
Risk appetite: Getting the board on board webinar Q&A.

For any organisation, the development and articulation of the risk appetite is crucial in order to define and guide the degree of freedom that its employees have in taking and accepting risk.

The development of risk appetite is ultimately owned by the board, who should give sign-off and approval. This requires the board to be ‘on board’ with the whole process, providing input and challenge at all stages from its development to final approval. However, getting the board on board can often be a challenge, requiring a degree of education to align thinking, as well as strong facilitation to bring board members to an agreed view.

In our recent thought leadership webinar, David Tattam, Protecht’s Chief Research and Content Officer, and Michael Howell, Protecht’s Research and Content Lead, take a practical approach to how you can best get your board on board.

If you missed the webinar live, then you can view it on demand here:

Watch on demand

Questions

How do you talk to someone in a leadership role who thinks risk management is just something to do with handling documented risk findings?
How often do you review risk appetite?
What is the difference between "change/delivered risk management" and "project risk management"?
What is the best way to approach the board for creating and owning risk appetites if we have never done this before?
I'm a Business Continuity Manager reporting into a Director of Information Security then to a CISO into a CIO. I don't have board representation or a dotted line to management – is there a way to achieve this?
What happens if the Board has determined their risk appetite, and the organisation’s Emergency Management unit develops an emergency or crisis trigger that is at a substantially lower threshold than the risk appetite?
Do regulators inherit or share the risk of industry, from a safety perspective, if a justified and reasonable approach still results in an unwanted outcome?
Do you advise using a quantitative description for each risk category from a risk capacity, risk threshold and risk tolerance/limit perspective?
How can I help encourage a not-for-profit board to be less risk averse, considering the sector’s history of risk adversity and capital constraints?
Looking at KRI tolerances of green, amber, and red, would you not also consider a fourth being significantly below green/amber tolerance, indicating that the organisation is not taking enough risk?
Do you have advice in how to manage directors who believe that inherent risk isn't real?
When organisations/directors have vague or poorly articulated objectives, does this hang up the risk appetite session?
What is your view on whether risk appetite should be made publicly available?
Would it be possible to expand on the KPI and KRI on the 'Methodology for Risk Appetite'? The quantitative part was not too clear. What's the best way to accurately set the thresholds?
When the appetite for each key risk is different, does the board need to have a risk appetite statement for each of the key risks?
Do government agencies have much choice in setting the level of risk appetite, given that they are responsible for taxpayers’ funds and are not in the research or competitive markets?
Is it acceptable to go outside risk appetite boundaries with approval in the short term with additional controls and superior profit/benefit?
An incident within a certain area might be severe, but how do you judge if it brings the whole area outside the risk appetite?
What practical techniques can we use to embed the risk appetite statement to lower levels of the organisation?
Can you explain the differences between KPIs and KRIs?
We have an overall risk appetite statement but I don't feel that we have operationalised this. Would it be better to build from what we have or start from the beginning?
Can you explain the difference between risk appetite metrics and risk indicators?
How do you define risk appetite for regulation that works on a principles-based approach, where the regulation is open to interpretation?
Who should take responsibility for the board education session?
How can one have sight of management's appetite before venturing into an investment? Is it possible to factor the risk appetite on our risk registers?

How do you talk to someone in a leadership role who thinks risk management is just something to do with handling documented risk findings?

It sounds like you need to take them out of a compliance, “tick the box” mindset when it comes to risk management. Try to flip the focus to outcome management. What are their objectives, and how much certainty do they need that they will attain them? Uncertainty related to the achievement of their objectives exists regardless of whether that uncertainty is documented. They are managing risk every day, even if they don’t recognise it!


How often do you review risk appetite?

The preferred answer is ‘dynamically’. Typically, it is reviewed on an annual basis (and some regulators require this to happen), ideally at the same stage that strategy and business plans are being developed as they go hand in hand. It may however also need to be reviewed and adjusted on an ad hoc basis in response to trigger events such as:

  • Rapid environment changes, e.g. if the market you operate in is changing quickly, such as the emergence of a disruptive competitor, you might need to redefine the amount of risk you are willing to take to remain competitive
  • Changes in perceived risk levels or risk behaviour, e.g. a pandemic
  • Out-of-cycle material changes to strategy


What is the difference between "change/delivered risk management" and "project risk management"?

Great question. We see the latter as risks to project success itself, for example risks that would result in delays to the schedule or additional cost to the project. Delivered risks are those that are delivered into the organisation or operating model once the project is complete. You can read more in our blog titled When risk and reward don’t talk.


What is the best way to approach the board for creating and owning risk appetites if we have never done this before?

If you have not done this before, the board needs to go through fundamental risk appetite training focused on the value it brings and how it should be used across the organisation to add value. Where possible, get the board to conduct more general risk management fundamentals training such as Protecht Academy’s Risk management for boards course.

Lean into the concept of freedom within boundaries, and bring it to life with stories. Personal stories can be relatable, but you might also use a hypothetical scenario relevant to your organisation’s context. In that scenario, what limit would the board put on the risks management is allowed to take while pursuing objectives? This can be the hook to get buy-in.

You can also lean on regulatory drivers if you need to – but that can make it feel like a tick the box exercise.


I'm a Business Continuity Manager reporting into a Director of Information Security then to a CISO into a CIO. I don't have board representation or a dotted line to management – is there a way to achieve this?

While I don’t know the scope of your role, I would suggest that business continuity should not belong to IT – it belongs to the business. We are seeing a shift from business continuity to operational resilience, which requires end-to-end insight into operations. You may need to navigate internally and find someone sympathetic to your view. The key will be demonstrating the business need for, and value of, your proposal. How will the organisation benefit from this change? Good luck!


What happens if the Board has determined their risk appetite, and the organisation’s Emergency Management unit develops an emergency or crisis trigger that is at a substantially lower threshold than the risk appetite?

This sounds like a perfect candidate situation for our ‘Can I, Should I’ test. ‘Can I’ represents a test against risk appetite – in this case it is within risk appetite. The subsequent ‘Should I’ test checks reward. Is the lower threshold (and investment in resources) actually preventing the organisation from achieving other objectives? If you are in that position, you can suggest too little risk is being taken.


Do regulators inherit or share the risk of industry, from a safety perspective, if a justified and reasonable approach still results in an unwanted outcome?

The regulator’s view or approach (and associated regulations that may apply) is a reflection of the risk appetite of society, which sets the boundary of risk appetite of regulated entities. The way that regulators approach enforcement can have an impact – if they are too light, entities may become complacent. We have seen instances where regulators are held to account for allowing systemic issues to occur under their watch. If regulated entities have acted within their own risk appetite and met regulatory requirements, ideally this would be reflected in any investigation. Not all risk can be eliminated.


Do you advise using a quantitative description for each risk category from a risk capacity, risk threshold and risk tolerance/limit perspective?

We do recommend a measurable metric for trigger and tolerances, so that you have objective measures to support additional action and attention. We do not regularly see capacity quantified outside of financial risks.


How can I help encourage a not-for-profit board to be less risk averse, considering the sector’s history of risk adversity and capital constraints?

Promoting additional risk taking needs to come with commensurate reward. Leveraging that will be key to taking them on a journey. An approach might be to develop some hypothetical scenarios on what strategies could be pursued or objectives achieved with a different risk appetite.


Looking at KRI tolerances of green, amber, and red, would you not also consider a fourth being significantly below green/amber tolerance, indicating that the organisation is not taking enough risk?

While we didn’t cover it in this session, we do cover this in our Academy course on risk appetite. We make it the ‘blue zone’, though the colour is arbitrary. An example might be staff turnover: close to 0% turnover might sound awesome, but you aren’t getting new talent, and maybe it indicates you are spending too much on retention initiatives that aren’t commensurate with the benefit.


Do you have advice in how to manage directors who believe that inherent risk isn't real?

The debate on whether inherent risk is a useful concept or not isn’t new. We recommend it to enable assessment of the effect of controls. If only residual risk (or current risk) is recognised, you need to ensure there is an effective approach to controls assurance. For a risk appetite statement, this should simply cover what is the level of risk the organisation is willing to take, as set by the board. Inherent and residual risk are then assessed by the organisation.


When organisations/directors have vague or poorly articulated objectives, does this hang up the risk appetite session?

Yes it does! Given risk is “the effect of uncertainty on objectives” it is fundamental to get clearly articulated and measurable objectives to provide that reference point. However, the setting of risk appetite often forces organisations to become much clearer on their objectives. We’ve run sessions with boards where the first session ends up just being about agreeing on objectives – and they are very thankful for the clarity.


What is your view on whether risk appetite should be made publicly available?

We definitely want the risk appetite to be made “public” internally amongst our employees; otherwise it will not provide the clarity on boundaries required to influence decisions and behaviour.

The question of making the document externally “public” is tricky. On one hand we want to be transparent and open and communicate our appetite for risk; on the other we need to be careful of the following two key issues:

  • The board-level risk appetite will contain commercially sensitive information, as it speaks directly to our strategy and future intentions. This has to be protected like any other sensitive data.
  • The risk appetite may be accidentally or deliberately misinterpreted by external parties, including the media. For example, if we say we have a “low” appetite for health and safety risks, that reflects our desire to reduce these risks to as low as reasonably practical, or so far as is reasonably practical; it may instead be read as saying that we have an appetite for staff being injured! Readers of the statement therefore need sufficient knowledge to understand it.

We would suggest that extracts of the appetite be made publicly available, which ensures that the above issues have been addressed prior to publishing. This might include qualitative expressions of risk appetite, but would not include the specific metrics or thresholds.


Would it be possible to expand on the KPI and KRI on the 'Methodology for Risk Appetite'? The quantitative part was not too clear. What's the best way to accurately set the thresholds?

Sure, let’s take a look at the slide you’ve referenced:

[Slide: ‘Methodology for Risk Appetite’ example, showing objectives with KPIs and thresholds on the left and KRIs on the right]

In this example, the objectives on the left include KPIs. These are the targets that would be set against your objectives. The thresholds represent the variance around this target that you will accept, and the point at which performance is unacceptable and requires further action. The best way to set these thresholds is through discussion and deliberation – what would the board expect to prompt additional resources or action outside of existing business plans? In this example, NPS below 50 indicates a poor outcome.

KRIs are leading indicators of future performance. In this example, poor results on cyber-related penetration tests don’t undermine performance by themselves, but they indicate a threshold at which the risk of a cyber event is more than the board is willing to accept, and which requires specific action and resources to address.


When the appetite for each key risk is different, does the board need to have a risk appetite statement for each of the key risks?

The principle that each key risk may well have a different risk appetite is correct. As to how to achieve this, we suggest that you use a single risk appetite statement that includes articulated appetites for all of the key risks the organisation faces. Each of those key risks may have different levels of appetite, articulated either qualitatively or quantitatively.


Do government agencies have much choice in setting the level of risk appetite, given that they are responsible for taxpayers’ funds and are not in the research or competitive markets?

This may depend on broader government policies, on how the agency is governed and on its mandate. While agencies may tend to be more risk averse than private enterprise, it is always contextual.

Given that tendency, what we have found when dealing with some of our government agency clients is that the internal risk appetite statement is too conservative: the boundary can be set wider, allowing greater freedom, while still remaining within regulatory guidelines and guidance.


Is it acceptable to go outside risk appetite boundaries with approval in the short term with additional controls and superior profit/benefit?

Yes, we call this formal risk acceptance, which usually requires justification and sign-off, with a timeline of when it needs to be reviewed and brought back into appetite. An example might be accepting some level of cyber exposure outside of thresholds due to a legacy system that is currently scheduled for replacement in six months, when accelerating replacement is not commercially practical.


An incident within a certain area might be severe, but how do you judge if it brings the whole area outside the risk appetite?

This raises the question of how the risk appetite is applied or cascaded into different areas of the organisation. The board-level risk appetite statement might include certain thresholds for what is considered a material incident (a lagging indicator) at the board or whole-of-organisation level. If the risk appetite is clear and supported by relevant metrics, you should be able to assess the incident. Those metrics might also include composite metrics, such as the aggregate number of incidents, or the aggregate size of incidents, that occur in lower levels of the organisation. So the incident might not trigger thresholds by itself, but might do so in the aggregate.
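To show how the mechanics described here and in the earlier answers fit together (a two-sided tolerance band with amber and red thresholds, the ‘blue zone’ for taking too little risk, and a composite metric that breaches in aggregate when no single incident does), here is an added worked example in Python. It is not from the webinar or from Protecht; the metric names, targets, thresholds and incident losses are all constructed for illustration and are not values the page states.

```python
"""Evaluate risk metrics against board-set appetite thresholds.

Added illustration, not Protecht's code. All targets, thresholds and
incident figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordering used to roll several metrics up to a single "worst zone".
ZONE_RANK = {"green": 0, "blue": 1, "amber": 2, "red": 3}


@dataclass(frozen=True)
class MetricThresholds:
    """Appetite thresholds for one metric.

    amber: first threshold crossed in the bad direction (attention needed)
    red:   beyond this the metric is outside appetite (action required)
    blue:  optional boundary in the *good* direction; beyond it the
           organisation is arguably taking too little risk
    higher_is_better: True for a KPI such as NPS, False for e.g. turnover
    """
    name: str
    higher_is_better: bool
    amber: float
    red: float
    blue: Optional[float] = None


def zone(m: MetricThresholds, value: float) -> str:
    """Classify one observation into red / amber / green / blue."""
    if m.higher_is_better:
        if value < m.red:
            return "red"
        if value < m.amber:
            return "amber"
        if m.blue is not None and value > m.blue:
            return "blue"
        return "green"
    # lower is better: thresholds are crossed upwards
    if value > m.red:
        return "red"
    if value > m.amber:
        return "amber"
    if m.blue is not None and value < m.blue:
        return "blue"
    return "green"


@dataclass(frozen=True)
class Incident:
    area: str
    loss: float  # constructed monetary impact of the incident


def assess_incidents(incidents: List[Incident],
                     single: MetricThresholds,
                     aggregate: MetricThresholds) -> Dict[str, str]:
    """Apply a single-incident threshold and a composite (aggregate) one.

    The composite metric is what lets a run of individually tolerable
    incidents push an area outside appetite.
    """
    largest = max((i.loss for i in incidents), default=0.0)
    total = sum(i.loss for i in incidents)
    return {
        "largest_single_incident": zone(single, largest),
        "aggregate_loss": zone(aggregate, total),
    }


def worst_zone(zones: Dict[str, str]) -> str:
    """Roll a set of metric zones up to the most severe one."""
    return max(zones.values(), key=lambda z: ZONE_RANK[z])


# --- constructed sample thresholds ---------------------------------------
# KPI: Net Promoter Score, target 60; red below 50, amber below 55.
NPS = MetricThresholds("NPS", higher_is_better=True, amber=55, red=50)

# KRI: annual staff turnover (%), lower is better, with a blue zone below 3%
# signalling possible over-spend on retention.
TURNOVER = MetricThresholds("Staff turnover %", higher_is_better=False,
                            amber=15, red=20, blue=3)

# Operational loss thresholds: any single incident, and the quarterly total.
SINGLE_LOSS = MetricThresholds("Single incident loss", higher_is_better=False,
                               amber=400_000, red=500_000)
AGGREGATE_LOSS = MetricThresholds("Quarterly aggregate loss",
                                  higher_is_better=False,
                                  amber=700_000, red=800_000)

# Constructed quarter of incidents: none breaches the single-incident red
# threshold, but together they exceed the aggregate red threshold.
SAMPLE_INCIDENTS = [
    Incident("Payments", 120_000),
    Incident("Payments", 300_000),
    Incident("Customer onboarding", 450_000),
]


def sample_report() -> Dict[str, str]:
    """Zones for the constructed sample, plus the rolled-up worst zone."""
    zones = {
        "NPS": zone(NPS, 53),
        "Staff turnover %": zone(TURNOVER, 2),
    }
    zones.update(assess_incidents(SAMPLE_INCIDENTS, SINGLE_LOSS, AGGREGATE_LOSS))
    zones["overall"] = worst_zone({k: v for k, v in zones.items()})
    return zones


if __name__ == "__main__":
    for metric, z in sample_report().items():
        print(f"{metric:28s} {z}")
```

The comparisons are strict in the bad direction (NPS of exactly 50 is amber, not red), matching the slide's wording that NPS *below* 50 is a poor outcome; adjust to `<=` if your appetite statement defines the boundary inclusively. The aggregate metric is the point of the example: the largest single incident only reaches amber, yet the quarter as a whole is red.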

In some sectors, particularly financial services, regulators are acknowledging that incidents inevitably occur, and require the setting of impact tolerances or tolerance levels for disruption to critical operations, with the expectation that those operations must be recovered within those tolerances. In some jurisdictions these are expected to be linked to the risk appetite.


What practical techniques can we use to embed the risk appetite statement to lower levels of the organisation?

We find risk metrics with defined thresholds are the easiest way to bring it to life. These can be the board-level metrics applied across the organisation or cascaded down as applicable. We cover practical applications in our Risk Metrics and KRI Protecht Academy course. Other practical ways include policies and procedures, limits, delegations of authority, codes of conduct, minimum control standards, values and commitments, and so on.


Can you explain the differences between KPIs and KRIs?

Sure, let’s consider some scenarios, on the basis that KPIs are lagging (the ultimate effect on objectives) and KRIs are ideally leading. Let’s cover four basic scenarios, using green to mean within acceptable performance/risk tolerance, and red to mean poor performance/outside of risk tolerance.

  • KPIs Green and KRIs Green – This looks like a good outcome, but we sometimes call this the ‘Kermit report’. If everything is green, we should verify that everything is being reported accurately. If everything is accurate, perhaps our KPIs are not ambitious enough and we should take even more risk to get more reward.
  • KPIs Green and KRIs Red – This is an indicator that performance is only being achieved by taking excessive amounts of risk. Performance might look good, but the related risks might result in poor KPIs in future. This should prompt action to minimise the risks, even if there is some impact on performance. It might also be an indicator of culture issues, where people are incentivised to perform while ignoring risk. This can lead to a ‘boom/bust’ cycle.
  • KPIs Red and KRIs Green – This may be an indicator of being too risk averse. If all of the KRIs are green, there is available risk appetite (freedom to take risks) to shift some of those KPIs. Additional risk needs to be commensurate with the reward, but you should consider moving some of those KRIs closer to their threshold while improving performance.
  • KPIs Red and KRIs Red – Hopefully you don’t end up here, but this may be the result of poorly chosen strategy, a swiftly changing external environment that undermines the strategy, or inappropriate setting of risk appetite. It might be an indicator that performance objectives were unrealistic, requiring risk taking outside of appetite in order to get anywhere close. This version likely warrants significant action by board and management.


We have an overall risk appetite statement but I don't feel that we have operationalised this. Would it be better to build from what we have or start from the beginning?

It sounds like you have the right starting point to build from. If your existing risk appetite statement has qualitative statements, the next step to operationalise may be to consider the metrics or indicators to support it. You may need to consider a communication and awareness campaign to assess stakeholders’ existing knowledge and understanding of risk appetite and how it applies to them, and provide training if required.


Can you explain the difference between risk appetite metrics and risk indicators?

We use the term ‘risk metrics’ to cover Key Risk Indicators, Key Performance Indicators, and Key Control Indicators, which covers indicators across the lifecycle of risk. Some of our customers don’t differentiate and simply call all of those Key Risk Indicators.

Risk appetite metrics are simply those that are applied at the risk appetite level. Risk metrics may also be applied in other areas of the organisation, such as departments or divisions identifying metrics in risk and control self-assessments (RCSAs) relevant to their area that do not form part of regular board reporting.


How do you define risk appetite for regulation that works on a principles-based approach, where the regulation is open to interpretation?

We see regulation as a reflection and articulation of society’s risk appetite. Where those regulations are principles-based, it follows that society’s risk appetite is being articulated on a principles basis. This is fine, but your organisation then needs to interpret the principles and reflect them in your internal risk appetite statement. You need to set an internal risk appetite at a level where you believe you have followed the principles of the regulation.


Who should take responsibility for the board education session?

We are biased in answering here, as at Protecht we conduct a lot of these board sessions. For us, the benefits we bring are:

  • Years of experience in delivering these sessions and dealing with all different types of boards and board members.
  • We are external, which can be seen as a positive: we are independent when discussing any sensitive matters and dealing with board personalities, etc.

If you wish to conduct this internally, it should be conducted by the Chief Risk Officer. The CRO has the right level of seniority and should possess the right skills to make this work, while also being sufficiently independent.


How can one have sight of management's appetite before venturing into an investment? Is it possible to factor the risk appetite on our risk registers?

Ideally the risk appetite should already be set, which helps define the types of investments and associated levels of risk the organisation can pursue. Remember that management’s risk appetite should be a reflection of the board-defined risk appetite (or the relevant governing body).


Conclusions and next steps

If you missed this webinar live, Protecht’s Chief Research & Content Officer David Tattam and Research & Content Lead Michael Howell took a practical approach to how you can best get your board on board with setting and operationalising your organisation’s risk appetite. You can view it on demand here:

Watch on demand

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.