For every organization, the integration of risk appetite and strategy is crucial. When risk appetite is considered separately from strategy, the outcome can be misaligned risk appetite, misaligned risk management and missed opportunities.
In Protecht’s recent From risk appetite to objectives appetite webinar, we went through a practical approach on aligning your risk appetite and strategy, by ensuring your decision making always references your risk appetite.
We had great engagement as well as positive feedback from our attendees. We had a bunch of great questions, which we’ve answered below. Where appropriate they have been categorized or combined when they were on similar topics.
If you missed the webinar live, then you can view it on demand here:
Questions
For this webinar we've divided the audience questions up into macro-level topics. Follow the links below to review the questions on each topic:
Differences between risk appetite zones and risk matrix zones
Risk capacity
Strategic vs operational objectives
Risk measurement
Risk appetite and tolerance
Risk appetite and culture
Governance
Risk appetite and artificial intelligence
The rest
Differences between risk appetite zones and risk matrix zones
How do you get clients to not confuse risk appetite zones with risk matrix zones – particularly for aspects like innovation where the appetite may be high or WHS where the appetite is zero and neither would map to these locations on the risk matrix?
Is there a case for using 'target risk levels' (relative to 'residual/current risk levels') as an alternative to or a part of appetite and thresholds?
Could you please clarify further how the output from a consequence/likelihood matrix (risk rating) is considered when developing and analyzing risk appetite?
Separating risk appetite zones from a risk matrix (and more particularly, the common color coding of a risk matrix) is important. Breaking it down into simple steps can explain the difference:
- Define the risk appetite for a risk or category of risk
- For each risk, assess the level of risk (usually expressed qualitatively in a risk matrix with an associated color)
- For each risk, compare the level of risk to the risk appetite to assess whether it is within appetite.
This qualitative approach highlights that you can have two different types of risks with the same level of risk, but one can be inside risk appetite and one beyond it.
In an organization that did not have a formal risk appetite statement, I adopted a ‘target level’ that varied by risk type. This was essentially used as a proxy for risk appetite.
Another approach is to remove color from the matrix itself, and plot risks on the matrix with a bubble colored based on its proximity to appetite, such as below:
Risk capacity
How do you measure risk capacity and for what area (whole organization, operational area, objective, project)?
Risk capacity typically refers to the maximum amount of risk an organization can afford to take while remaining viable. Put more practically, it might mean you’ve taken on a significant amount of risk that will almost inevitably result in demise or severe financial distress, even if it is not immediate.
It is more commonly applied in the financial sector and is applied at the organization level. It is usually a measure of the overall financial position of the organization, measured in financial metrics. It is not typically applied at a lower level.
Strategic vs operational objectives
Should all organizations have strategic objectives? Can an organization only be run with operational objectives?
We would expect most organizations to have strategic initiatives – projects that are designed to change the organization and its operating model. However, it is possible that an organization that has an operating model that is already aligned to achieving its mission or vision may have steady operational objectives that do not differ.
Do operational objectives go in a strategic or operational plan? How do you present the difference of strategic vs operational objectives to business and executive team that doesn’t define any strategy/plan or real objectives?
This may depend on how the organization documents its business plans. Strategic and operational objectives may be in the same document, which is what we would recommend.
During our engagements with customers, particularly when assisting them develop or review their risk appetite, sometimes it becomes obvious that objectives are not well defined – or perhaps they’ve defined operational objectives as strategic objectives. This is a great opportunity to engage the executive team in explaining the difference and articulating the link between achievement of objectives and risk appetite. The simplest way we’ve found to explain the difference is that strategic objectives change the organization, and operational objectives are about running the organization. The former changes the operating model, the latter are delivered by the current operating model.
If we don't have good strategic and operational objectives, how do we keep moving forward with risk while our executive catches up?
I assume by ‘good’ you mean well defined or articulated. I’d position yourself to demonstrate the value that can be achieved by clearly articulating and agreeing upon the objectives, and that this improves the ability to both achieve them and effectively manage the risks related to achieving them.
