You might know your risks but is your risk program leading to better decision-making?
Confident and appropriate decision-making is one of the key benefits of a well-designed and implemented risk management program. An effective risk evaluation activity, supported with a meaningful and practical Risk Appetite Statement (RAS), will provide clear direction on whether or not to accept a risk and then to implement further, prioritised risk mitigation if deemed necessary.
Risk appetite refers to the type and amount of risk that an organisation is prepared to accept or avoid in pursuit of its business objectives.
But it doesn’t have to be difficult. Understanding the nature of your organisation, its objectives, level of risk maturity, and applying some basic principals and techniques will help a lot!
Riskcom has assisted numerous organisations in enhancing their risk evaluation activity, including the preparation of meaningful and practical Risk Appetite Statements.
Read on to discover some key concepts when it comes to creating an effective and considered risk appetite statement.
Creating your Risk Appetite Statement.
To provide some context it is first necessary to revisit the key stages of a standard risk process (as described in ISO 31000 “Risk Management Guidelines”).
Again, the intent of Risk Evaluation is to contribute to effective decision-making. It compares the results of the Risk Analysis (e.g, the level of risk determined by a combination of risk consequence and likelihood) with established criteria to determine if additional mitigation action is required (Risk Treatment).
It is important to acknowledge that one size doesn’t fit all. A RAS that is a single paragraph can be just as effective as a more detailed Statement that goes over several pages of quantitative measures – it simply depends on an organisations scale of operations, complexity and risk maturity. There is no need to necessarily start with complex and detailed RAS if the risk program is in its infancy and evolving.
Developing the risk evaluation process and supporting RAS
Conversely those companies that focus on stable growth and earnings are generally more risk adverse and hence have a lower appetite for risk (‘low return – low risk’).
Single Risk Appetite Statement
A statement that simply and clearly expresses an organisations overall risk appetite approach as either conservative or aggressive, or a combination of either in certain areas, will provide the basic and necessary guidance for decision-making. We consider a statement like this to be a minimal and fundamental expression of approach to risk appetite and to be the building block for a more detailed risk appetite and evaluation guidance.
Prioritising risk treatment and decision making based on Risk Analysis output only
To support this fundamental expression of risk appetite, and to provide further guidance for effective decision making, the majority of organisations we have worked with will have a statement of risk acceptance, with an associated indication of management urgency, for each risk rating determined during the risk analysis.
For example, a ‘Very High’ risk will be deemed ‘Unacceptable’ and will have associated actions such as ‘Urgent action must be taken to avoid or reduce the risk as soon as possible’, with escalation of the risk to senior management and boards. A ‘Low’ risk, however, may be deemed as ‘Acceptable’ and is to be monitored by routine procedures to check that its risk level does not increase over time.
This approach to risk evaluation is reasonable and relatively straight forward to communicate. However, what if there are numerous risks rated as ‘Very High’ and there are insufficient funds and resources to treat all at the same time? After all, A ‘Very High’ risk rating calls for urgent action. There must be a way of prioritising risk treatment to ensure the most critical risks are addressed urgently.
Prioritising risk treatment and decision making based on objective aligned Risk Appetite Statements
To build upon the ‘fundamental’ RAS as mentioned above, it is highly effective to develop specific risk appetite statements, that are aligned to corporate objectives, to enhance the prioritisation of risk treatment (mitigation).
This ensures the risk appetite is aligned with corporate direction and supports the development of corporate risk strategy while it contributes to prioritisation of risk treatment.
For example, an organisation has objectives related to the safety of its workforce, and also building sustainable levels of profit. The organisation has a very low risk appetite for employee health & safety incidents, however, has a low risk appetite for negative impacts on profit. It therefore, follows that a risk treatment for a health & safety risk will be prioritised ahead of a risk treatment associated with profit.
We have seen organisations use a detailed RAS approach like this to guide decision making to reasonable effect. However, and referencing the above example, what if a particular health & safety risk is rated as ‘Low’ whereas, the profit risk is rated as ‘High’. Does the health & safety risk still have priority for treatment? That would seem illogical.
Combining detailed Risk Appetite Statements with Risk Analysis Output
Riskcom has developed an approach, and associated templates, that logically and accurately determines risk treatment prioritisation, and guides associated decision making by combining both objective aligned and specific Risk Appetite Statements with output from the Risk Analysis.
We have described the stages in how to build a meaningful and practical Risk Appetite, within the risk evaluation activity, and these are summarised below.
To summarise: Depending on the scale and complexity of an organisations’ operations, and its level of risk maturity, part or all of these stages could be developed and implemented when considered alongside its level of risk maturity. More confident, accurate and reliable decision making will be achieved when combining objective aligned risk appetite statements with risk analysis output. With this in mind, a single statement that simply and clearly expresses an organisations’ overall risk appetite approach will be reasonable for some organisations.
There are numerous methods of expressing risk appetite, and this partly leads to the confusion and lack of certainty in organisations, across both public and private sectors, in designing risk appetite statements. We have outlined in this article some common approaches to risk evaluation and risk appetite but also included an approach developed by Riskcom that we believe greatly enhances the output of the risk evaluation stage within an overall risk management process. We have deliberately not introduced ‘risk tolerance’ and its association with risk appetite in this article – that’s for another day!
Riskcom has considerable experience in developing and implementing tailored approaches for risk evaluation and supporting risk appetite statements. Please contact Michael MacLennan (Principal Consultant – Enterprise Risk at Riskcom) if you would like to discuss this article, or how we can assist you maximise the benefit of your entire risk program by developing and implementing an effective risk evaluation/ risk appetite activity.