Tools for the job: understanding risk appetite
Do you know what the appetite of your organisation is for taking risk in the pursuit of opportunities and the achievement of its business plan? Is it the same across all activities in your organisation? Is it quantifiable, assessed and an active part of governance and decision-making?
Six months ago, my response to these questions would have been: “sort of”, “probably not” and “can you repeat the question?”.
As risk practitioners, we know that, in theory, the first step of the risk management process is to “define the risk appetite of the organisation”. This sounds sensible. Start with the tone at the top and then shape your Risk Management Framework and risk assessment processes accordingly.
But, in reality, how often does this happen first (or at all) when we are asked to embed risk management in an organisation?
The problem is that it feels too big and too abstract. It also involves securing the support, active participation and time of busy senior leaders. The board and the audit committee want to review the risk strategy, endorse the framework, know that staff are being trained, that processes are in place and that risk reporting, mitigations and escalation systems are all working – the tangible assurance of risks being managed.
Our organisation was in a good place in terms of its risk management. A recent audit gave reasonable assurance over the arrangements in place, whereas 18 months ago these had been assessed as “limited”. However, when I realised that risk appetite was becoming a hot topic, I started to explore the benefits that focusing on this could offer us.
I read that one of the characteristics of a risk-mature organisation is “the conscious and dynamic determination of the organisation’s risk appetite by senior officers and using this to support decision-making, resource allocation and internal audit planning. Risk appetite helps organisations to establish a threshold of impacts they are willing and able to absorb in pursuit of objectives, improve organisational health and resource prioritisation, while maintaining performance and demonstrating value for money.”
Reflecting on this, I could see that, while all of our organisation’s 214 risks (strategic, critical, operational and transactional) had largely been assessed in terms of a current risk score and a target risk score (the level of risk that is tolerable), these judgments were often made at a service level, without reference to corporate risk appetite. We could therefore be using resources to mitigate risk to below the level that the organisation would accept, while simultaneously not mitigating risk enough in other areas. Best practice dictated that we required a Risk Appetite Statement, derived from the application of a Risk Appetite Framework – a tool for defining appetite.
The framework
I began to search for an appropriate framework that would meet our specific criteria. We needed an approach that was resource-light in terms of senior officers’ time, covered key areas of operations at a high level, was easily understood with pre-determined assessment criteria, could be easily refreshed when our risk appetite changed and could be scaled further down the line to apply to directorates or services.
We chose a method for developing an activity-based risk appetite statement based on The Orange Book / Governance Finance Function / Risk Appetite Guidance (2020). This would enable us to determine the organisational risk appetite across 13 themes: strategy, governance, operations, legal, property, financial, commercial, people, technology, data information and management, security, projects/programmes, and reputation – perfect for the council.
Service directors were required to undertake an assessment of their appetite for risk in areas within their control on a one-to-five scale (one being risk-minimal to five being risk-eager). Where applicable, they also had to do this in areas where their part of the business was currently operating.
Appetite levels across the organisation varied. In some areas our risk tolerance was assessed to be minimal/cautious (eg, in our commercial activities and capital programme), while in others we were open and eager in the pursuit of opportunities and the successful delivery of our outcomes (eg, technology, property and operations).
Our aim now is to operate organisational activities in line with the defined appetite for risk. Where activities are projected to exceed the defined levels, this must be identified and managed through the council’s risk management arrangements and appropriate governance mechanisms.
The benefits
Many of the benefits of producing this statement have already been realised. The risk management framework, in terms of the assessment matrix for risk, is being reconsidered now that the risk at the top has been clearly defined. Barriers to areas operating outside of the desired appetite are being explored. Governance, decision-making and resource allocation are being aligned to priority outcomes and the appetite for risk.
When planning internal audit, we now use the statement to consider those areas categorised as “risk-eager”, acknowledging that these may require more assurance in terms of effective and proportionate controls and risk management. Similarly, we are using it to highlight where more effective governance and decision-making is necessary in areas that are more risk averse than they need to be.
This article was published in July 2023.