You can keep moving forward with risk management activities – objectives will exist even if they aren’t well documented. People might not agree on exactly what they are, but you should weave discussion about objectives into existing risk activities. It might help them catch up!
Do you think that operational objectives follow strategic objectives?
Usually there is a flow on effect, as the delivery of strategic objectives may change the operational objectives. Even when they don’t change the operational objectives themselves, it might change the way they are measured or redefine what are acceptable measures of success.
Can I treat company scorecards as the short objectives for a particular fiscal year?
The coy answer is ‘it depends’. Depending on what is articulated in the scorecard, you might be able to extract the objectives. If the scorecard is primarily metrics, you need to ensure you understand what the metric represents. Typically, a metric is just one measure of an objective. The scorecard may not include measurables for every objective. You could use this as a starting point, but I would recommend that you leverage it in discussions with those who are responsible for developing and meeting the objectives to ensure that they are not only captured appropriately, but you also get buy-in for related activities.
Risk measurement
Have you seen anyone using a quantitative risk appetite statement, rather than using a qualitative risk appetite statement and then defining KPIs and KRIs?
We think that the qualitative and quantitative (which I will assume means metrics with thresholds in this context) go hand in hand. Financial stability is likely to be an objective, which might have a number of associated metrics related to financial exposures and financial ratios. We would expect the qualitative description to help describe and define the boundaries, such as the types of financial risks the organization is willing to take, and the overall level of risk it is willing to accept. While subjective, this qualitative expression can help inform decisions that might impact the objective but might not have strong coverage by existing metrics.
Roughly what proportion of your clients are using KPIs in addition to KRIs at the RAS level?
We don’t have this information at hand as all customers apply this differently, but here is an anecdotal answer. For customers where we help develop or review their risk appetite statements, we recommend adopting objectives with KPI’s. Not all of them do as part of their risk appetite statement, as their stakeholders may not be ready to make the change.
However, we do expect that the majority are still measuring KPI’s against objectives in some fashion, and many of them will also be setting targets and tolerances. They just don’t integrate it into risk management and may look at risk and reward separately.
Do the risk appetite and tolerance change based on the rating of the risks identified and updated?
Typically, no. One of the objectives of setting risk appetite and tolerances is to identify risks that exceed it so that appropriate action can be taken – the typical risk responses such as risk avoidance (stop the activity giving rise to risk), implementing controls to reduce the likelihood and impact, and so on.
However, there are some circumstances where, after review, the risk appetite should be changed. This can include when the external environment is changing such that the only way to reliably achieve objectives is to take more risk, and the alternative (such as avoiding an activity altogether) is not acceptable. Once going beyond a threshold, it may also be identified that the effect of being at that level of risk is not what was expected. This formal changing of risk appetite should be very deliberate – not because you can’t (or someone doesn’t want to!) bring the level of risk down.
My lived example was where staff turnover metrics were tracked and beyond tolerance for a number of months in a row. This prompted a review, and it was identified that the turnover rates were not uncommon for the sector, and thresholds were changed.
What is the link between KRI and the risk matrix?
In truth, very little. The risk matrix is a qualitative expression of the level of risk, usually based on a combination of likelihood and impact (though in truth it is a range of likelihoods and impacts). For the sake of example, you might assess ‘loss of control of vehicle’ as a ‘Low’ risk.
A risk metric is something that can be specifically measured and is usually just one component of a risk. One risk might have multiple risk metrics. For our loss of control of vehicle example, you might have an indicator for rainfall, and another that measures the frequency of vehicle servicing. Risk metrics typically give you more frequent information, sometimes in real time, on how the risk is changing.
What might look like a common element is color coding, but this is just a convenience. You could choose not to color code either your risk matrix or your thresholds. The ‘traffic light’ approach provides a quick way for people to interpret results (admittedly a problem when applied to the risk matrix as this only tell you the relative size of the risk, not whether it is within appetite).
The qualitative risk appetite is sometimes challenging, i.e. low, medium, etc. Is there a way to express it in a more quantitative/measurable way?
