Risk Appetite Statements
Why are good risk appetite statements so hard to find?
Oils ain’t Oils and nor are Risk Appetite Statements.
It’s probably uncontroversial to say that risk appetite statements are better practice for well run organisations. They are certainly becoming more common in both the public and private sectors.
The kicker is that most organisational risk appetite statements aren’t worth reading. Bad risk appetite statements are dangerous for an organisation’s risk culture. They don’t fulfil the purpose of clearly communicating what risks that organisation is willing to live with and which ones they aren’t.
How to improve?
We need to do better, so let’s talk about why risk appetite statements are important, as well as how they should be written, by whom and when.
What is a risk appetite statement?
To begin with, it’s worth setting out what risk appetite is:
- The ISO Risk Management vocabulary guide says risk appetite is
“amount and type of risk that an organisation is willing to pursue or retain”
- The Australian Federal Government’s Comcover
organisation expands on this to state that risk appetite is
“the amount of risk an entity is willing to accept or retain in order to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude towards risk taking. Determining an entity’s risk appetite occurs through the development of risk appetite statements which clearly set out what the executive consider to be acceptable risk-taking”
- PWC uses longer words to say much the same thing as ISO, stating that risk appetite is
“an articulation of the tolerance levels for risk that an enterprise is prepared to accept in the execution of its strategic and business objectives”.
Simpler is better, usually
I’m in the simpler is usually better camp. So let’s stick with the ISO definition and say that the risk appetite statement sets out the amount and type of risk that an organisation is willing to pursue or retain. In the spirit of clarity, it’s also reasonable to restate that an appetite for risk and a tolerance for risk are not the same thing.
Risk Tolerance is the organisation’s readiness to bear risk after risk treatments in order to achieve objectives (ISO)
Tolerance is about how well an organisation can handle risk event(s). Appetite is how much risk the organisation wants to take. Organisations with high appetite for risk and low tolerance are in for a rocky journey.
Why should anyone care?
Risk appetite statements are important because they provide guidance to those who don’t own organisational risk. Effectively answering the question for a worker how much and type of risk can be taken in a particular circumstance. They promote conscious risk taking. In some cases, the process of development brings up uncomfortable truths which need to be worked through. We are seeing this in the sustainability area where short term risks to profit are being parlayed against longer term risks to social licence. We are also seeing it in the ‘move fast and break things’ mantra.
A risk appetite is integral to managing risk and to how organisations communicate and act on risks internally and with external parties. Managing risk within the organisation’s appetite can’t be treated as an independent activity, but at the heart of the organisation’s broader governance structures and decision-making processes.
Done well, a risk appetite statement supports:
- Signalling what the Top Management really cares about
- Clear guidance for anybody in the organisation that engages with risk
- Conscious risk taking
- Only accepted activities being undertaken by the organisation
- Limiting the the scale of accepted activities to within the organisation’s capacity to manage when risk events do occur
- Focussing the leadership on risks that are emerging and /or existential to the organisation; and
- Alignment to organisational strategy and long term resilience; and
- An indication to stakeholders that the organisation is at least developing a risk culture
Plain speaking Sir or Ma’am
Risk appetite statements should be written for a primary audience being the people who engage with risk on behalf of the organisation. This means that the statement needs to be written in plain and concise language. However, it also needs to be precise enough that the target audience aren’t forced to interpret or divine meaning. This can be a challenge when developing a risk appetite statement that covers cyber and online security. A good risk appetite statement will overcome these challenges through careful drafting and stakeholder consultation.
The organisational Top Management is responsible for the risk appetite statement because they own the organisational risk. Because the statement is at the heart of the organisational governance, it needs to connect tightly to the Mission, Vision and Strategic Direction. That said, the statement should be widely internally and externally consulted as it is drafted.
It goes without saying that the risk appetite statement should be the product of deliberate negotiation and constructive argument over a reasonable time period to allow people to have their say, because this process helps develop risk culture. Done well, a risk appetite development process may also help to highlight innovative solutions to uncomfortable risk related issues.
On the dark side of risk appetite statements, the ledger is long. Issues are often seen where the risk appetite statement is never finalised because the leadership is unable or unwilling to confront uncomfortable areas of its business. Worse still is when the risk appetite statement glosses over risks that are obviously being taken in the conduct of its business.
It seems illogical if an organisation states that it has ‘zero tolerance’ for an activity, but still chooses to undertake that activity. If we have zero tolerance for risks arising from some activity, then we shouldn’t really operate in a manner that allows that activity.
Despite best efforts, it can be difficult to understand a risk appetite statement. Organisations that develop risk appetite statements and then drop them on the people that are meant to use them without providing ongoing training are setting themselves and their organisations up to fail, because they aren’t developing their risk culture.
Risk appetite statements shouldn’t be the final arbiter of the most difficult risk decisions. They can’t cover all risks in complete detail. Even trying would make the statement too long to be useful. Many key decisions regarding risk can’t be made solely by consulting a two page risk appetite statement, particularly if the risks are balanced finely between positive and negative, long and short term. This is where organisations need to operate mechanisms to make these decisions.
Lastly, a risk appetite statement that is written to be used as a virtue signalling device to external stakeholders including regulators is likely to be unhelpful to people in the organisation that need to use it.
So, in conclusion, I hope that these views about risk appetite statements might inform your own. Risk appetite statements done well are really useful, both in and of themselves, but also as part of the risk culture development process of organisations. Done badly, they run the risk of being part of the problem of bad risk management processes in organisations.
If your organisation needs help constructing a risk appetite statement suited to its needs, why don’t you contact us.
We’re always happy to help.
An earlier version of this document appeared in Risk Management Today 2021, Vol 31 No 9.