Protecht recently conducted a webinar on “Risk Appetite: Development and Operationalisation” covering our North American, EMEA and APAC markets. A range of questions were posed during the webinars, some of which we were able to answer during the webinar and others not.
The following is a summary of all questions asked, together with a response.
Questions that were asked early in the webinar and addressed later in the presentation are not included below. These included questions such as “What is the difference between risk appetite and risk tolerance?” and “Please also explain risk capacity”.
Click on a link below to jump to that question:
- How often should a risk appetite statement be reviewed?
- How much are non-financial service organisations formalising their approach to risk management?
- Should the appetite be a stopper?
- What is best practice for implementing risk appetite in conglomerates?
- Are risk surveys meaningful to show changes in stances on risk?
- How do you correlate or link RCSA outputs and risk appetite?
- What process and key decision areas to consider in risk appetite?
- How do we set the right expectation for RAS at the staff level?
- How do we decide on which metrics to include?
- What is the best way to temper overzealous executives who believe every risk needs to achieve a low-risk rating?
- Can you explain the difference between risk appetite and risk acceptance?
- Should RAS be incorporated into governance forum charters and individual role KPIs?
- Is the RAS often utilised within project delivery environments?
- How do you deal with correlations between risks?
- Our RAS was created using "risk themes" that do not clearly align to our corporate objectives. Should we restart or make do?
- Must RAS cover ALL possible risks?
- What is the role of an internal auditor in setting the risk appetite?
- For a Canadian small business developing KRIs, should I reference ISO 31000?
- Can we see an example of a risk appetite statement?
- Is risk appetite set by the management or the board?
- Why does ISO 31000 deliberately avoid defining inherent risk?
- Can we have more than 3 levels in the risk appetite matrix?
- As pandemic is under control, should organisations lower their risk appetite or keep it as of today?
- Why does COSO and Protecht persist with enterprise risk management instead of organisational risk management?
1. How often should a risk appetite statement be reviewed?
Most commonly we would expect to see a risk appetite review carried out:
- At least annually as a standard review, similar to the board review of policies.
- When there is a change in strategy. The annual review is ideally timed in line with the strategic planning review, as the two should be developed together. Where strategic planning is carried out at another time, the risk appetite should be reviewed for any impact of the strategy change.
- At ad hoc times where a material risk situation occurs, such as:
  - Where a major external shock occurs, e.g. COVID-19, which changes the risk landscape and requires an appetite adjustment.
  - Where we gain a greater understanding of a key risk, which prompts a revisit of the risk appetite in light of the greater knowledge.
- When there is an improvement that can be made to the Risk Appetite Statement (RAS), such as the addition of new metrics that enhance the statement.
As a result, it can be good practice to have the risk appetite as a standing item on the Board agenda to discuss whether any updates are required.
2. To what extent are non-financial service organisations formalising their approach to risk management, including adopting, maintaining and managing to risk appetite?
Although the financial services (FS) regulators led the way in providing guidance and implementing requirements for financial service firms a decade or so ago, the principles of risk appetite have firmly spread across every industry. This has been led by a desire for better risk management and a realisation of the importance of risk appetite regardless of the organisation – it is universally useful. In addition, corporate regulators (e.g. ASIC within Australia) have also provided requirements and guidance on the need for risk appetite within any organisation.
As a result, the majority of consulting work Protecht provides for risk appetite is now non-FS and the quality of the approach is no different to FS firms.
3. Should the appetite be a stopper? Or just a guide for decision-making?
The underlying principle of Risk Appetite is to provide “freedom within boundaries”. Therefore, if the organisation, or some of its parts, is operating outside of appetite, it should be a stopper unless the organisation is willing to increase its appetite to capture these risks. This is the correct response, as risk is being taken above what the board finds acceptable.
However, where the organisation, or some of its parts, is operating well within risk appetite, the risk appetite can be an enabler, allowing the business to take more risk. This is the complete opposite of a stopper.
With respect to decision making, the risk appetite should act as a stopper for decisions that are outside of appetite. Equally, where business as usual risks are identified outside of appetite, this should prompt decisions to bring it back within appetite.
