An effective risk appetite statement is essential for properly managing the risks facing your organisation, but they can be difficult to get right.
What’s more, appetite statements should gel well together and make sense as a collection. In theory, this will make embedding them across the business easier and give risk a seat in the decision-making process.
Read our full guide: What is risk appetite and how do you implement it?
Here are four questions to help you better understand the effectiveness of your risk appetite statements:
1. Are our risk appetite statements too complex?
Risk appetite statements often lead to complex conversations, but their objectives should always be simple.
These objectives normally involve setting limits and expectations on the level of risk an organisation is prepared to accept in the pursuit of its business goals, before action is deemed necessary to reduce that risk.
The simplicity of these objectives should be remembered when defining your appetite statements, but that does not mean you cannot be too simplistic in your approach to building them.
Risk appetite statements need to consider both upside and downside risks – companies need to take risk in order to innovate and grow; risk appetite is just about how much risk the organisation is going to take to achieve those goals.
2. Are we allowing management to take enough risk?
There is no point in setting targets for management to achieve certain goals if risk appetite statements constrict them and prevent them from achieving those objectives.
In order to avoid this, risk categories associated with particular appetite statements should also be mapped to management objectives to fully understand how limits on risk-taking could leave management falling short of their targets.
3. Are we already measuring that?
Regular monitoring of risks to determine whether or not they are in the range of the risk appetite statements is vital, but it is important not to duplicate efforts when reporting to the board.
The board and executive team should already be receiving information regarding key metrics in their management reports; the important thing is to distill this information into a useful format that allows them to see whether or not the risks facing the organisation sit within or outside appetite. Some leaders have suggested creating risk appetite surveys for your board to help communication at this stage.
Risk limits, tolerances and metrics are likely already set across your business: existing board-approved policies set limits; they just don’t have “risk appetite” directly in their title. Use these policies to your advantage when getting people to better understand and adhere to risk appetite across the wider business.
4. Have we hit our risk capacity?
An organisation’s risk appetite should always lie within the limit of its risk capacity, but this is impossible to ascertain without first understanding your aggregate risk position.
It is therefore useful to identify three or four quantitative measures that can be used to assess the performance of your business and define how much downside risk you are willing and able to accept on these measures.
This then gives the organisation an aggregate risk appetite position that is measurable.
Where does Risk Leadership Network's insight come from?
These recommendations were drawn from lessons shared by risk leaders in our network, as part of a series of private member meetings on risk appetite. We've made our risk appetite guide available for free, but there's so much more collaboration taking place between risk leaders in our network every day. Find out more about we enable collaboration here.
|