5. Pragmatism is key in developing and refining risk appetite
Developing a formal risk appetite often represents a significant change within an organization, especially one with fairly immature risk management. The task of setting risk appetite levels across all risk types can sound daunting. The key is to be pragmatic and to take a methodical approach:
- Start with qualitative risk appetite statements
- Establish preliminary appetite levels
- Select key risk indicators
- Assess initial risk profile
- Establish risk thresholds
Organizations should use year one to learn and adjust. After a year, an organization should have enough data to compare how actual risk metric levels performed against target thresholds; armed with this information, management should review and revise the established appetite levels and adjust metric tolerances as appropriate.
6. Building an effective risk dashboard linked to thresholds and triggers enables risk oversight
Risk dashboards are important for monitoring the organization's top and emerging risks and should be linked to the risk taxonomy and the agreed risk appetite statements for key risks. To make dashboards understandable and able to drive action, they should focus on a prioritized set of risk metrics: only the most relevant risk metrics should be included in a risk dashboard.
Of course, dashboards need to be tailored to the audience. The board requires higher-level information to support governance, senior management requires organization-wide information to support portfolio-level decision-making, and staff need risk information for day-to-day decision-making. Every dashboard should be well designed and easy to read.
7. Risk must be embedded in decision-making processes to bring about the desired change in behaviors
To be fully effective in enabling the desired level and type of risk-taking, the RAF must be integrated into decision-making processes, including strategy planning, budgeting and resource allocation, portfolio management, and project and program approval and oversight.
Decisions on the company’s strategy have to be informed by a view on existing and expected levels of residual risk and set in the context of risk appetite. Risk-based resource allocation, within the context of risk appetites and thresholds, should enable resources to be deployed to help maximize risk-taking to achieve the desired development objectives and to help manage key risk exposures.
8. Build risk appetite into the broader enterprise risk management program/project
In the end, the risk appetite framework and risk appetite statements are tools within the broader risk management framework. That framework and its associated policies include other fundamentals, such as the governance and leadership structure noted above: notably, how risk will be overseen and governed by the board and managed by senior management, the frequency and process for risk oversight, and the supporting committee and approval processes.
The three-lines-of-defense risk operating model has proven an effective framework for risk management and for implementing an organization-wide risk appetite, and has been adopted by organizations such as the UN. The model sets out clear roles and responsibilities across all risk types, clearly delineates who sits in the first line, establishes strong independent risk oversight, and provides for periodic independent assessments (commonly carried out by internal audit and evaluation functions).