9 minute read 18 Jan. 2021

Ten lessons learned in implementing risk appetite frameworks

By EY Global

Ernst & Young Global Ltd.

Related topics Consulting Risk

Developing a risk appetite framework can be daunting, but implementing risk management can drive progress for development agencies.

In brief
  • Without support from the Board, efforts to enhance risk management may be perceived as a bureaucratic “compliance exercise.”
  • Risk dashboards should focus on a prioritized set of risk metrics and need to be tailored to the audience. They should be well designed and easy to read.
  • Organizations must realize that it is about supporting a cultural change in how risk is identified, measured, managed and mitigated.

We have entered the final decade of global efforts to achieve ambitious 2030 Sustainable Development Goals (SDGs). The international development community and multilateral organizations are focused on marshalling, deploying and targeting their resources to maximize their contribution to the SDGs and to drive up development impact.

As development agencies look for ways to drive up development impact in increasingly challenging environments, there is a growing recognition that strengthening risk management capabilities can help lead to effective risk decision-making and resource allocation. Development agencies operate across a range of risk management maturities, but their formal risk management capabilities are often not sufficiently mature. The evolving COVID-19 pandemic has highlighted the need for agile and well-established decision-making processes informed by an up-to-date view of the organization’s risk profile. Without an established process to identify, measure and manage risks, the organization’s portfolio-level risk exposure can stray significantly from desired levels.

A robust risk appetite framework (RAF) can help development organizations to assess and manage risks systematically as they look to determine the impact of the evolving pandemic and mobilize resources quickly in response to the crisis. Implementing such a framework can seem like a daunting process, but a pragmatic approach can help organizations to chart the right course and drive increased development impact.

  • Download our report: How to implement risk management to drive development impact.

Lessons learned in implementing risk appetite frameworks

In supporting development agencies – and private sector organizations, especially in financial services – we have identified ten key lessons learned:

1. Good governance and leadership are critical to making risk appetite drive day-to-day change

Effective risk management requires a strong, organization-wide governance structure that makes risk considerations a priority of the board and senior management. Without such leadership and commitment, efforts to enhance risk management may be perceived as a bureaucratic “compliance exercise” required by headquarters, as distinct from an important component of enabling more risk-taking and delivering more development impact. The full board needs to know risk is being taken in a well-controlled manner, and that they have sufficient committee oversight of the risk-related activities. The senior leadership team has to remain accountable for bringing all the risks together across the firm.


2. An inclusive approach to risk appetite development helps to achieve necessary buy-in across the organization

A risk appetite framework cannot be developed in a management silo – it must be easily understood and supported by all levels of the organization. So, senior management should involve stakeholders from across the organization early in the process and empower operational staff to contribute to and own the initiative. It is important that organizations engage a broad range of internal stakeholders and educate the workforce on risk matters. Staff will likely have a series of questions about the risk appetite initiative:

  • Why are we developing a RAF? What is the rationale?
  • How will it affect me and the organization?
  • How can I determine low from high risks? What do we mean by residual risk?
  • How will this be embedded in our project approval and review processes?

3. Considering a range of benchmarks can support risk appetite development, although it still needs to be tailored

Every RAF must be tailored to the needs and circumstances of each organization. This is especially important for development agencies, given the distinct nature of their mission, objectives and operating model. Risk has to be set within the context of development impact, not financial return. Although agencies are different, they can learn from others. As they look for learnings and practices that might be relevant to inform and support progress, they should think broadly, including public and private sector organizations. For example, financial services firms have honed their core risk management capabilities and know how to embed them across the organization into key decision-making processes, including capital and resource allocation, and in the management of nonfinancial risks.

4. A common language surrounding risk must be established to unify and standardize risk management across the organization

Establishing an organization-wide common risk language is fundamental to successfully managing risk. Every member of an organization has a role in risk management and must be able to understand and communicate risk concepts and terminology in a consistent manner. Developing and agreeing on an organization-wide risk taxonomy is an important foundational element, because it helps enable a standardized approach to risk management, effective risk conversations, and clearer comparisons of risk types and levels across the organization. It is also important to implement consistent rating scales across the various risk, compliance and audit functions so that aggregation is possible. This all needs to be founded on a library of consistent risk-related policies and guidance.


5. Pragmatism is key in developing and refining risk appetite

Developing a formal risk appetite often represents a significant change within an organization, especially in those with fairly immature risk management. The task of setting risk appetite levels across all risk types can sound daunting. The key is to be pragmatic and take a methodical, step-by-step approach:

  • Start with qualitative risk appetite statements
  • Establish preliminary appetite levels
  • Select key risk indicators
  • Assess initial risk profile
  • Establish risk thresholds

Organizations should use year one to learn and adjust. After a year, organizations should have enough data to compare how actual risk metric levels performed against target thresholds and, armed with this information, management should review and revise established appetite levels and adjust metric tolerances, as appropriate.