4. For conglomerates, which one is a better practice? Option A: One risk appetite applicable for the parent company and to all subsidiaries or Option B: Risk Appetite at the parent level and separate risk appetite statement (aligned with the appetite at the parent level) should also be defined at the subsidiaries level
There is no correct answer to this. However, we have found the preferred practice which works well to be your option B. Create a group level RAS at group board level and then create “Sub RASs” or “Mini RASs” for each subsidiary which is aligned to the Group RAS but is owned by the boards of the subsidiaries.
5. We recently ran a 'risk survey' among our Executive Committee and Board of Directors to determine each member's current stance on each of our top risks (appetite, relevance, capability to handle). Do you think this kind of survey is meaningful to show changes in stances on risks? We can illustrate the movement of risks around the heat map each year. Or is this overall a waste of time? Have you done risk surveys at all before to calibrate the business's view on various risks over time?
The views on the use of surveys will differ based on the opinions of who you ask. From our perspective we do not find surveys overly useful for the following reasons:
- People often answer surveys based on what they believe the requester wants to hear rather than what they actually believe. This bias can render surveys of little value.
- When it comes to asking for qualitative opinions on matters such as risk appetite, relevance and capability to handle, there is great benefit in listening to a wide variety of views and debates to temper an individual’s view. This includes clarifying, learning and challenging each other. This cannot be achieved in a survey.
- Once survey results have been obtained, what do you do about widely divergent views? In a workshop, these can be debated on the spot and a consensus is more likely to be reached.
I, for one, favour the workshop and open discussion approach for these reasons.
6. How do you correlate or link RCSA outputs and Risk Appetite - arguably 2 separate measures of risk that you present to the board
As there is no single definitive way to “measure” risk, we attempt to measure it in a number of ways. These methods may include:
- Qualitative judgement using an assessment of likelihood and consequence. This is typical of an RCSA approach.
- Quantitative using proxies for the risk such as using Key Risk Indicators (KRIs)
- Semi-quantitative, where we use data as well as judgement. An example may be controls assurance, where we assess controls in a number of ways and then provide an overall evaluation such as Effective, Partially Effective or Ineffective.
- Quantitatively using historical information. This would apply to incident management.
Unfortunately, if we report each of these pieces of information separately and wish to apply the risk appetite concept, we need to articulate appetite based on metrics, RCSA matrices, control effectiveness, incident history etc., which can be very confusing for the reader. As a result, we recommend either:
- Focus on KRIs as the main method to articulate appetite and measure against it.
- Consider not using the RCSA matrix as a tool to evaluate risk against appetite.
As you mature, move to an integrated measure of risk such as demonstrated in the webinar based on Protecht’s Risk In Motion concept.
7. What process and key decision areas would you look for explicit risk appetite considerations?
We need to apply Pareto’s 80:20 rule to risk management in order to ensure we focus on what really matters and avoid information overload and distraction from non-material matters.
As a result:
- Apply risk appetite at the board level to the key board level risks. We would expect this to be for around 15 risk categories.
- Apply risk appetite formally using the “Can I?” principle for material decisions. This would most likely cover strategic decisions and material operational decisions.
That said, as risk management matures, appetite should be used for a wider range of operational decisions and be built into the culture. Ideally it filters down to the informal decisions we make where those decisions factor in an understanding of appetite in order to guide behaviour.
8. How do we set the right expectation for RAS at the staff level? We often say to staff to refer to Board risk appetite statement to assess their target risk, but often the Board RAS is set at too high level to make it useful for staff.
This should be addressed by ensuring the board level risk appetite is cascaded and operationalised through the business using the various artefacts that were shown in the webinar. As a result, staff should be referred to such things as policies, codes of conduct, values and commitments which should reflect and be aligned to the board risk appetite. As you suggest, a board level statement is usually too high level to be meaningful for staff.
9. I've found challenges in deciding KRIs or tolerances for risk appetite. How does one decide on which metrics to include?
This is a great question. The identification of a strong and comprehensive suite of KRIs to use for risk tolerance is often a challenge. We suggest that this is dealt with when you develop your key risk indicator capability and process. We will be running a separate webinar on this later in the year.
