Risk appetite is a fundamental pillar of any enterprise risk management framework, empowering decision makers with the freedom to operate within boundaries. However, organisations often struggle to operationalise risk appetite effectively.
Our Risk Metrics in Action webinar in June 2023 set out how you can effectively link your key risk indicators (KRIs) and other risk metrics back to your risk appetite statement (RAS). In this blog, we'll discuss the audience polls and the questions asked at the webinar.
Results for our surveys were quite consistent across regions, so the data has been presented together.
A decent portion of attendees had a board-level risk appetite statement. For those that don't, we expect there are 'unwritten rules' being applied instead, which can result in risks being taken inconsistently across the organisation.
A good two thirds sit in the middle – somewhat operationalised, but not to all areas of the organisation. We find that the use of risk metrics, appropriately cascaded down into the organisation, is an effective way to operationalise risk appetite.
Almost half use some element of the “Can I” test, or use it some of the time. While it is a qualitative test, it is a simple question that allows for a high-level assessment of whether a risk should be taken. Great job to the 17% who use it consistently!
While the majority have a split of ownership, we would suggest the lion’s share should be the business. Second-line risk teams may provide the frameworks to ensure there is a consistent process for their data capture, and provide challenge and advice to the business, but ownership for addressing metrics outside of tolerance should sit with the business – they are the ones taking the risks after all! Risk teams may also act as a line for accountability and assurance over risk processes, which may explain the high proportion of the split answer.
Q1: How does risk appetite relate to the overall risk rating (likelihood x consequence) and the risk matrix?
Great question. Let’s start with the risk matrix. When used in isolation, the risk matrix is a ‘sizing’ tool. It lets you compare risks against each other – but that is not the same as comparing them against risk appetite.
Consider two risks, the first with an appetite defined as low, while a second is defined as high. If the two risks have the same overall rating of ‘moderate’, the first is outside of appetite and requires attention, while the second is within appetite and does not (and maybe you can take more risk).
One approach to using risk appetite with the risk matrix is to remove the colours from your risk matrix, and plot each risk as a bubble on the matrix, colour coded based on its comparison against appetite. This shows you the relative size of the risks, while using colour to identify whether action is required or not.
Q2: How do you cascade information to the board where we don’t have data, but it is mainly qualitative?
We will assume the intention is to align with classifications we outlined in the webinar of ‘within appetite, no attention required’, ‘within appetite, raised attention’, and ‘action required’.
Firstly, for each risk you can define three qualitative criteria, one per classification, describing the conditions under which you would expect that level of attention to be required, and have those criteria agreed with the board. Of course this will be subjective, but it may be a workable interim approach if you don’t have data.
It might be worth pointing out that:
- When specific metrics are defined, there is still subjectivity in what we choose to measure, how we measure it, and how we report it
- Qualitative measures, if they are discussed and there is agreement, might be better than metrics that are poorly chosen and measured
Protecht’s KRI module includes both quantitative and qualitative approaches.
Q3: Where does the Three Lines of Defence model fit in here?
The 3 Lines or 3 Lines of Defence model fits into the lifecycle of risk appetite and risk metrics in a few ways:
- The second line provides challenge and advice to the first line on setting and cascading risk appetite
- The second line provides advice and challenge on setting risk metrics, and how they are measured. For example, in a second line role, I found myself challenging existing metrics and suggesting alternative metrics (or ways to measure them) that were more likely to tell the first line what they actually wanted to know and aligned with the risks they did and didn’t want to take
- The second line verifies that the risk metrics process to support risk appetite, and the reporting against risk appetite, are designed and operating effectively
- The third line supports the above, by assessing whether the first and second line are implementing and integrating these processes, in order to provide reasonable assurance that the organisation will achieve its objectives
Q4: How would you record and demonstrate risks outside of risk appetite thresholds in the executive summary?
One key step is to find out how the audience wants it reported – what presentation do they prefer to ensure they get the information they need to support decision making?
More generically, the executive summary should outline the critical issues that the readers need to be aware of to help inform decision making. How the summary is constructed will always be contextual, but you might consider:
- Naming the specific risks and/or thresholds that are outside tolerance; if there are several, it may make more sense to provide a count of the issues and an overall theme if they can be grouped
- Whether there are actions already in progress to address the risks outside of appetite or beyond thresholds
- The implications while the risk remains outside of tolerance, and more specifically how organisational objectives might be impacted (i.e. why this matters)
Q5: Should ‘risk appetite’ level be the same as ‘target risk’?
Interesting question! Not all frameworks use the term ‘target risk’. It can be read as equivalent to risk appetite – the target level of risk you would like to be at or below, above which specific attention is required.
While we have seen it used separately – such as where there is proposed activity that will lower a risk to a target level below the risk appetite – we don’t think it provides meaningful difference. You might use it as alternative language if you are introducing the concept of risk appetite.
Q6: What are some strategies that we can use to embed risk appetite at an operational level?
Operationalising the risk appetite can be achieved using a range of artifacts. These include:
- Values and commitments
- Code of conduct
- Minimum control standards
- Delegations of authorities
- Risk metrics
The use of metrics is a primary way to operationalise it, particularly if they can be aligned to a risk metric at the organisational level. If they do not cascade down directly, individual business units might identify how they contribute towards that metric, and define thresholds for their specific contribution. We recommend this is done with a collaborative approach to reduce potential overlap.
Q7: How can we justify the time taken by first line staff to carry out detailed risk analysis process diagrams?
I’ll assume this is in reference to risk bow ties.
My suggestion is to focus on the additional information that a bow tie gives the first line that improves their ability to manage the risk and make informed decisions. You might be able to take data that already exists about a risk, and infer how a bow tie would be built – or perhaps result in discussion on rewording of risks, causes or controls to improve consistency.
You might not bow tie everything, but if you can show that the extra time invested creates more value, they might be more willing to invest the time.
Q8: Have you seen any good examples of reporting that includes risk areas that are below risk appetite?
There are some options that we have seen work in practice. Here are a few:
- You can include a lower threshold, such as a ‘blue’ zone that highlights that too little risk might be taken. Not all risks may have a ‘blue’ zone.
- Having a green zone in the ‘middle’ rather than one end, with amber on either side, followed by red. We rarely see this in practice, because it becomes difficult to collect data or display these risks in a consistent way
- Setting the same metric threshold twice using the common Red-Amber-Green levels, but set in different directions – one scale flagging too much risk and the other flagging too little.
Q9: What's the best way to do the communication and consultation part effectively?
We will assume this is step 1 of the ISO 31000 process on risk management.
One of the most important parts of communication and consultation is to ensure you get the stakeholders views of the level of risk they are willing to take, or for the organisation to take, in order to inform risk appetite. The best way to achieve this depends on the stakeholder. For example:
- For some stakeholders, their input is implied; for example, bank depositors would expect a very low risk appetite and a commensurately low return
- Employees would expect a low appetite for wellbeing and safety risks, and a low appetite regarding their financial wellbeing (consistent pay and benefits)
- Other stakeholders are typically more specific, such as regulators, who are very clear about what they expect (compliance obligations)
- Some stakeholders need direct communication, such as shareholders, particularly the vocal ones who would typically speak at annual general meetings
Q10: How would you position RAS with the board and executive when they want to set a medium appetite, but want all the risks to be low?
Firstly, understand your audience! The first step is to challenge them on why they want all the risks to be low (and be clear what that means to them). Then re-iterate the purpose of setting risk appetite – to define the boundaries within which the Executive can take action and make decisions in pursuit of objectives. Ask them: can we achieve those objectives if we only take this little amount of risk? If we took more risk in some of these areas, how much harder could we push?
In some circumstances it may be very cost effective to implement treatments or controls which would reduce the risk to well below the defined appetite. However, this becomes a return-on-investment decision, rather than a concerted effort to drive down the level of risk.
Q11: Where does establishing risk tolerance fit into the whole process?
We define risk tolerance as the maximum level of risk we are prepared to take which can be articulated in a measurable metric. This is usually established after a qualitative risk appetite is set, as the qualitative statements can be difficult to operationalise.
Q12: What is the most effective quantitative way of consolidating varying tolerances and assessing against risk appetite?
Unless you are measuring in the same units, it isn’t possible to do a ‘mathematically correct’ consolidation. Often this ends up being semi-quantitative – converting measurable metrics into a score based on their thresholds, and then aggregated. This might include some scoring mechanism, or might simply report the total number or percentage of board level metrics that are outside of tolerance.
To clarify: you can use risk quantification methods to aggregate risks that are measured in the same units, which is different from aggregating multiple tolerance thresholds.
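The threshold logic described in Q8 (the same RAG scale set in either direction, plus an optional ‘blue’ zone for too little risk) and the semi-quantitative consolidation in Q12 (converting each metric to a status or score and reporting the count and percentage outside tolerance) are easy to get subtly wrong when metrics run in opposite directions. The following is an added example, not code from the webinar or from Protecht’s products; the sample board-level metrics, the thresholds, the status-to-score mapping and the ‘appetite ceiling’ used for the Q1 rating comparison are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Classification labels from the webinar (Q2), plus the optional 'blue' zone from Q8.
WITHIN = "within appetite, no attention required"
RAISED = "within appetite, raised attention"
ACTION = "action required"
BLUE = "too little risk taken"

# Assumed semi-quantitative scoring for consolidation (Q12): not from the page.
SCORE = {WITHIN: 0, RAISED: 1, ACTION: 2, BLUE: 1}


@dataclass(frozen=True)
class Threshold:
    """Tolerance thresholds for one metric.

    higher_is_worse=True : value >= amber is raised attention, >= red is action required.
    higher_is_worse=False: the same scale set in the other direction (value <= amber / <= red).
    blue                 : optional bound on the 'safe' side; beyond it too little risk is taken.
    """
    amber: float
    red: float
    higher_is_worse: bool = True
    blue: Optional[float] = None


def classify(value: float, t: Threshold) -> str:
    """Compare one metric reading against its thresholds, honouring direction."""
    # Normalise so that 'worse' is always larger by flipping the sign for lower-is-worse metrics.
    sign = 1 if t.higher_is_worse else -1
    v, amber, red = sign * value, sign * t.amber, sign * t.red
    if t.blue is not None and v < sign * t.blue:
        return BLUE
    if v >= red:
        return ACTION
    if v >= amber:
        return RAISED
    return WITHIN


def rating_status(likelihood: int, consequence: int, appetite_ceiling: int) -> str:
    """Q1: overall rating (likelihood x consequence) compared with appetite.

    Assumption: appetite is expressed as a maximum tolerated rating score on the
    same scale; ratings within 75% of the ceiling get raised attention.
    """
    rating = likelihood * consequence
    if rating > appetite_ceiling:
        return ACTION
    if rating >= 0.75 * appetite_ceiling:
        return RAISED
    return WITHIN


def consolidate(readings: dict[str, tuple[float, Threshold]]) -> dict:
    """Q12: consolidate mixed-unit metrics via their statuses rather than their raw values."""
    statuses = {name: classify(value, t) for name, (value, t) in readings.items()}
    outside = [n for n, s in statuses.items() if s == ACTION]
    below = [n for n, s in statuses.items() if s == BLUE]
    return {
        "statuses": statuses,
        "outside_tolerance": outside,
        "below_appetite": below,
        "count_outside": len(outside),
        "pct_outside": round(100 * len(outside) / len(statuses), 1),
        "aggregate_score": sum(SCORE[s] for s in statuses.values()),
        "max_score": 2 * len(statuses),
    }


# Constructed sample readings for hypothetical board-level metrics (not from the page).
SAMPLE = {
    "Critical vulnerabilities open > 30 days (count)": (12, Threshold(amber=5, red=10)),
    "Phishing simulation click rate (%)": (6.5, Threshold(amber=5, red=8)),
    "Control testing completed on schedule (%)": (94, Threshold(amber=90, red=80, higher_is_worse=False)),
    "Revenue from products < 2 years old (%)": (4, Threshold(amber=30, red=40, blue=10)),
    "Cash runway (days)": (70, Threshold(amber=90, red=60, higher_is_worse=False, blue=365)),
}

if __name__ == "__main__":
    report = consolidate(SAMPLE)
    for name, status in report["statuses"].items():
        print(f"{status:40s} {name}")
    print(f"{report['count_outside']} of {len(SAMPLE)} metrics outside tolerance "
          f"({report['pct_outside']}%), aggregate score {report['aggregate_score']}/{report['max_score']}")
    # Q1 illustration: the same 'moderate' rating against a low and a high appetite.
    print("rating 3x3 vs low appetite (ceiling 4): ", rating_status(3, 3, 4))
    print("rating 3x3 vs high appetite (ceiling 16):", rating_status(3, 3, 16))
```

The sign-flip in `classify` is the point of the example: one comparison path serves both directions, so a metric such as cash runway (where lower is worse) and a metric such as open critical vulnerabilities (where higher is worse) are reported consistently, and the ‘blue’ zone can sit on either side. Metrics that are ‘too low’ are reported separately from those outside tolerance, as Q8 suggests, rather than being folded into the same count.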
Q13: Are you able to share an example of a good quantitative risk appetite statement, differentiating it from a key risk indicator?
We anticipate that for many, a risk appetite metric is synonymous with a board-level key risk indicator. Key risk indicators are usually a proxy for a component of a risk, and rarely encompass the whole risk itself.
There is a level of interpretation for this question, but without additional context I would suggest that ‘good quantitative risk appetite statement’ is equivalent to setting a risk tolerance curve for the overall level of risk. This is more often applied to the financial impacts of risks, and more difficult to apply to other risk types unless you apply some form of equivalencies.
It can be applied to measuring financial risks in financial services, which might be measured using Value-at-Risk (the loss that is not expected to be exceeded at a given confidence level over a defined horizon). In practice this is often converted into a key risk indicator with a defined risk tolerance threshold, e.g. Value-at-Risk at a defined confidence level should not exceed a defined threshold.
Q14: Should risk appetite always be linked to your business plan?
In short, yes. Risk appetite is the amount of risk we are willing to take in pursuit of our objectives, and the business plan is how we operationalise achievement of those objectives. The business plan should be developed with both the objectives and the risk appetite in mind.
Q15: Should we adjust the business plan to our risk appetite and tolerance, or the other way around?
The chicken and egg question. Ideally this is dynamic and integrated. Too often we hear of risk teams or executives being handed a business plan that has already been approved, after which the risks have to be assessed and managed after the fact – even if they are outside of appetite.
A more integrated approach would be for risk to be considered at the time the plan is developed, and then revised. The plan might not be viable based on the risks that pursuing the plan would create, or perhaps allowing the organisation to take on a different set of risks would open up completely new opportunities and development of a completely different business plan.
As a result, the development of risk appetite should go hand-in-hand with development of strategy and business plans.
Next steps: watch our risk metrics webinar
Risk appetite is a fundamental pillar of any enterprise risk management framework, empowering decision makers with the freedom to operate within boundaries. However, organisations often struggle to operationalise risk appetite effectively. Meaningful guidance and tools are required that allow it to be used in decision making and to influence behaviour and culture.
Join us in this engaging and practical webinar as we delve into the application of risk appetite in real world scenarios, bridging the gap between a static risk appetite statement (RAS) and dynamic tangible action. How can you effectively link your KRIs (key risk indicators) and other risk metrics back to your RAS?