An effective risk appetite statement matches risks to an organisation’s actual strategic and business objectives, writes Andrew Potter, general manager of risk and compliance at BAI Communications
Anyone in the risk management profession should strive to have a risk appetite statement. It clarifies the organisation’s position and illustrates the views of the board and shareholders on risk. However, some risk managers would argue that you do not need a risk appetite statement if you do risk management well, and they simply go without one because there is no real alternative. But a well-formed risk appetite statement can be a simple yet effective piece of contemporary risk management.
So, why do many organisations not have a risk appetite statement? And, if they do, why doesn’t it reflect reality? There are many factors that contribute to this state of affairs. They include differences of opinion between senior management and the board, a lack of understanding of the purpose of a risk appetite statement (or how to articulate it), and the chief risk officer not being consulted (or their guidance not taken on board). In addition to this, there are several different risk appetite definitions that make it more difficult to put the concept into practice. For example, to the Financial Services Authority (FSA), risk appetite is the amount of risk that one is prepared to accept, tolerate or be exposed to at any point in time. For the Institute of Risk Management, risk appetite can be defined as the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives.
When I started at BAI Communications, it was a greenfield opportunity. I developed the risk management framework, including the risk matrices, for board approval. After the framework was approved, I set about getting a risk appetite statement approved at the next board meeting. I sat down with some former colleagues, someone I know and respect at EY, and our external auditors to discuss my proposal. They all thought it sounded like a relevant and effective concept. Some people wondered why it had not been done before.
When people write a risk appetite statement, they too often base it solely on a financial aspect, or on health and safety. For example, a business might say it has no appetite for death. Although that may be true, it might not match the reality and nature of the industry it operates in, or the practical business decisions it makes in the real world. Or it might state that it has no appetite to risk a million dollars, and then the following week invest in a new business and spend $20 million. Such a statement does not correspond with the realistic risks or opportunities that the business faces.
I based our risk appetite statement at BAI on risk rating, which might not work for everyone. We classify risks as ‘extreme’, ‘high’, ‘medium’ or ‘low’, and rate them against all the consequence categories. All risks rated high or extreme are considered to be outside the risk appetite of the company, unless the risk has been mitigated as much as possible and subsequently accepted and approved. High and extreme risks that are not accepted are to have approved mitigation plans in place to reduce the exposure and subsequently bring the risk rating down.
When I took the risk appetite statement to the board, there were many questions on the concept because the directors had not seen it before. We talked about it for more than 45 minutes, which was great because the board was so engaged. They came away with a better understanding, based on the consequence matrix, of the levels of risk the company is willing to accept.
My main advice when forming a risk appetite statement is to keep it relevant to what you do in practice. Be pragmatic, don’t overcomplicate it, and don’t create what is essentially a fictional statement. For those with fully fleshed-out risk matrices, use them as the basis for risk appetite statements. It will help to articulate what you are willing to accept in terms of risk.
It is important to know what strategic objectives the organisation’s executives have set. You can then take that down to the next level, identify the departmental business objectives, and align them with the risks that can affect those objectives. This makes the statement more relevant to people, rather than putting a finger in the air and listing whatever comes to mind.
So, when creating a risk appetite statement, match the risks to your strategic and business objectives, and what you do in reality. This will improve the engagement of the board and the company’s risk management maturity.