Once a strong suite of KRIs is developed across the business, these should be used to develop a suite of metrics for tolerance setting and for reporting to the board as part of risk reporting. These will be higher level and often involve composite or aggregated KRIs made up of several more granular KRIs in the business.
10. Regarding stakeholder views, in your opinion, what is the best way to temper overzealous executives who hold a view every risk needs to achieve a low-risk rating?
This issue is common where boards are setting risk appetite for the first time. Conservatism prevails as the major focus will be on limiting harm to the organisation.
This needs to be dealt with by:
- Providing adequate education to the board on risk appetite concepts and meaning with special focus on the relationship between risk and reward, and as a result, risk appetite and reward. Without risk there is no reward. With too much risk we may get reward in the short term but then inevitably we fail as a major risk hits. We must get the balance right.
- Explain that with too low a risk appetite we fail slowly and with too high a risk appetite we might fail quickly.
- Explain the implications of setting too low an appetite. For example, if we deem the current level of cyber risk to be medium and the board wants low, this risk would be outside of appetite and would require immediate attention and most likely substantial investment in improved cyber controls. Is the board ready for this?
11. Can you please explain the difference between risk appetite and risk acceptance?
Risk appetite is the amount of risk we are willing to take / accept in pursuit of achieving our goals.
Risk acceptance links to risk appetite in the following ways:
- Where the risk is evaluated against appetite and deemed to be within appetite, you may accept the risk automatically. This would be especially true where the risk is evaluated as being in the “Green” zone – within appetite, no immediate action required.
- Where the risk is outside of appetite (red zone), this usually means immediate action is required. This action may include:
  - Improvement in controls (remediating weak controls or filling control gaps)
  - Process re-engineering
  - Formal risk acceptance
- Formal risk acceptance involves accepting a risk outside of appetite. This acceptance should be based on a formal risk acceptance policy and process, carried out by duly authorised persons or a committee. Acceptance should be for a finite time and should be used where we do not wish to avoid the risk but the treatment method will take some time to implement.
12. Should RAS be incorporated into governance forum charters and individual role KPIs to enable operationalisation?
This is certainly one of the methods available in order to operationalise the RAS within the business. Including it in governance forums and charters makes sense. For individual KPIs, the issue will be granularity, complexity and volume. We suggest cascading metrics to a business unit level and then if the business unit wishes to link to an individual’s role as part of staff performance management, that is their option.
13. Is the RAS often utilised within project delivery environments and is the Bow Tie risk analysis fit for purpose within the project delivery community?
Yes is the quick answer. Project execution / delivery risks which lead to cost, time and quality issues can be addressed by risk appetite in the same manner as for operational risks. The cost, time and quality become the objectives and therefore tracked by KPIs and the risks that could lead to uncertainty in these desired outcomes would be tracked by KRIs. The principles are the same.
Bow Tie analysis is fit for purpose for any risk and that includes project management risks. There is no reason not to use the principle on these risks.
14. How do you deal with correlations between risks? And trade-offs between elements/statements in your risk appetite?
With difficulty! Moving from a siloed, risk-by-risk view for setting appetite and measuring risk against that appetite is difficult, particularly for non-financial risks. This is because the lack of data makes the use of statistical techniques such as Monte Carlo simulation very difficult. Statistical techniques such as Monte Carlo are the main approaches for dealing with correlation between risks within financial risk management.
One way that correlations between risks, and as a result trade-offs between risk appetite components, can be measured is to use scenario analysis where the scenario involves multiple risks. For example, run a scenario of a project failing at the worst possible time (based on multiple risks) and set a risk appetite on the maximum financial loss that would be acceptable. This appetite by default covers the combined impact of multiple risks.
15. Our RAS was created using 'risk themes' that do not clearly align to our corporate objectives or corporate risks. Should we restart, or make do and try to align to our objectives?
I would strongly suggest you restart. The risks defined in the risk appetite statement should be the same as the corporate risks assessed in the business and these should be clearly aligned to strategy and objectives. We should have one core set of strategy aligned risks for everything we do in risk management.
