Building organisational resilience
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.
Operationalizing risk appetite
Done right, risk appetite is at the core of how a good business is run. Done wrong, it’s a tick- box compliance exercise that sits on a shelf. Here, we look at how to leverage leaders’ and employees’ expertise to tangibly define and operationalise risk appetite.
In our previous article, How to see what you don’t see, we spoke about creating a 360-degree risk radar to establish an organisation’s unique set of risk categories, mapped to its value chain (take a look at the radar example below).
In this article, we expand upon the practical applications of the radar and outlines how it can become the foundation for an organisation to establish a risk appetite statement that is a highly valued and used management tool.
Getting briefly back to basics, why do we actually need risk appetite? It shouldn’t just be an extra layer of paperwork. Risk appetite has two main purposes:
- Firstly, it’s an instruction to the company, from the board, around how much risk the company should take and where it should take it. It is an integral tool for decision-making. Without this direction, people just make it up. And the output can go one of two ways – it’s either too conservative or too risky. Either way, you end up with a scenario where the company has not delivered on the board’s expectations.
- Secondly, risk appetite should allow you to proactively monitor when things are going off course. The quantitative metrics, or key risk indicators, enable leaders to gauge if their departments are tracking to the approved appetite position. Are they taking too much risk? Are they taking too little risk? This can be tangibly measured, if risk appetite is done right. So how do you go about this?
Key steps
Establishing categories, sub-categories and events
As I mentioned in the first article, I’ve found around 10 radar categories, give or take, tends to be optimal for most businesses. I also spoke about plotting risk events within these categories to give organizations a holistic picture of their risk universe and enable them to identify gaps and opportunities.
Starting to dive a bit deeper, most medium to large organizations will probably find they need a number of sub-categories underneath their main categories. They might end up with, say, 10 categories, and perhaps 50 to 60 subcategories.
Let’s use technology as an example of a main category. Sitting under that, you might have four sub-categories: cyber security, protection of data and intellectual property, technology innovation and run-time of your operating software and systems.
Or, you could look at strategy as a major category. Underneath that, you might have sub- categories such as competitor analysis, capital allocation, macro-economics and geopolitics, and so on.
Underneath the sub-categories, you plot your individual risk events.
Getting the governance right
The importance of this structure is that it allows you to aggregate and prioritise your risk information. It gives you a method of getting the right risk information in front of the right people. It also facilitates accountability and ownership.
I’ll speak more about governance in the third piece in this series (‘Using the three lines of defence effectively’), but essentially the risk radar model allows you to identify:
- The top 10 risks that need to go up to the board
- The 50 or 60 risk categories that senior management need to be worried about
- The hundreds of individual risk events that middle management need to manage.
How does this assist with determining and operationalizing appetite? As I’ve mentioned, the risk categories are mapped to your value chain. They should also align to your organizational structure. The goal is that each category is assigned to a relevant executive leader directly under the CEO level.
For example, technology might be assigned to a chief information officer, if that position exists. Financial and perhaps strategy categories might be assigned to your chief financial officer, and so on.
This is important, because you can then start to meaningfully define appetite using that same organization of your risk information and governance structure. The clear message you want to send is: it’s not risk’s role to set appetite. The role of the risk function is to support and verify performance within appetite is maintained, but there are other executives who have the accountability to work with the board to define appetite for their areas.
Getting a general consensus on these roles is the first really important step to bringing risk appetite to life, rather than it being a document that sits on the shelf.
As we know, it’s ultimately the board’s role to define and approve the appetite for risk within the organization. But, using the technology example, if you’ve got a chief information officer, their role might be to say ‘this is what I think the appetite position is for technology’. That view goes up the board, and it is the board’s role to explicitly agree or disagree and clarify.
Done well, this process should trigger healthy debate between executives, the board and the management team. Generating this debate is the second step to transforming risk appetite statements into genuinely useful guidelines within the business.
Creating qualitative statements and quantitative metrics
As we just touched on, the demarcation of responsibility between the board and the organization is one of the key factors in getting risk appetite right.
The board is responsible for setting an organization’s appetite. But, the process of obtaining board approval can be slow and time consuming. You don’t want to have to go to them every time you need to change a granular element of your risk position.
Separating your risk appetite infrastructure into qualitative statements and quantitative metrics, therefore, can help.
The qualitative statements are the board’s responsibility. These clarify the appetite position for each sub-category. This is where the sub-categories become very relevant.
Continuing with the technology example. In a sub-category like data protection and cyber- security, you would likely have an avoidant risk appetite. The board’s statement would reflect the fact they expect strong controls in place to prevent theft of important company and/or employee data and intellectual property. Compare this to technology innovation, where the board’s appetite for risk may be quite high. They may expect the company to be taking risks in this area to gain productivity improvements or other advantages.
That would be where the qualitative statements end. From there, the executive leaders need to determine quantitative metrics—otherwise labelled as ‘key risk indicators’—that actually make the appetite levels mean something. This is the third important step to bring risk appetite to life.
The quantitative metrics should set a clear upper and lower level of risk-taking performance. If the lower limit is breached, you are outside appetite as you are not taking enough risk. If the upper limit is breached, you are outside appetite due to excessive risk taking.
Having both an upper and lower limit is the fourth really important step to bringing risk appetite to life. The lower limit frees employees up and makes it safe for them to take risk for improved returns, helping to shift that mindset from risk only being a bad thing that needs to be avoided.
