Much of the literature around risk appetite revolves around the financial services industry. Within local government, this area is often not well researched, documented or applied in practice. What ‘things’ are within an organisation’s risk appetite? What risk events are ‘tolerable’? What is an organisation’s risk-taking capacity? Tony Harb and Mitchell Morley, risk management and governance specialists from InConsult, look at strategies that can help risk and governance managers better understand, apply and develop appropriate risk-taking parameters.
One of the most challenging tasks for a risk manager is to help the organisation articulate its risk taking parameters. These parameters are important because information from here will flow through to risk rating criteria, key policies, major decisions and staff behaviour.
Know your risk capacity
Let’s start with risk capacity. Why? Ultimately, an organisation’s capacity to take risk will have a significant influence on its risk appetite. The organisation with greater risk capacity will be in a position to take on more risk.
For the record, risk capacity is not defined in the AS/NZS ISO 31000 Risk Management standard or in Guide 73:2009 Risk Management - Vocabulary. Risk capacity is not always easy to quantify. In simple financial terms it can be determined by things like the value of net assets, available working capital etc. But what about things like reputation or environmental impact, which are often much harder to quantify?
Look at risk capacity as the ‘upper limits’ of your risk taking. A risk event beyond this point could mean an organisation is no longer sustainable, no longer a ‘going concern’ and cannot remain ‘in business’. It could mean that an organisation’s reputation is so damaged that people are prosecuted, go to jail or external intervention is required to enable an organisation to continue to operate.
Risk appetite is defined by the ISO Guide 73:2009 Risk management Vocabulary as the “amount and type of risk an organization is prepared to pursue or take”. It is the amount of risk that an organisation wants to take and is willing to accept in pursuit of its objectives. It is the organisation’s “comfort zone”, the level of risk it wishes to expose itself to. Risk appetite must consider an organisation’s risk capacity.
It is extremely important for staff at all levels to understand the organisation’s appetite for risk. Where risk appetite is not clearly articulated and communicated, there is a real danger that decision making will be inconsistent with organisational objectives or, even worse, people’s behaviour may not be appropriate to the organisation’s expectations.
Understanding risk appetite is particularly relevant when an organisation has to make choices/decisions that are inherently uncertain such as investment strategy, major outsourcing appointments, major projects and long term strategic planning. It will help an organisation draw a line between acceptable and unacceptable levels of risk and the level of additional controls and treatments required. Some of the problems encountered by some organisations with their investment strategies during the global financial crisis and the problems with major local government infrastructure projects are examples of a lack of understanding of the risks involved and whether they were within the organisation’s risk appetite.
Overcoming the challenges
All management will have an appetite for some types of risk and an aversion to others. Getting some alignment between these different views and finding the right balance is difficult and can create a lot of angst.
It is therefore important for an organisation to formulate its risk appetite and risk criteria through a consultative process involving key stakeholders. This can be done through a combination of workshops, questionnaires and surveys. Ensure that key members of your Audit/Risk Committee are included in this process.
Once an organisation’s risk criteria start to take shape and some form of agreement about the levels of risk is reached, risk appetite parameters will emerge and can then be documented as part of an organisation’s risk management framework. Documenting them is important to ensure that the organisation’s attitude to risk and risk parameters are clear. Some examples of risk appetite statements could include:
- “The organisation has no appetite for risks which may have a significant negative impact on the organisation’s long term financial sustainability”.
- “The organisation has no appetite for risks which may compromise the safety and welfare of staff, contractors and/or members of the community”.
- “The organisation has some appetite for risks that maintain and improve levels of service to the community”.
- “The organisation has some appetite for risks that improve efficiency, reduce costs and/or generate additional sources of income”.
Risk appetite statements help to “set the tone from the top”. Incorporating them into the risk management policy is now considered part of good practice in risk management.
Whilst most organisations have a similar risk profile, setting risk appetite is not a one size fits all approach. Every organisation needs to carefully consider its particular operating environment and risk profile before determining an attitude towards risk that is appropriate for its circumstances.
Ultimately, the decision to accept or treat risks needs to be made on a risk-by-risk basis. Statements like “all risks with a residual risk level of 2 and above, must be escalated to the General Manager for review” should also be incorporated within an organisation’s risk management framework.
The bottom line!
Risk appetite has to consider the needs of the range of stakeholders that ultimately determine an organisation’s strategy. It should be developed in a consultative manner that takes into account the context in which the organisation operates and particularly the organisation’s risk capacity.
It should be regularly reviewed as the environment in which the organisation operates can change quickly and risks that might have been tolerable previously may no longer be acceptable and vice versa.
Establishing a risk appetite statement and supporting risk criteria will help all stakeholders to better determine whether their actions and decisions are within acceptable or tolerable risk parameters.
Risk appetite has to cascade down through the organisation to act as an early-warning system to trigger escalation or corrective action when risks are outside the tolerable levels.
A clearly articulated risk appetite statement and supporting risk criteria are critical foundations that underpin successful risk management.