Protecht recently conducted a webinar on “Risk Appetite: Development and Operationalisation” covering our North American, EMEA and APAC markets. A range of questions were posed during the webinars, some of which we were able to answer during the webinar and others not.
The following is a summary of all questions asked, together with a response.
Questions that were asked early in the webinar but addressed later on within the presentation have not been included below. These included such questions as “What is the difference between risk appetite and risk tolerance?” and “Please also explain risk capacity”.
Most commonly we would expect to see a risk appetite review carried out:
As a result, it can be good practice to have the risk appetite as a standing item on the Board agenda to discuss whether any updates are required.
Although the financial services (FS) regulators led the way in providing guidance and implementing requirements for financial service firms a decade or so ago, the principles of risk appetite have firmly spread across every industry. This has been driven by a desire for better risk management and a realisation of the importance of risk appetite regardless of the type of organisation – it is universally useful. In addition, corporate regulators (e.g. ASIC within Australia) have also provided requirements and guidance on the need for risk appetite within any organisation.
As a result, the majority of consulting work Protecht provides for risk appetite is now for non-FS firms, and the quality of the approach is no different from that for FS firms.
The underlying principle of risk appetite is to provide “freedom within boundaries”. Therefore, if the organisation, or some of its parts, are operating outside of appetite, it should be a stopper unless the organisation is willing to increase its appetite to capture these risks. This is the correct response, as risk is being taken above what the Board finds acceptable.
However, where the organisation, or some of its parts, are operating well within risk appetite, the risk appetite can be an enabler, allowing the business to take more risk. This is the complete opposite of a stopper.
With respect to decision making, the risk appetite should act as a stopper for decisions that are outside of appetite. Equally, where business as usual risks are identified outside of appetite, this should prompt decisions to bring it back within appetite.
There is no single correct answer to this. However, we have found the preferred practice which works well to be your option B: create a group level RAS at group board level and then create “Sub RASs” or “Mini RASs” for each subsidiary, which are aligned to the Group RAS but are owned by the boards of the subsidiaries.
The views on the use of surveys will differ based on the opinions of who you ask. From our perspective we do not find surveys overly useful for the following reasons:
I, for one, favour the workshop and open discussion approach for these reasons.
As there is no single definitive way to “measure” risk, we attempt to measure it in a number of ways. These methods may include:
Unfortunately, if we report each of these pieces of information separately and wish to apply the risk appetite concept, we need to articulate appetite based on metrics, RCSA matrices, control effectiveness, incident history, etc., which can be very confusing for the reader. As a result, we recommend either:
As you mature, move to an integrated measure of risk such as that demonstrated in the webinar, based on Protecht’s Risk In Motion concept.
We need to apply Pareto’s 80:20 rule to risk management in order to ensure we focus on what really matters and avoid information overload and distraction from non-material matters.
As a result:
That said, as risk management matures, appetite should be used for a wider range of operational decisions and be built into the culture. Ideally it filters down to the informal decisions we make where those decisions factor in an understanding of appetite in order to guide behaviour.
This should be addressed by ensuring the board level risk appetite is cascaded and operationalised through the business using the various artefacts that were shown in the webinar. As a result, staff should be referred to such things as policies, codes of conduct, values and commitments which should reflect and be aligned to the board risk appetite. As you suggest, a board level statement is usually too high level to be meaningful for staff.
This is a great question. The identification of a strong and comprehensive suite of KRIs to use for risk tolerance is often a challenge. We suggest that this is dealt with when you develop your key risk indicator capability and process. We will be running a separate webinar on this later in the year.
Once a strong suite of KRIs is developed across the business, these should be used to develop a suite of metrics for tolerance setting and for reporting to the Board as part of risk reporting. These will be higher level and often involve composite or aggregated KRIs made up of several more granular KRIs in the business.
This issue is common where boards are setting risk appetite for the first time. Conservatism prevails as the major focus will be on limiting harm to the organisation.
This needs to be dealt with by:
Risk appetite is the amount of risk we are willing to take / accept in pursuit of achieving our goals.
