Download Our COVID-19 Risk Assessment Checklist

Find Out How
Risk Appetite Statement

You might know your risks but is your risk program leading to better decision-making?

Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management must deal with a fundamental question: How much risk should be pursued or retained in pursuing these objectives? Organizations must embrace risk in pursuing their goals. The key is to understand how much risk they are willing to accept.

Confident and appropriate decision-making is one of the key benefits of a well-designed and implemented risk management program. An effective risk evaluation activity, supported with a meaningful and practical Risk Appetite Statement (RAS), will provide clear direction on whether or not to accept a risk and then to implement further, prioritised risk mitigation if deemed necessary.

Risk appetite refers to the type and amount of risk that an organisation is prepared to accept or avoid in pursuit of its business objectives.

Despite risk evaluation contributing significantly to decision-making, it is that part of the overall risk management process that, is often (and frustratingly) the least well understood and applied. We have viewed many vague risk appetite statements that provide little or no guidance to management teams and as a result, decisions on which risks are not acceptable, and where to prioritise risk mitigation and allocate resources, is often compromised.

But it doesn’t have to be difficult. Understanding the nature of your organisation, its objectives, level of risk maturity, and applying some basic principals and techniques will help a lot!

Riskcom has assisted numerous organisations in enhancing their risk evaluation activity, including the preparation of meaningful and practical Risk Appetite Statements.

Read on to discover some key concepts when it comes to creating an effective and considered risk appetite statement.

Creating your Risk Appetite Statement.

To provide some context it is first necessary to revisit the key stages of a standard risk process (as described in ISO 31000 “Risk Management Guidelines”).

Risk Appetite

Again, the intent of Risk Evaluation is to contribute to effective decision-making. It compares the results of the Risk Analysis (e.g, the level of risk determined by a combination of risk consequence and likelihood) with established criteria to determine if additional mitigation action is required (Risk Treatment).

It is important to acknowledge that one size doesn’t fit all. A RAS that is a single paragraph can be just as effective as a more detailed Statement that goes over several pages of quantitative measures – it simply depends on an organisations scale of operations, complexity and risk maturity. There is no need to necessarily start with complex and detailed RAS if the risk program is in its infancy and evolving.

Developing the risk evaluation process and supporting RAS

To support the risk evaluation activity and in developing a RAS, its necessary to understand the type of organisation and its willingness to pursue or avoid risk. Risk appetite is influenced by the nature of the organization and by the industry that an organization operates in. Companies that are more focussed on the potential for significant increase in value and earnings will typically have a higher risk appetite (‘high return’ – high risk’).

Conversely those companies that focus on stable growth and earnings are generally more risk adverse and hence have a lower appetite for risk (‘low return – low risk’).

Risk Evaluation Process
Single Risk Appetite Statement

A statement that simply and clearly expresses an organisations overall risk appetite approach as either conservative or aggressive, or a combination of either in certain areas, will provide the basic and necessary guidance for decision-making. We consider a statement like this to be a minimal and fundamental expression of approach to risk appetite and to be the building block for a more detailed risk appetite and evaluation guidance.

Prioritising risk treatment and decision making based on Risk Analysis output only

To support this fundamental expression of risk appetite, and to provide further guidance for effective decision making, the majority of organisations we have worked with will have a statement of risk acceptance, with an associated indication of management urgency, for each risk rating determined during the risk analysis.

For example, a ‘Very High’ risk will be deemed ‘Unacceptable’ and will have associated actions such as ‘Urgent action must be taken to avoid or reduce the risk as soon as possible’, with escalation of the risk to senior management and boards. A ‘Low’ risk, however, may be deemed as ‘Acceptable’ and is to be monitored by routine procedures to check that its risk level does not increase over time.

This approach to risk evaluation is reasonable and relatively straight forward to communicate. However, what if there are numerous risks rated as ‘Very High’ and there are insufficient funds and resources to treat all at the same time? After all, A ‘Very High’ risk rating calls for urgent action. There must be a way of prioritising risk treatment to ensure the most critical risks are addressed urgently.

Prioritising risk treatment and decision making based on objective aligned Risk Appetite Statements

To build upon the ‘fundamental’ RAS as mentioned above, it is highly effective to develop specific risk appetite statements, that are aligned to corporate objectives, to enhance the prioritisation of risk treatment (mitigation).

This ensures the risk appetite is aligned with corporate direction and supports the development of corporate risk strategy while it contributes to prioritisation of risk treatment.

For example, an organisation has objectives related to the safety of its workforce, and also building sustainable levels of profit. The organisation has a very low risk appetite for employee health & safety incidents, however, has a low risk appetite for negative impacts on profit. It therefore, follows that a risk treatment for a health & safety risk will be prioritised ahead of a risk treatment associated with profit.

We have seen organisations use a detailed RAS approach like this to guide decision making to reasonable effect. However, and referencing the above example, what if a particular health & safety risk is rated as ‘Low’ whereas, the profit risk is rated as ‘High’. Does the health & safety risk still have priority for treatment? That would seem illogical.

Combining detailed Risk Appetite Statements with Risk Analysis Output

Riskcom has developed an approach, and associated templates, that logically and accurately determines risk treatment prioritisation, and guides associated decision making by combining both objective aligned and specific Risk Appetite Statements with output from the Risk Analysis.

We have described the stages in how to build a meaningful and practical Risk Appetite, within the risk evaluation activity, and these are summarised below.

Risk Appetite Statements

To summarise: Depending on the scale and complexity of an organisations’ operations, and its level of risk maturity, part or all of these stages could be developed and implemented when considered alongside its level of risk maturity. More confident, accurate and reliable decision making will be achieved when combining objective aligned risk appetite statements with risk analysis output. With this in mind, a single statement that simply and clearly expresses an organisations’ overall risk appetite approach will be reasonable for some organisations.

There are numerous methods of expressing risk appetite, and this partly leads to the confusion and lack of certainty in organisations, across both public and private sectors, in designing risk appetite statements. We have outlined in this article some common approaches to risk evaluation and risk appetite but also included an approach developed by Riskcom that we believe greatly enhances the output of the risk evaluation stage within an overall risk management process. We have deliberately not introduced ‘risk tolerance’ and its association with risk appetite in this article – that’s for another day!

Riskcom has considerable experience in developing and implementing tailored approaches for risk evaluation and supporting risk appetite statements. Please contact Michael MacLennan (Principal Consultant – Enterprise Risk at Riskcom) if you would like to discuss this article, or how we can assist you maximise the benefit of your entire risk program by developing and implementing an effective risk evaluation/ risk appetite activity.

Some of our clients

Have a question about risk management? Our team can help.

Get in touch

Risk Management Solutions Melbourne | Riskcom