We strongly recommend that qualitative risk appetite is supported by risk metrics that provide more objective measures of your objective and key risks. Some risks, particularly those that can be expressed in financial terms, can be expressed as probability distributions, which can then be used to set specific metrics or boundaries, such as an acceptable chance of loss, the likelihood of loss exceeding a certain value, or for objectives the likelihood that an objective will be achieved.
How can you measure when you’ve crossed the risk appetite boundaries when some risks are subjective not numeric?
If there are no metrics or measures, try to specify the assessments you would apply. Describe what the boundary looks like. Ideally this will be in discussion with the key stakeholders to come to an agreement for those descriptions.
Preferably you have metrics that support an objective or risk, but if those metrics are only looking at components of the risk, it can still be useful to consider the risk subjectively as well.
So risk appetite cannot be the same for all objectives?
It can be, but the purpose of risk appetite is to help inform decisions, particularly choosing between alternatives which have different effects on your risk profile. If you are falling short of both your revenue growth goals and your employee engagement goals, which one are you willing to let slip if you don’t have resources to address both?
Does zero appetite mean I will not take any risks?
Is it meaningful to have Key Risk Indicators that have a limit set at 0?
Zero risk appetite should mean that you are not willing to take the risk at all. i.e. You won’t pursue the objectives and conduct the related activities that give rises to the risk.
The distinction usually applies to compliance. It makes sense that organizations have zero tolerance for intentionally not complying. However, we must accept that there is a possibility that breaches will occur. When setting risk appetite for compliance risks, we typically consider that the risk appetite is low, but describe qualitatively that intentional breaches are not acceptable, and that all breaches will be investigated. This is the purpose of having a Key Risk Indicator that immediately triggers action if it is anything other than 0.
Colloquially, should it be ‘amber’ instead of ‘yellow’ zone titles?
There are regional differences. The ‘traffic light’ pattern is common, but you could also choose aqua, turquoise, and teal if everyone agrees, or have more zones if they trigger different levels of action and escalation.
Risk appetite and tolerance
Are you saying that the concepts of risk appetite and risk tolerance are the same? (With the former being measured qualitatively and the latter quantitatively). Everything else I have read seems to say that tolerance is a subset of appetite.
Are tolerances a must have when setting appetite?
Do you think it is important to spend effort on appetite and tolerance differences?
Many of the definitions out there don’t always make the distinction clear enough (and sometimes contradict each other) to make it practical. Here are our definitions:
- Risk appetite - the degree of risk that the organization is prepared to accept in pursuit of its strategic objectives and business plans expressed in qualitative terms
- Risk tolerance - the degree of risk that the organization is prepared to accept in pursuit of its strategic objectives and business plans, expressed in quantitative terms
Risk appetite may provide more qualitative boundaries, such as restrictions on geographies, types of products, customer segments, whether it will allow outsourcing of certain functions, and so on, as well as an overall level of acceptable risk for each objective or risk.
Risk tolerance may not be specifically required (unless you are regulated to do so), but we would recommend identifying metrics and setting tolerances so that there is pre-agreement when action needs to be taken.
Can risk appetite be different for different categories of risks within an organization (e.g. operational, financial, strategic, cyber/IT) Also, when there are different departments/teams serving different economic sectors within an organization how best would you advise a risk appetite statement to be set?
The challenge in organizations is to turn risk appetite from the traditional organizational hierarchy approach to a horizontal one such as a value chain approach, ascribing both strategic and operational outcomes along that axis. A more difficult challenge for large complex organizations in financial services for example.
You can, and probably should, set different levels of risk appetite for different risk categories and objectives. These differences will often be driven by the expectations of your stakeholders and the objectives of your organization.
When serving different economic sectors, this might be handled in a few ways, depending on organizational structure and requirements. At the organizational level, the risk appetite might be defined by how much concentration there is in each sector. This can be supported by metrics that define percentage contribution to revenue or volume, for example. This might provide an example where great success in a high-risk product or sector breaches tolerance and forces some more diversification or reduced investment in that market.
