approach, supporting good decision-making and risk-taking for years to come.