Risk appetite setting is a powerful tool to encourage the taking of risks across all parts of the organisation.

Historically risk appetite setting has been completed as an isolated risk process that occurs to reduce risk-taking. However, organisations are in the business of taking risks, and a forward-looking, positive risk appetite framework and risk-setting process will empower management and employees to deliver risk-based outcomes in line with the Board’s expectations.

What is the alternative approach?

Deloitte outline in “Risk appetite frameworks – How to spot the genuine article” that,

Everyone these days seems to agree that risk appetite frameworks are good things – even if no-one can quite agree what a good one looks like.

The alternative approach to risk appetite setting is to not focus on the process but on the business engagement. In essence, facilitating constructive challenges, debates and discussions on the key business activities with the business leaders, and then having them and their teams embrace the risk settings as a business enabler.

To support this facilitation, the usage of a structure that enhances the discussion is critical and that is where the simple attributes thrive.

Simple Attributes for Risk Appetite

In our alternative approach there are 4 simple attributes to setting risk appetite:

  1. Target or “Sweet Spot”;
  2. Operating range;
  3. Tolerance; and
  4. Exceeding.

Further information on each is outlined below.

“Sweet Spot”

Firstly, we define the “sweet spot” for the business strategy and operations being delivered every day by our people.

This “sweet spot” defines the point we are aspiring to move to; whether that is a growth/increasing position or a contracting/decreasing position. These terms must be adapted to each organisations culture and language. The key here is to use human language that people operate within in their daily interactions.

To support the development of this attribute, our posting on Agile Risk Management outlines the importance of undertaking shorter sprints of activity. This requires us to critically assess our approach to the right sweet spot for risks in each sprint.

Operating Range

Once you have established the “sweet spot” we recommend developing an “operating range”.

The “operating range” is the range of risk the business is willing to take to execute its strategy and operational outcomes. This range will have an upper and lower bound, providing for movements in risk-taking due to internal and external factors and forces.

A good operating range allows factors that are part of normal business operations and part of expected strategic decisions to occur, without exceeding your normal expectations.

Tolerance

The third step is then to set a “tolerance” level, which although we do not want to move within this territory, we are willing to accept a brief entry.

Developing a tolerance should include exploring the “what ifs” and the “black swan” events that could impact your business. The “what ifs” help ensure the level of appetite incorporates some of the unknowns, however, it must not be too wide so as to accept the unknowns as part of risk-taking. By this we mean, we need to test the boundaries of the Board and management in undertaking those business activities and strategic plans.

The key aspect is when an organisation is in the tolerance level, actions must be taken to move back within the operating range.

Exceeding

The final step is to set the level(s) where we are exceeding the organisation’s appetite.

In these circumstances, management will take immediate action to move back within tolerance and then the operating range. In these circumstances, there may need to be consequence management on those responsible for exceeding appetite (i.e. some form of “cost” of exceeding appetite, including training, coaching, and/or potential financial penalty).

In Summary

These simple steps provide a template for understanding, documenting and monitoring your appetite settings.

The setting of risk appetite is powerful in ensuring organisations operate effectively and take the risk needed to be successful.

SOURCEInnovation of Risk
Scott North has extensive executive and board experience in risk management, internal audit, operational risk and compliance, governance, risk strategy, scenario planning, technology risk, technology architecture, systems design, financial accounting, and management accounting. With Chief Risk Officers roles across financial services in Australia, Scott is an accomplished and experienced senior risk executive with extraordinary results in leading risk management teams. An innovative and process-focused leader, with an entrepreneurial style. Scott has a passion for innovation and digital. Scott is an experienced project leader across multiple disciplines including risk, finance and enterprise systems.