An alternative approach is for a risk appetite statement to be set at the organizational level, supported by cascaded risk appetite statements at the next level in the organizational structure – or across value chains. This can enable organizations to tailor risk taking to specific objectives or activities (that support broader organizational objectives). For example, teams releasing innovative products might accept a higher rate of complaints during launch windows.
Risk appetite and culture
How do I position risk and compliance to be an enabler rather than a gate keeper?
Great question. Central to the webinar was the intentional inclusion of objectives as part of risk appetite. This brings to the fore that risk management is just outcome management. Review your existing processes and ensure they can lead back to how they contribute to improving the likelihood of achieving objectives or otherwise provide value.
Does the maturity of an organization come into play when determining risk appetite?
In terms of stakeholder engagement, the lower the maturity, the more you will need to explain the purpose of risk appetite, and how it is related to the outcomes that those stakeholders are looking to deliver. Education is key.
By ‘determining’ risk appetite, I’ll assume this means determining the level of risk that is acceptable. Low maturity might influence the level temporarily. This might occur if there is a realization that risks and how to manage them effectively across the organization might not be well understood. This might warrant some caution in decision making as risk maturity improves but should definitely be temporary – taking too little risks can also mean inability to achieve success!
Do you have some practical tips for how to better align risk appetite and risk culture, for companies who are on a journey to mature their approaches to risk?
We define risk culture as “What our people do when no-one is looking that affects the management of risk”. Educate your people on how risk management is part of their day-to-day work, even if they have no formal risk management responsibilities. Depending on their role, this might include:
- How they can use specific risk appetite statements to inform decisions, particularly for management
- How the results of risk reports they receive relate to risk appetite and define actions
- For those doing more specific work, such as controls assurance, data collection for risk metrics etc., how these activities feed into assessments of whether the organization is operating within appetite.
We currently offer an on-demand course for Risk for Line 1, with a Conduct and Risk Culture course expected to be delivered later this year.
If we chase risk instead of focusing on business objectives and the way we work together, do regulators, boards and even risk managers devaluate risk management as such?
I agree that risk managers should focus on aligning activities with building business value, which is why we recommend all risk conversations can be linked back to objectives. Being a slave to risk process without focusing on outcomes can certainly undermine the value of risk management. It might be worth noting that the stakeholders mentioned may have different objectives – particularly regulators who are typically focused on reducing harm to consumers or maintaining sector stability, rather than the objectives of the organization.
Why do you think risk appetite is always hard to define/not well defined within companies?
The lack of knowledge and awareness of risk appetite and its value when done well may hinder the development of a well-defined risk appetite. Without this, stakeholder involved in its development may see it as “something I have to do” rather than linking it directly to how objectives may be achieved. This can result in them putting in minimal effort.
Our consulting on developing risk appetite usually includes an initial education session on the process prior to any actual workshops, which can be eye opening. We offer courses on Risk Appetite and Framework, and Risk for Boards (of which risk appetite is a strong component).
If an organization is always in the green zone, is that good or is the organization missing opportunities?
This is sometimes referred to colloquially as ‘The Kermit Report’ (we might need to come up with a less dated reference!). It could mean a few things, so is always contextual:
- If everything is ‘green’, it might mean a culture of simply reporting good news. Make sure it isn’t too good to be true, and that people are encouraged or incentivized to share bad news!
- If risks are ‘green’ but objectives are ‘red’ or otherwise not performing, it might mean the organization is being too conservative. This doesn’t mean the organization should recklessly pursue performance, but if pushing closer to defined boundaries increases the likelihood of success, these should be considered.
- Everything is ‘green’, including exceeding all performance targets. Consider whether more aggressive objectives or targets need to be set. In a competitive environment, complacency may result in competitors generating more reward for the risks they are taking.
What strategies can organizations implement to effectively assess, define, and align their risk appetite with their business objectives in an ever evolving and complex operational landscape?
Here are a few quick tips:
- Ensure alignment on objectives at the organizational level, and at business unit level if applicable
- Develop a risk taxonomy and hierarchy if you don’t already have one. This helps align risk appetite, and particularly reporting against risk appetite, with other risk management activities.
