Most organisations have already documented their appetite for different common decisions or business objectives. Segregation of duties, financing and deal limits, procurement criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organisations set risk appetite. Appetite for different kinds of risks has been around for decades. Not all risks, but most of them.
So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern day consultants tell us, the authors believe that any attempts in non-financial companies to aggregate risks into a single risk appetite statement is both unnecessary and unrealistic. Even having few separate risk appetite statements is totally missing the point.
After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions.
Instead of creating separate new risk appetite statements, risk managers should review existing Board level policies and procedures and identify:
- significant risks that already have its appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organisations that utilise child labour. Or it may have a requirement not to invest in high risk ventures above a certain ratio. In cases, where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to;
- for the risks where no appetite has been set by any of the existing policies or procedures, the risk manager should work with the process owners to develop risk limits and incorporate them into existing policies and procedures. Main risks can be divided into three groups:
- “Zero tolerance” risks.
- Acceptable within quantitative limits.
- Acceptable within qualitative limits.
We strongly believe that risk appetites should be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements.
In any case, appetite or tolerance for different types of risk should be reviewed periodically to remain current and applicable.
USE THE CHECKLIST PROVIDED BELOW TO TURN THIS SECTION INTO ACTIONS
|
☐ |
Identify core decision making processes and the significant risks associated with these decisions |
|
☐ |
Review existing Board level policies and procedures to check whether appetites for key risks have already been properly documented |
|
☐ |
If not, update existing policies and procedures to include risk appetites / tolerances / limits |
USEFUL VIDEOS
Interview with Alex Sidorenko on risk appetite and why it’s totally overrated. Interview by Risk Studio. https://www.youtube.com/watch?v=Kyj4x6re0hA
Alex Sidorenko from RISK-ACADEMY talks about risk heat maps and why they are a complete waste of time. There are at least 3 better ways to present risk management information. https://www.youtube.com/watch?v=XFwWLgKUJNQ
Alex Sidorenko from RISK-ACADEMY speaks about how risk workshops are useful for education and awareness building, but not useful for risk identification and assessment. https://www.youtube.com/watch?v=xT7ecliKUuY
USEFUL LINKS AND TEMPLATES
Simple risk appetite evaluation for Board of directors –
http://www.risk-academy.ru/en/download/evaluation-of-risk-appetite-on-the-board-of-directors/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