6. Building an effective risk dashboard linked to thresholds and triggers enables risk oversight

Risk dashboards are important to monitor the organization’s top and emerging risks and should be linked to risk taxonomy and the agreed risk appetite statements for key risks. To make the dashboards understandable and able to drive action, they should focus on a prioritized set of risk metrics – only the most relevant risk metrics should be included in risk dashboards.

Of course, dashboards need to be tailored to the audience. The board requires higher-level information to support governance, senior management requires organization-wide information to support portfolio-level decision-making, and staff need risk information for day-to-day decision-making. Every dashboard should be well designed and easy to read.

7. Risk must be embedded in decision-making processes to bring about the desired change in behaviors

To be fully effective in enabling the desired level and type of risk-taking, the RAF must be integrated into decision-making processes, including strategy planning, budgeting and resource allocation, portfolio management, and project and program approval and oversight.

Decisions on the company’s strategy have to be informed by a view on existing and expected levels of residual risk and set in the context of risk appetite. Risk-based resource allocation, within the context of risk appetites and thresholds, should enable resources to be deployed to help maximize risk-taking to achieve the desired development objectives and to help manage key risk exposures.

8. Build risk appetite into the broader enterprise risk management program/project

In the end, the risk appetite framework and risk appetite statements are tools within the broader risk management framework. That framework and its associated policies include other fundamentals, such as the governance and leadership structure noted above – notably, how risk will be overseen and governed by the board and managed by senior management, the frequency and process for risk oversight, and the supporting committee and approval processes.

The three-lines-of-defense risk operating model has been shown to be an effective framework for risk management and for implementation of an organization-wide risk appetite and has been adopted by the likes of the UN. The model sets out clear roles and responsibilities across all risk types, clearly delineates who is in the first line, establishes strong independent risk oversight, and provides for periodic independent assessments (which are commonly carried out by internal audit and evaluation functions).


9. Communicate, communicate, communicate (and train)

Ultimately, organizations have to realize that the implementation of a RAF is not simply a technical effort; it is about supporting a cultural change in how risk is identified, measured, managed and mitigated. However, staff in the field may misinterpret the purpose or militate against the framework and its implementation, viewing it as a distraction. So, communications around the RAF – as it is developed and, more importantly, when it is rolled out – are critical.

Key elements of effective communication and training include an organization-wide, top-down communication strategy, ongoing risk education at all levels of the organization, and quality and insightful disclosures to external stakeholders.

10. Risk management is a journey

While the introduction of the RAF may represent a marked shift in the organization’s approach to risk management, it is part of a much longer journey. Strategic objectives and risk management priorities evolve over time as the development environment and risk landscape changes.

To support this journey, organizations should identify and resolve policy gaps, and identify where policies and frameworks are outdated or non-existent or have been ineffectively (or only minimally) implemented. The organization should document these gaps and develop a prioritized remediation program as part of its organization-wide risk enhancement program. Some organizations find they have not yet implemented a hierarchy of policies – one that distinguishes between policies, frameworks, standards, guidelines, working papers, and so on, and for each articulates how they should be drafted, reviewed and approved. Such a hierarchy is invaluable in supporting policy implementation.

In addition, organizations have to make sure the risk function is adequately resourced. Initial investments in staffing, technology and other resources should focus on implementing the RAF and enhancing the control environment and risk reporting. Over time, additional resources should focus on specific risk areas, such as fraud, technology and cybersecurity, procurement, financial-risk management, legal and so on, working with the first line of defense.


Get started and adjust as you go

For organizations that do not have strong and deep risk management expertise, implementing a RAF can be challenging. It brings with it a set of other required items – risk taxonomies, risk and governing documents, risk indicators, etc. – each of which feels like a major piece of work by itself.

It can be less burdensome if done pragmatically. There is a vast body of experience on how best to implement such frameworks, in the public and private sector, and those learnings should be leveraged within the context of each organization’s own unique circumstances and strategy. Building on the experiences of others speeds progress and avoids known pitfalls.

It is important to position the RAF as a fundamental part of achieving greater development impact.

A rallying cry could be how implementing the RAF is directly related to achieving the organization’s purpose, recognizing that most organizations have to consider how best to marshal, deploy and target finite resources on maximizing their long-term value creation and societal impact. Enhanced risk management allows the organization to take on and manage the higher levels of risk involved in delivering against its mission.

Summary

By strengthening risk management capabilities, development agencies can increase their impact. In particular, the use of a robust risk appetite framework can help with more effective decision making and resource allocation.
