We believe risk appetite is maturing across the profession. Of course, organisations remain at all stages of the journey and we know that many of the high-level challenges of risk appetite have not changed.
However, we've noticed small, yet meaningful, shifts in execution and thinking, during collaborations that we've facilitated over the past few years:
1. Anchoring risk appetite to categories
The majority of companies now align their risk appetite statements to categories under their risk taxonomy, not specific risks.
There is also greater clarity as to what these categories should be and, more importantly, what warrants a risk appetite statement to begin with.
For example, many of our members no longer include Reputation as a risk (or category of risk) under their taxonomy. Instead, Reputation is most often considered a potential consequence of multiple other risks materialising.
2. Distinguishing "appetite" from "tolerance"
Risk appetite and risk tolerance go hand-in-hand, but now practitioners in our network are making more of a special effort to define the two, and communicate to the business how they differ.
This feeds into reporting, with several risk leaders now displaying a continuum for appetite and tolerance in the visuals they prepare for the board and the audit and risk committee (ARC).
These graphics include a traffic light system to indicate where the business is currently sitting in relation to any given appetite or tolerance position; often, what is outside of appetite is not, necessarily, outside of tolerance.
Risk leaders are increasingly recommending a "no new metrics" strategy for measuring a risk's position relative to appetite.
Although some practitioners have always done this, many others appear to be joining them:
We introduced new key risk indicators (KRIs) but it created too much complexity for the business and made reporting buy-in a struggle. Now we use existing business metrics to monitor the organisation's performance in relation to appetite.
CRO
Risk Leadership Network member
4. Appetite becoming the focus of risk reports
The question of whether risk appetite should be part of existing risk reporting, or a standalone report, is changing. Now risk leaders are pondering whether risk appetite will become their risk report.
As risk registers, matrices and other complex tools become less popular, the ability to distil the status of top risks using straightforward appetite and / or tolerance continuums could prevail, focusing the attention of the business on areas where performance is in the red, or shifting towards it.
Parallel to the rising prevalence of more straightforward appetite visuals is a growing focus on high quality commentary in risk reports, balancing the big picture view with an additional layer of granularity, particularly where appetite may be aggregated.
|
Where does this insight come from? Since the launch of Risk Leadership Network, we've addressed hundreds of specific member priorities on risk appetite — from introducing a risk appetite framework, to embedding risk appetite throughout an organisation, getting buy-in from senior leadership on appetite and many more. Through targeted peer collaboration, we've addressed each individual priority by facilitating 1-to-1 in-depth calls, producing bespoke benchmarks, organising group virtual meetings, or collating peer templates and case studies. This article distils some of the trends we've noticed over the course of those collaborations with our members — practising corporate risk leaders at large multi-national organisations — over the past three years in particular. To find out more about how we work with our members, watch this short video or request to collaborate with peers on risk appetite. |
5. Using appetite as a means of prioritisation
Beyond reporting, one of the biggest challenges for businesses remains operationalising risk appetite. Furthermore, there seems to be little consensus of what "operationalisation" involves in this context.
That being said, risk leaders in our network have been discussing, in practical terms, how they are using appetite as a basis for prioritising the allocation of resources and deciding where to apply the greatest assurance effort.
This brings challenges too, of course, with many of our members noting that their leadership is a long way from being comfortable with the idea of winding back existing controls or deliberately "doing less risk management" in some areas. However, the conversation is taking place.
.jpg?width=1080&height=1080&name=Risk%20Leadership%20Network%20combination%20logo_RGB(2).jpg)
6. Linking appetite to budgets
An issue many practitioners are struggling with is that board-approved statements for risks with either "zero" or "very low" appetite (i.e. Cyber) are not being supported by the necessary level of investment. To mitigate these risks to the lowest level, time, money and resources are essential.
While this is an ongoing problem for a lot of our members, some risk leaders have shared case studies of business teams successfully using appetite to gain approval for increased spending in key areas. At these companies, appetite-focused reporting is making a difference.
What's next?
Making risk appetite truly operational is high on the agenda for many risk leaders; for most, it's an ongoing iterative process of improvement. We facilitate numerous peer-to-peer collaborations each month, for risk leaders to share approaches and lessons learned on the specific challenges they face within risk appetite.
To find out more how about we could support you with a specific challenge you're facing with risk appetite in your organisation, please fill in this form or book an introductory call.
Share this
How can risk appetite add value throughout the whole organisation?
Five ways to partner with the business to develop KRIs
