The majority of risk practitioners believe that risk appetite is useful at all levels of the business, according to our recent benchmark.
In the benchmark Risk appetite implementation and optimisation, we asked 120 risk leaders at large non-financial organisation a series of questions about the use of risk appetite in their organisations. There were a range of maturities:
-1.png?width=618&height=286&name=risk%20appetite%20organisations%20(1)-1.png)
Executive level
Appetite is agreed with the exco, audit and risk committee and board before being socialised through leadership committees.”
CRO
FTSE Metals and Mining Company
At most companies, risk appetite is set at the top of the organisation, before cascading down to business functions through risk owners.
The board approves risk appetite statements and ensures that they are aligned to pillars of the corporate strategy. In many companies, appetite statements are aligned to specific goals or objectives under the corporate strategy:
In most cases, reporting to the board or executive committee requires an up-to-date view of where the business' principal risks are sitting, relative to the appetite settings agreed by the board.
Whether this is based on qualitative assessment of the risks, or is backed up by metrics and quantitative data, risk appetite provides a framework for senior leaders to determine if going in a particular direction will expose the organisation to too much risk.
|
Risk appetite optimisation and implementation
A number of Risk Leadership Network members flagged risk appetite implementation and optimisation as a key priority. Allowing them to benchmark against other organisations is our first step in supporting them. This 2024 benchmark explores how 120 large non-financial organisations in a range of geographies and sectors are setting risk appetite, embedding an understanding of risk appetite within the business, and using it to guide decision-making at different levels of the organisation. Find out more about the report here. |
Second line
Statements and KRIs are owned by group functions; they have responsibility for embedding and monitoring controls to meet appetite.”
CRO
ASX Telecommunications organisation
Second-line business functions, where the majority of risk owners typically sit, compile data about risk appetite, metrics, limits and tolerances and report this to the board. However, they also use risk appetite to trigger management action when risk exposure exceeds tolerance.
Risk appetite is embedded in the enterprise risk assessment methodology at more than 70% of organisations. This enables risk owners (and more broadly, their departments) to validate their key risks against the organisation's appetite limits. In one organisation, for example, all departments validate key risks at least three times a year.
At some companies, risk appetite is also used in management incentive systems, with the goal of promoting more proportionate decisions. Appetite then, if backed up by qualitative metrics and data, can provide a framework for assessing risk management performance.
.jpg?width=1080&height=1080&name=Risk%20Leadership%20Network%20combination%20logo_RGB(2).jpg)
“We train first-line managers on our appetite statements and encourage them to refer back when making decisions, especially in 'grey' areas”
Head of Risk
multinational privately-owned retail company
Risk appetite tends to get less traction the further down the business you go; in fact, risk appetite is only used in the first line at 13% of companies. Does this mean risk appetite is simply a leadership tool?
At those companies who have embedded risk appetite in the first line, a key action has been to obligate all staff to review and attest to reading risk appetite statements. The value here lies in the increased risk awareness organisation-wide.
By familiarising the overall business with risk appetite statements you can emphasis the key principle: that risk and opportunity work together. It's not enough to simply mitigate risks; in order for the business to be successful, it has to take calculated risks as well.
Helping first-line business units to use risk appetite more independently — i.e. through training sessions — can also be valuable from a risk-team perspective. While risk appetite would still be overseen centrally, first-line familiarity with, and use of, appetite, will free up the risk team's time and resources, allowing them to focus on strategically important issues.
Where to next?
Our Risk appetite implementation and optimisation benchmark was created in response to the priorities raised by a number of Risk Leadership Network members — all looking to embed risk appetite throughout their organisation.
Benchmarking against other organisations was our first step in supporting them. Now, we're continuing to support each member in their specific priorities by facilitating peer-to-peer collaboration via:
- 1-to-1 calls with practising risk leaders who have successfully embedding risk appetite within a similar organisation;
- Virtual workshops allowing risk leaders to share ideas, lessons learned, and validate their approach prior to implementation;
- Bespoke benchmarks, tools, and templates that solve specific issues and challenges.
We allow prospective members to get involved in one collaboration as a guest. Fill in this form to request to collaborate with leading CROs and heads of risk on risk appetite.
Share this
7 approaches to setting risk appetite for cyber security
How has risk appetite evolved in the past 3 years?