For example, if the board has made it clear they have an elevated appetite for new technology risk, the key risk indicator metrics assigned could be the percentage failure rate of innovation projects. If there is genuinely an elevated appetite for this risk, the lower limit will not be 0%, as some failure must be expected in new technology innovation.
This is just one example, but it shows how the governance structure you put in place around the risk categories is crucial to operationalizing the appetite statements. It’s about leveraging the expertise of your leaders and your people to tangibly define risk appetite across your entire risk universe.
Outputs
Risk informed decision-making and achieving best case scenarios
Strategic decision-making can become much more consistent and informed once an organization has a clear risk appetite statement with upper and lower limits of performance.
An acquisition decision, for example, can be made with consideration to expected performance across all categories of risk, not purely financial. Analysis can show the expected reliability of performance within appetite, anticipated costs to implement controls to achieve this performance, any expected deviations of performance outside appetite, and corresponding approvals (temporary or otherwise) for these breaches.
As the risk director, if you’re having sessions with the strategy team, you can ask:
- Do we know what best case scenario looks like?
- Have we understood everything that needs to go right for best case scenario to happen?
- Have we understood all the assumptions we've made?
- What actions are we taking to maximise the chances of things going right?
By using this approach, risk is able to help an organisation explore new opportunities and achieve its goals, as well as preventing bad things from happening. This is key to risk ‘earning a seat’ at the strategic table.
Proactively monitoring risks against appetite
Measuring whether appetite has gone awry after the fact is only so useful, however. Being able to foresee ahead of time whether appetite levels are likely to be breached is obviously far more valuable.
To enable this, risk managers really need to work with the business as it is developing its quantitative metrics to ensure they are mostly lead indicators.
Supply chain management provides an easy illustration here. If you’re looking at customers’ supply chain credit risk, for example, and your indicator is whether or not bills have been paid in full on time, you’re only ever going to discover you’ve got a problem once it’s too late.
It might be better to design an indicator that involves looking at the performance and balance sheet (assuming these figures are available) of your top customers. Are they likely to be able to pay you? That might give you a better chance of forecasting if a problem is headed your way and being able to take proactive action, rather than reacting after the fact.
Letting go of best practice
One other thing that this approach to risk appetite may allow you to do is to actually remove some of the controls and systems that are in place around certain risks.
Something you’ll hear a lot these days is that everyone wants to be ‘best practice’ in every part of the business. There’s nothing wrong with this goal, but sometimes we need to step back and assess what best practice really entails.
Oftentimes, layer upon layer of administration and bureaucracy is created in organizations. More and more controls are added, and there are so many rules that it becomes hard to get things done. The environment becomes stifling.
However, if you have clarified your risk appetite positions, and clearly defined with metrics what it means to be within appetite, you may be able to re-assess some of these controls. Analyse the actions you’re currently taking against your approved appetite and ask yourself: if we removed X control, would we fall outside of appetite?
If not, perhaps you may be able to re-introduce some more freedoms that may lead to greater flexibility and innovation.
Results
I have consistently found that this approach to risk appetite delivers invaluable risk, and strategic, insights. Just the power of going through the process of setting and defining appetite within your management, your executive team and your board can reveal important misalignments.
As each person involved contributes to articulating and writing down what they believe the appetite position to be in a certain sub-category, you will often start to realize where broad gaps exist in perceptions.
It’s these kinds of gaps that can lead to misunderstandings around individual and team performance and progression. This inevitably leads to either too much risk being taken, or too little. This is especially the case where different categories (such as safety and productivity) are in potential competition. By having a clear understanding of the company’s full risk radar, and relative appetite of each category, serious incidents can be avoided at the same time as big bets being taken for superior returns.
Lessons learned
I’d say there are three key challenges you might anticipate as you go through the risk appetite operationalization process.
- The first challenge is getting the buy-in from your executive and your board to make the process—and its end result—meaningful. While it can be challenging to identify and deal with misalignment on appetite, what’s worse is if you don’t get any debate at all. Because that likely means that people aren’t really engaging and it may just end up being another written statement that’s filed away upon completion.
- The second challenge is getting the balance right between simplicity and complexity. If you err on the side of too simple, you end up with a situation where you’ve got those bland appetite statements that kind of just say “well, we’re a risky company and we’ll do our best to manage that”, which aren’t meaningful. But if you go too complex, you end up with this behemoth infrastructure that nobody can keep track of and which subsequently also ends up being ignored. In my experience, organisations tend to go through a cycle. They start off with something that’s too bland. And then people become interested and engaged, and suddenly you’ve got everyone saying “add this and add this”. And then, ideally, they eventually reach a happy medium.
- The third challenge is in the context of truly operationalising the statement. Too many companies expect their risk appetite statements to be something that goes from the board to the shop floor. It doesn’t work. Risk appetite statements should be management tools. They help senior leaders make decisions, but then it’s those decisions that need to be quantified and translated into meaningful actions and responsibilities for the front line. Don’t expect the risk appetite statement to be picked up and used by a front-line supervisor. But do expect them to be directly impacted by the decisions made by their superiors, based on their use of the appetite statement.
This article was first published in July 2020 by Risk Leadership Network, a global membership network for risk professionals.
Leave a comment
Recent posts