Risk acceptance links to risk appetite in the following ways:
This is certainly one of the methods available in order to operationalise the RAS within the business. Including it in governance forums and charters makes sense. For individual KPIs, the issue will be granularity, complexity and volume. We suggest cascading metrics to a business unit level and then if the business unit wishes to link to an individual’s role as part of staff performance management, that is their option.
Yes is the quick answer. Project execution / delivery risks which lead to cost, time and quality issues can be addressed by risk appetite in the same manner as for operational risks. The cost, time and quality become the objectives and therefore tracked by KPIs and the risks that could lead to uncertainty in these desired outcomes would be tracked by KRIs. The principles are the same.
Bow Tie analysis is fit for purpose for any risk and that includes project management risks. There is no reason not to use the principle on these risks.
With difficulty! Moving from a siloed, risk-by-risk view for setting appetite and measuring risk against that appetite is difficult, particularly for non-financial risks. This is because the lack of data makes the use of statistical techniques such as Monte Carlo simulation very difficult. Statistical techniques such as Monte Carlo are the main approaches for dealing with correlation between risks within financial risk management.
One way that correlations between risks, and as a result the trade-offs between risk appetite components, can be measured is to use scenario analysis where the scenario involves multiple risks. For example, running a scenario of a project failing at the worst possible time (based on multiple risks) and setting a risk appetite on the maximum financial loss that would be acceptable. This appetite by default covers the combined impact of multiple risks.
I would strongly suggest you restart. The risks defined in the risk appetite statement should be the same as the corporate risks assessed in the business and these should be clearly aligned to strategy and objectives. We should have one core set of strategy aligned risks for everything we do in risk management.
No. The coverage is dependent on the coverage of your identified top level risk categories. These should form the basis of your common risk taxonomy, at the board or board equivalent level.
The principle of the corporate level categories is (roughly) that they will cover 80% of your total risk. This usually leads to approximately 15 or so corporate level risks covering operational, financial and strategic risks.
The RAS should then be based on these same corporate level risks – approximately 15.
The role of internal audit is to provide reasonable assurance that risk management is operating effectively across the organisation and that includes Risk Appetite. It is not to set risk appetite. The audit of risk appetite should be based on a test plan aligned to the level of maturity of the organisation which in itself is aligned to good / best practice.
The ISO 31000 standard does not provide guidance at this level of granularity for the development of KRIs. It refers to “Monitoring and Reporting”, and this is where KRIs most naturally fit. Simply using KRIs will help you align to the 31000 standard, but no further granular guidance is provided.
Protecht does have a proforma risk appetite statement that we use for our client assignments. As such it is not available for free due to the IP involved. However, I can provide you with an outline of the typical contents of the statement and you can email me on email@example.com if you would like that.
It is usually developed and set as a joint exercise between management and board. However, the Board “owns” the risk appetite which means that they are ultimately responsible for its level.
My view is that ISO 31000 avoids inherent risk because it was too hard to get the multiple countries involved in developing it to agree. The ISO 31000 standard is substantially based on the old AS/NZS 4360 standard, which did define inherent risk. The issue hinges on different views as to the usefulness of inherent risk. Some see it as useful (including Protecht) and others not so much. (Refer to https://www.protechtgroup.com/blog/inherent-risk-definition)
I assume this refers to the Likelihood and Consequence matrix. If so, yes, you can have as many different zones as you like. We typically see somewhere between 3 and 5 zones. The issue is you should minimise the number of zones to aid simplicity and only if you have a valid and valuable reason to introduce more zones (e.g. greater level of granularity of risk, different escalation and response actions by zone etc.) should you have more.
Risk appetite is dynamic and therefore is expected to be reviewed / adjusted on an ongoing basis. (Refer question 1). The reason for revision is outlined in question 1 and includes where a major shock occurs which causes us to re-evaluate our appetite.
As the pandemic comes under control, I am not sure our overall appetite for pandemic-related risk would change, but the metrics we use for tolerances will change. For example, we may still have a low appetite for the health-related pandemic risks, but we may alter our thresholds for metrics such as “number of staff in the office”, “time period for isolation”, etc.
Protecht (and, I assume, COSO) persist with “Enterprise” Risk Management as:
David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to elevate risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind pushing Protecht’s risk thinking to the frontiers of what is possible in risk management and behind supporting the uplift of people’s risk capability through training and content.