Do I need a risk appetite statement and what are the benefits?

2017-10-20T04:40:00+01:00

No comments

An effective risk appetite statement matches risks to an organisation’s actual strategic and business objectives, writes the general manager of risk and compliance at BAI Communications Andrew Potter

Anyone who is in the risk management profession should strive to have a risk appetite statement. It clarifies their organisation’s position and illustrates the views of the board and shareholders on risks. However, some risk managers would argue that you do not need a risk appetite statement if you do risk management well. They simply go without one because there is no real alternative. But a well-formed risk appetite statement can be a simple yet effective piece of contemporary risk management.

So, why do many organisations not have a risk appetite statement? And, if they do, why doesn’t it reflect reality? There are many factors that contribute to this state of affairs. They include differences of opinion between senior management and the board, a lack of understanding of the purpose of a risk appetite statement (or how to articulate it), and the chief risk officer not being consulted (or their guidance not taken on board). In addition to this, there are several different risk appetite definitions that make it more difficult to put the concept into practice. For example, to the Financial Services Authority (FSA), risk appetite is the amount of risk that one is prepared to accept, tolerate or be exposed to at any point in time. For the Institute of Risk Management, risk appetite can be defined as the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives.

When I started at BAI Communications, it was a greenfield opportunity. I developed the risk management framework, including the risk matrices for board approval. After the framework was approved, I went about getting a risk appetite statement approved at the next board meeting. I sat down with some former colleagues, someone I know and respect at EY and external auditors to discuss my proposal. They all thought it sounded like a relevant and effective concept. Some people were wondering why it had not been done before.

When people are writing a risk appetite statement, they too often base it on a financial aspect, or health and safety. For example, a business might say it has no appetite for death. However, although that may be true, it might not match the reality and the nature of the industry it operates in, and the practical business decisions it is making in the real world. Or it might state it has no appetite to risk a million dollars. However, the following week it invests in a new business and spends $20 million. The statement does not correspond with the realistic risks or opportunities that the business faces.

I based our risk appetite statement at BAI on risk rating, which might not work for everyone. We classify risks as ‘extreme’, ‘high’, ‘medium’ or ‘low’, and rate them against all the consequence categories. All risks rated high or extreme are considered to be outside the risk appetite of the company, unless the risk has been mitigated as much as possible and subsequently accepted and approved. High and extreme risks that are not accepted are to have approved mitigation plans in place to reduce the exposure and subsequently bring the risk rating down.

When I took the risk appetite statement to the board, there were many questions on the concept because they had not seen it before. We talked about it for more than 45 minutes, which was great because the board was so engaged. They achieved a better understanding, based on the consequence matrix, of the levels of risk the company is willing to accept.

My main advice when forming a risk appetite statement is to keep it relevant to what you do in practice. Be pragmatic, don’t overcomplicate it, and don’t create what is essentially a fictional statement. For those with fully fleshed-out risk matrices, use them as the basis for risk appetite statements. It will help to articulate what you are willing to accept in terms of risk.

It is important to know what strategic objectives the organisation’s executives have set. You can take that down to the next level and see what the departmental business objectives are, then align these with the risks that can impact those objectives. This makes it more relevant to people, rather than just putting a finger in the air and listing whatever comes to mind.

So, when creating a risk appetite statement, match the risks to your strategic and business objectives, and what you do in reality. This will improve the engagement of the board and the company’s risk management maturity.

No comments

Developed in partnership with Zurich, StrategicRISK's Knowledge helps risk managers answer the industry's big questions. Since StrategicRISK's Asia-Pacific launch in 2012 we've kept a database of frequently asked questions. Working with experts from across the region the Knowledge explores the steps risk professionals can take to answer them.

Knowledge
How can I start to move risk from being an operations focused function into a strategic decision-making tool?

2018-02-15T05:15:00Z

Former Scentre and Westfield CRO, Eamonn Cunningham tells risk managers exactly what they need to do step-by-step to implement a new way of working
News
Case study: how Network Rail reduced safety-critical errors and near-miss incidents

2023-12-05T11:30:00Z

Working with EY, Network Rail created an ambitious digital transformation strategy that has improved railway safety and created sustainable, long-term benefits.
Features
How to manage people-risk and win the war for talent

2023-12-01T16:22:00Z By Sara Benwell

The war for talent rages on as we continue to grapple with the post-COVID work landscape and fall out from the Great Resignation. At our roundtable, four risk experts shared how they attract and retain the best talent and future-proof against people-related threats.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from The Knowledge

News
16 essential questions to ask for effective scenario planning

2019-07-26T02:27:00Z

Scenario planning can help executives better understand the impacts of new goals and objectives set out in the organisation’s strategic plans. Here’s how you can optimise your scenario planning, writes Carol Williams, enterprise risk management consultant and founder of ERM Insights
Knowledge
What value is risk management ultimately bringing a company?

2019-06-07T01:54:00Z

What value is risk management ultimately bringing a company? This is the fundamental question we are all asking. If it can be answered, then the role of risk manager will take on a different meaning and level of influence writes Adrian Clements, international enterprise risk manager
Knowledge
What can I do as a risk manager to make a difference?

2019-05-07T01:45:00Z

Dealing with the c-suite is becoming one of the most critical components of a risk manager’s job. And to play a bigger role in their companies, risk managers need to develop critical soft skills, says François Malan, chief risk officer at Nexity

Do I need a risk appetite statement and what are the benefits?

Related articles

How can I start to move risk from being an operations focused function into a strategic decision-making tool?

Case study: how Network Rail reduced safety-critical errors and near-miss incidents

How to manage people-risk and win the war for talent

No comments yet

Only registered users can comment on this article.

More from The Knowledge

16 essential questions to ask for effective scenario planning

What value is risk management ultimately bringing a company?

What can I do as a risk manager to make a difference?