How to operationalise risk appetite: four key steps

Mar 3, 2022

A good risk appetite statement can expertly articulate an organisation’s attitude to risk and opportunity, but what does that mean in practice?




Risk appetite statements are a fundamental tool for any business that is serious about risk management. But when it comes to practical applications, these statements do little on their own.

To turn risk appetite from a simple statement into an operational tool, it must be integrated into the very foundations of the risk framework.


1. Make it integrated

When attempting to operationalise risk appetite, boards will often try to get risk functions to run before they can walk. But it is no use creating a list of metrics to put appetite statements into practice if they don't reflect the direction in which the business is headed.

Therefore, risk appetite statements and the overall risk profile need to link back to business strategy and should be reflective of the key risks, which in turn reflect the business objectives. Risk appetite must be implemented in a way that's unique to a business.

Member case study: Setting appetite for individual risk categories

If your taxonomy is established and well understood across the organisation, this can form the basis for embedding risk appetite further down the business.

One risk leader explained that their risk taxonomy is divided into four overarching "Level 0" risk categories: Operational, Strategic, Financial and Compliance. These categories are used to bucket all of the "Level 1" risk categories that the business would describe as its principal or material risks; for example, Health and Safety would fall under Operational.

For each Level 1 category, appetite has been set and agreed with the board. In order to assess whether the correct level of risk is being taken for each of these categories, a four-step process is followed:

  1. Score the risk as it is currently being managed and compare it to the target score (which is the risk appetite).
  2. Assess key risk indicators (KRIs) against both appetite and tolerance limits to identify whether escalation or any corrective action is necessary.
  3. Assess other risk information available, such as effectiveness of current controls, results of any assurance activity (e.g. audits) and external events (e.g. issues in supply chain) that could impact the company's risk profile.
  4. Compare risk owners' assessments with appetite levels agreed by the board, and consider whether they align.

Next steps for this organisation: To assess whether risk appetite is currently driving business decisions and ensure the business is engaged, so they understand why appetite applies to them.


Also, as one risk leader raised while presenting their risk appetite process to the network, companies need to define the context of their risk appetite statements and connect them to the value model of the organisation, so they reflect the corporate values of the business.

In order to align risk appetite with business values and strategic direction, risk leaders must consult with the relevant stakeholders, especially those at board level. Don't forget to embed risk appetite across all levels of the business, too.


2. Remember the upside

While risk appetite has traditionally focused on downside risks, remember also the opportunities facing a business. When defining the key risks, it is important to identify the critical success factors that are integral to an organisation’s development.

Member case study: Risk appetite "sliders"

While some companies adopt a whole range of appetite settings, even using a scoring system to quantify their target risk appetite, others prefer a simpler approach.

One organisation uses "sliders" - spectrum-style graphics split into different zones like the example below - within their risk appetite statements, which mark the amount of risk the company is currently taking (in black) and the amount of risk it wants to take in the future (in blue).

[Figure: appetite slider]

A four-level slider like the one above may be useful in terms of forcing an organisation to take a position for each of its principal risks: either it is risk-averse, or it is willing to take that risk for entrepreneurial reasons.

The balance between opportunity and threat can also be factored into talks held with risk sponsors: for example, instead of just focusing on how external events could create risk for the business, emphasis is placed on how these events may impact the risks already identified by the business, both from an upside and downside perspective.


Bear in mind, however, that not all risk appetite statements are suited to quantitative performance indicators, and board expectations regarding this should be managed from the outset.

As such, indicators should not be the sole judge of whether or not an organisation is in or outside of risk appetite; professional judgement is needed on this at all times. (You might find this list of six FAQs on risk appetite basics useful.)

Finally, risk leaders agree that regularly reviewing the indicators an organisation has in place, according to a timeline established with the board from the outset, is important. This ability to make adjustments will improve the adaptability of the business and allow for a realignment to take place where necessary.

Member case study: Use existing KPIs as risk indicators

If your organisation is still in the early stages of its maturity journey and has only just begun to operationalise risk appetite, an important next step is to collect KRIs that enable the business to more effectively measure the position of its risks relative to appetite.

One company that found itself in this position asked the question: "What do different departments measure already that could be repurposed as a KRI to determine whether the business is inside or outside appetite?"

They realised that key performance indicators (KPIs) the business was already measuring to assess its performance - for example, response time to incidents, resolution time and success rate of product testing - could double up as KRIs. The benefit of this approach is that the business is familiar with these KPIs and how to monitor them, making the process of gathering KRI data much smoother.

 


3. Define your controls

Another key stage of operationalising risk appetite is introducing controls and assurance processes to help the business remain within its appetite range. To maximise the effectiveness of these controls, it is often useful to sort risk appetite statements into five categories: averse, minimal, cautious, receptive and embrace.

Risks in the averse category, such as health and safety, will usually have robust controls in place that are focused on prevention and are most commonly procedural in nature.

This category will also usually have assurance across all three lines of defence, including things like management attestation and audits.

At the other end of the scale, risks in the embrace category are much more likely to be subjective in their nature and rely more on professional judgement in the decision-making process.


4. Establish roles and responsibilities

In order for risk appetite statements to work within an organisation, people at all levels of the business need to take ownership, particularly at the level of senior management and the board.

For example, one risk leader explained that in their company, each of their board subcommittees has a suite of risk appetite statements they are responsible for. Their role involves monitoring statements on a monthly basis and making any amendments as necessary.

As well as getting the buy-in of senior leaders, it’s important to encourage people throughout the organisation to be proactive on risk appetite by communicating effectively and providing opportunities for training.

“We have also begun the process of operationalising risk appetite by holding one-on-one meetings with each business unit across the group about the risks they are facing and what they hope to achieve”
Risk leader, CRO, FTSE 250 organisation

 

On the topic of training, one member highlighted three key factors that risk leaders should consider when raising awareness about appetite: keep it simple; relate it to everyday business activities; and make sure people are clear on what role they play in the risk appetite framework.


What are your risk management priorities?

This advice was collated from a series of member meetings facilitated by Risk Leadership Network on operationalising risk appetite. The series took place because a number of our members raised this topic as one of their big priorities for the year ahead.
