Risk Appetite

Cost of living pressures and high levels of inflation are among the high profile challenges currently impacting all organisations, across a variety of industries. It is common to see periods of increased risk, such as this, reduce risk appetite levels. However, an increased need to differentiate unique offerings, provide high quality services, and – ultimately - deliver for customers and shareholders, could see more risks being taken.

Risk appetite is the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Understanding and articulating risk appetite is an integral component of risk management and broader corporate governance.

For all organisations, achieving objectives is inherently linked to the effective management of risk. Understanding exactly what effective management of risk means for your organisation will depend upon your risk appetite.

Despite the need for risk appetite to be well-understood and implemented effectively, it remains one of the most challenging components of Enterprise Risk Management (ERM) and, consequently, is a topic many organisations often struggle with.

Articulating and applying risk appetite will be unique to each organisation and success will depend on a variety of factors. There are a number of key topics which should be considered by all organisations to support effective risk appetite implementation.

Engage the Board

An organisation’s Board and senior management will possess a deep understanding of its vision, strategy, and objectives. Asking the right questions to this group will enable the development of a formalised risk appetite.

The Board should be engaged with through discussions that explore the main areas of risk to the organisation and whether the current level of threat is acceptable. This approach can provide an excellent method for developing their views on risk appetite. It is also critical the Board hold sufficient risk management knowledge in order to be able to appropriately articulate their risk appetite. Training to improve their knowledge should be considered if deemed necessary.

Communicate to the organisation

Engagement with managers and employees is an essential step to ensuring an organisation can easily follow the risk appetite set by the Board. When communicating to the wider organisation, risk appetite will need to be practical and accessible to support adoption and integration. For example, managers will want to be able to use the established risk appetite to agree service level agreements (SLAs) with third parties handling outsourced processes.

Individual attitudes to risk, aversion to change, and the organisation’s broader risk culture can often make this a challenging step in implementing risk appetite. Nevertheless, organisations should be prepared to provide training, update codes of conduct, and implement new processes to facilitate effective utilisation of risk appetite.

Establish risk appetite metrics

While risk appetite may start as a set of statements describing how much risk an organisation is willing to take across various impact areas, robust measurement will enable more effective risk management. Established metrics and key performance indicators (KPIs) can often be adapted to ascertain if an organisation is taking an acceptable level of risk.

One example of this is staff turnover. This is a metric commonly used by HR departments and can be easily used as a lagging indicator of various people risks.

^{Staff turnover can be used to measure people risks and whether the defined appetite is being exceeded. This example tracks an organisation targeting a rate of less than 8%.}

Similarly to how risks should be escalated to the Board at certain assessment levels, when metrics exceed defined thresholds, senior management should be alerted to enable mitigation action to be taken to reduce the level of risk.

Link individual risks to appetite and prioritise based on this

Risk appetite should be included within the organisational processes used to measure and prioritise the risks included within risk registers. In times of significant budget pressures, risks that exceed agreed appetite levels should be prioritised for additional mitigation measures when making investment decisions.

Reviewing each risk within the risk register, to determine what the specific appetite level should be based on the Board’s overarching risk appetite, has proven an effective approach. If this level is surpassed, key stakeholders should evaluate actions that could be taken to improve the risk assessment. This is conventionally known as setting and monitoring target risks scores.

Utilise risk appetite levels for insurance

A common method for organisations to transfer elements of certain risks to third parties is through the utilisation of insurance contracts. A clear understanding of financial risk appetite should be used by insurance buyers to set the insurance retention level (deductibles or excess levels, for example) and overall programme structure.

It is crucial insurance is considered as part of wider risk management strategies and that it is discussed when articulating risk appetite. It is also important to remember that risk appetite covers a far broader scope than solely financial risk and insurance.

Being aware of organisational risk appetite - and the ability to base key decisions on the information it provides – will benefit any organisation. Taking the first step of engagement with the Board and senior managers to articulate their risk appetite will help unlock these benefits and improve risk management.

Article