16. Must RAS cover ALL possible risks?
No. The coverage is dependent on the coverage of your identified top level risk categories. These should form the basis of your common risk taxonomy, at the board or board equivalent level.
The principle behind the corporate level categories is (roughly) that they will cover 80% of your total risk. This usually leads to approximately 15 or so corporate level risks covering operational, financial and strategic risks.
The RAS should then be based on these same corporate level risks – approximately 15.
17. I'm an internal auditor. On the basis of the information received, it seems to be clear that setting risk appetite is a task of risk management (and management). What is the role of internal audit in that context?
The role of internal audit is to provide reasonable assurance that risk management is operating effectively across the organisation and that includes Risk Appetite. It is not to set risk appetite. The audit of risk appetite should be based on a test plan aligned to the level of maturity of the organisation which in itself is aligned to good / best practice.
18. For a Canadian small business developing KRIs, should I reference the ISO 31000 standards? Or is there another standard better for our area?
The ISO 31000 standard does not provide guidance at this level of granularity for the development of KRIs. It refers to “Monitoring and Reporting”, and this is where KRIs most ideally fit. Simply using KRIs will help you align to the 31000 standard, but no further granular guidance is provided.
19. Would love to see an example of a risk appetite statement
Protecht does have a proforma risk appetite statement that we use for our client assignments. As such it is not available for free due to the IP involved. However, I can provide you with an outline of the typical contents of the statement and you can email me on firstname.lastname@example.org if you would like that.
20. Is risk appetite set by the management or by the board?
It is usually developed and set as a joint exercise between management and board. However, the Board “owns” the risk appetite which means that they are ultimately responsible for its level.
21. Why does ISO 31000 (deliberately) avoid defining 'inherent risk', which particularly external auditors like to misuse as a synonym for 'gross risk' rather than recognising it as the innate nature of a risk, i.e. a nuclear power station has a different inherent risk than a biscuit factory and their respective inherent risks remain notwithstanding any & all treatment measures.
My view is that ISO 31000 avoids inherent risk because it was too hard to get the multiple countries involved in developing it to agree. The ISO 31000 standard is substantially based on the old AS/NZS 4360 standard, which did define inherent risk. The issue hinges on different views as to the usefulness of inherent risk. Some see it as useful (including Protecht) and others not so much. (Refer to https://www.protechtgroup.com/blog/inherent-risk-definition)
22. Can we have more than 3 levels on a risk appetite matrix?
I assume this refers to the Likelihood and Consequence matrix. If so, yes, you can have as many different zones as you like. We typically see somewhere between 3 and 5 zones. The point is that you should minimise the number of zones to aid simplicity, and only introduce more zones if you have a valid and valuable reason to do so (e.g. a greater level of granularity of risk, different escalation and response actions by zone, etc.).
23. As the pandemic is under control should organisations lower their risk appetite or keep it as of today?
Risk appetite is dynamic and is therefore expected to be reviewed and adjusted on an ongoing basis. The reasons for revision are outlined in question 1 and include where a major shock occurs which causes us to re-evaluate our appetite.
As the pandemic comes under control, I am not sure our overall appetite for pandemic related risk would change, but the metrics we use for tolerances will change. For example, we may still have a low appetite for the health related pandemic risks, but we may alter our thresholds for metrics such as “number of staff in the office”, “time period for isolation”, etc.
24. Why does COSO (and Protecht) persist with 'enterprise' risk management instead of organisational risk management because it applies to ALL entities: private as well as government sectors?
Protecht (and, I assume, COSO) persist with “Enterprise” Risk Management as:
- It is the oldest term to describe what we do (Protecht has used ERM since its beginning in 1999 and has no plans to change).
- We see no value in changing the description to such things as GRC or IRM as ERM already incorporates these. Governance, Risk, Compliance, Integration are all parts and features of ERM. Why change?
- It may not be in the dictionary definition but we, and many others, deem “enterprise” to cover every type of organisation and not just a certain type. We have clients across many industry segments: Public, Private, Government, Financial Services, Education, Manufacturing, and they all use ERM and are very happy to.