RISK MATURITY: How to document risk appetite

Most mature organizations have already documented their appetites for different risks to objectives.  Segregation of duties, financing and deal limits, procurement criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organizations set risk appetites. Sometimes risk appetite is driven by legal or regulatory requirements, industry practices, sometimes by stakeholder expectations.

When assessing risk management maturity, reviewers should check existing Board level (or equivalent) policies and procedures to identify:

  • significant decisions/activities that already have their risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organizations that utilize child labor. Or it may have a requirement not to invest in high-risk ventures above a certain ratio. In cases, where the risk appetite has already been set, reviewers should check with internal auditors to test whether limits are realistic and are in fact adhered to.
  • for the decisions/activities where no risk appetite has been set by any of the existing policies or procedures, reviewers should discuss with the process owners to understand risk appetite and see whether it has been incorporated into other existing policies and procedures. Main decisions/activities can be divided into three groups:
    • “Zero tolerance”
    • Acceptable within quantitative limits
    • Acceptable within qualitative limits

Reviewers should also check various risk criteria (another example of risk appetite) used in the organization for different types of decisions to make sure they are consistently applied, are up to date and adequately cover business needs.

This is what a typical non-financial company should have:

At the Board level

  • A Board level policy outlining acceptable or unacceptable actions/behaviour for any risk or activity where having such policy is required by law or regulator (health and safety, anti-money laundering, corruption, environment).
  • Delegation limits, deal or transaction approvals and segregation of authority documented within a finance or investment policy or other Board level document.
  • Existing Board level policies have a notion of high, medium, low-risk activities. Usually, the policy will have different boundaries for different risk levels.  This may include:
    • different risk levels for vendors (higher risk vendors require more attention)
    • different risk levels for investment projects (higher risk projects have higher return expectations and more stringent monitoring rules)
    • no more than 20% of capitals can be invested in high-risk ventures
    • etc, etc.
  • An overall statement in a policy or guideline “Generate a reasonable rate of return at the moderate level of risk (expected volatility 10-20%) through a diversified portfolio of projects.”

It is then up to the risk manager to come up with the methodologies how to calculate risk levels or moderate level of risk (expected volatility 10-20%). If done properly there is a very high chance that you will find out that executives make decisions well within the limits and in fact can and should take more risk. Imagine a risk manager pushing everyone to take more risk. This is a great opportunity for the risk manager to help decision makers take on more of the good risk.

At Executive level

  • Performance targets are set not as single values, rather as ranges, where performance outside of range is escalated to the oversight body.
  • Key decision criteria are calculated based on the risk levels, for example, NPV and IRR for an investment project are calculated depending on the risk level (usually replacing WACC with variable discount rate based on risk or running Monte-Carlo to calculate NPV range)
  • Some significant management assumptions and risks are constantly or periodically monitored through manual or automated indicators.
  • Risks are calculated for key decisions to see that they are within management authority or need to be escalated to the oversight body.

– – – – – – – – – – – – – – – – – – – – – – – – –

This is an extract from a comprehensive G31000 risk management maturity model.

Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.

RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


4 thoughts on “RISK MATURITY: How to document risk appetite

  1. One of the major problems with risk appetite is reality. For example, I have been listening to internal auditors at a huge European company. There may be a stated zero tolerance for fraud, but until recently they would not assign staff to investigate any suspected theft or fraud under €200,000.

    Another situation is employee safety. Nobody would set a risk appetite above zero, but that doesn’t mean they are prepared to either invest all the money required to reduce safety risk to almost zero, or to take the only step that over time get it to zero: exiting the business.

    COSO gets it right when it allows managers to breach a stated risk appetite when it is right for the business. Examples might include the possibility of huge gains or that there is no viable alternative.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.