- Integrate risk appetite review into change management activities. Major strategic changes or operational projects may warrant a review of risk appetite. Types of risks that were not relevant before may now become relevant, requiring update and communication of acceptable levels of risk.
Those 10 personal appetite results may be affected by compliance/regulatory issues like insurance. You could be taking on functions that are deemed a ‘moral hazard’ and violate insurance coverage.
These were simple examples in the webinar of course, based on the “Can I? Should I?” test. In a personal context, you might still be willing to take the risk (“I accept that I won’t be insured if I’m injured”). In a work context, we’d be surprised if intentional breach of compliance was tolerated.
This highlights why not only setting organizational risk appetite is important, but it’s communication as well. When people come to work, they need to set aside their personal risk appetite, and adopt the organization’s risk appetite. They can only do that if they know what it is. For most employees this may not be the risk appetite statement itself, but the more granular policies and procedures that support it and define the boundaries of their work.
Governance
What part does organizational governance play in the risk appetite discussion and implementation?
My challenge is the objectives of board vs senior leadership team. Does it mean different RASes for each?
The governing body, usually the board, is accountable for the setting of risk appetite. Typically, we see this being a joint effort between the governing body and the Executive team but should be endorsed by the board.
There should not be a separate RAS for each; the board is responsible for risk oversight and should challenge the executive team and ensuring that variation around objectives and management of risks are being managed within appetite.
The board may have a separate risk committee, however the board in its entirety is accountable for risk oversight.
Risk appetite and artificial intelligence
How is risk management evolving with AI strategic objectives?
With the emerging AI spectrum, how are the risks related to AI going to be measured based on new AI strategic objectives that might arise?
While AI wasn’t discussed in our webinar, it is a hot topic. I won’t go deep here, but the basic principles of risk management and processes apply here. Identify how your objectives and operating model are changing, identify the risks you are willing to take, and manage those risks to remain within appetite. Remember that use of AI itself is not likely to be the objective, but the means to achieving an objective. Make sure the way you articulate your objectives reflects that.
We recently delivered a webinar on AI, which you can watch here.
The rest
How do you determine the minimum reward threshold?
This question was related to a slide on decision making, where you subjectively assess reward against one or more categories related to objectives as well as risk. As a subjective process, you would need to agree with stakeholders what the minimum reward would be needed to proceed. This assumes some level of investment or major project, rather than continuous improvement activities.
You can add some more objectivity by basing these assessments on specific metrics where appropriate, for both risk and reward. For example, the expected return on investment on the reward side, where anything below a specific return may not be considered even if it is low risk.
This approach seems to be a very ‘risk-led’ approach to achieving success, with the RAS at the top of the pyramid. Shouldn't it be outcomes or objectives-led?
I assume this related to our RAS pyramid. The RAS itself should include variation around objectives, to which the artefacts would also relate. Metrics would include key performance indicators as well as key risk indicators, and codes of conduct, policies, and procedures should also be directing our people on how to behave in pursuit of objectives.
What do you see as the value of formal risk education at the undergraduate and graduate level? Are we evolving or properly evolving beyond training and certification as our learning foundation?
As a provider of risk training, we are probably biased so take our response with a grain of salt. One potential challenge is that risk management can be applied at different levels and may require specialization for different sectors or applications. Some quick examples: Enterprise risk, project risk, market risk, credit risk, project risk management for infrastructure projects, and more.
If you look around you will find risk management courses that exist at universities and higher education that may provide qualifications or degrees but may not meet your personal or career expectations. Some are very focused on the insurance sector, for example.
Perhaps of note is that in many (all?) regions risk is not a ‘profession’ per se. There is no standardized body of knowledge, code of ethics, or a requirement to be licensed to work in a risk management role (compared to a lawyer for example). Should there be? That is a much broader question!
Conclusions and next steps for your organization
If you missed this webinar live, Protecht’s Chief Research & Content Officer David Tattam, Research & Content Lead Michael Howell, and Senior Risk Consultant Hela Ebrahimi went through a practical approach on aligning your risk appetite and strategy, by ensuring your decision making always references your risk appetite. You can view it on demand here:
