Organisations struggling to realise value from their risk management frameworks often look to the frameworks to identify the cause of the problem.
However, the cause can often be found in people, not systems. A major contributor to the failure of risk management frameworks is often the leadership team’s inability to identify and articulate the risk appetite of the owners – whether the owners are government, shareholders, or members.
Risk management frameworks should reflect a business’s strategy – and risk appetite is the mechanism for converging strategy and risk.
The vision statement for risk
Vision is to strategy, as appetite is to risk.
Risk appetite is important as it sets expectations about how the organisation manages the risk of doing business. It is a statement of culture, behaviour, priorities and boundaries.
Risk appetite is a fundamental tool in outstanding management practice – allowing managers at all levels of an organisation to work within understood boundaries and get on with the job.
Unfortunately, most organisations do not define their risk appetite. Rather, owners trust that leaders innately understand their risk appetite, and leaders trust that managers intuitively know how to work within these assumed boundaries.
If defined at all, risk appetite is usually an after-thought by boards and executives during strategic planning.
Very rarely do boards and executives think about the risk appetite of owners prior to defining the organisation’s strategy, yet this approach is critical to meeting the expectations of owners.
Why an articulated risk appetite is so important
A carefully considered risk appetite statement forces the board and executives to consider, in detail, the requirements of the owners.
It provides universal understanding and transparency of the expectations of all parties, shining a unifying and guiding light on every management decision in the organisation.
When intelligently crafted and communicated, a risk appetite statement:
- reduces inefficiency and bureaucratic delay in decision-making
- improves accountability
- lifts engagement and empowerment
- improves performance against objectives.
Appetite vs tolerance – what’s the difference?
So is risk appetite the same as risk tolerance? No.
An organisation should only have one risk appetite statement (as it will drive consistency across the business), but should have a number of definitions of risk tolerance depending on variables in each business unit including management level, operational context, and business-unit specific risks.
Risk tolerance is a tool for triggering a decision about managing risk, to bring the risk profile of the organisation within the risk appetite of the owners.
How to articulate risk appetite?
Risk appetite may be expressed in either qualitative or quantitative terms, and is often defined in a number of categories of strategic relevance to the organisation.
Examples of risk appetite statements include:
- Compliance: We accept no risk in complying with legislative requirements of any jurisdiction we operate within.
- Project: We accept no greater than 15 per cent of approved budget risk on any project.
- Safety: We do not undertake any activity when the risk to the safety of any person is greater than the As Low As Reasonably Practical level.
- Investment: We do not undertake investment in any product with a rating of below S&P BBB+. We exit investments with a rating of below S&P BBB for longer than six months.
- Capital leverage: The capital of the organisation shall not be allowed to be leveraged to achieve growth targets to the extent that future acquisition opportunities are not able to be pursued.
Risk appetite statements are not standard, as an organisation’s risk appetite statement is unique to that business. It will vary with shareholder expectation, the environmental and competitive context, and past business performance.
However clarity, consistency, traceability and accountability are the key characteristics of risk appetite statements that are likely to be effective.
For more about crafting a risk appetite statement or assistance with your risk framework, please contact Al Armstrong, Senior Group Manager Risk Services on (07) 3229 4499 or firstname.lastname@example.org