Risk it for a Biscuit?

What’s your appetite for risk? Paula explains risk terminology and explores how a good appetite can enhance productivity and decision making.

By Paula Spencer

Jul 8, 2021

Article updated Apr 15, 2024.

We all approach risk taking differently. Every day, we make decisions such as what job to apply for, what to invest in, whether to wear a mask, or where to go on holidays, all based on risk and reward. I like to sit by the pool with my sunscreen and hat on while you may like adventure and thrill seeking. 

In business, risk management professionals define this as a risk appetite. 

This article considers why having a risk appetite is beneficial and provides some suggestions on how to develop and effectively use one. 

Risk appetite is something that is unique to each organisation. 

Imagine you have a brilliant idea and go to the leadership team with a proposal. You include a risk assessment that details possible controls that could be put in place to mitigate those risks. You explain that once these controls are implemented, there is only a medium level of risk to the organisation. You highlight the advantages. 

Does your audience have a different risk appetite than you? They might say no – it is far too risky, not something we have ever done before, we do not have the resources, and so on. They may determine that the risk is still too high or that it is an unacceptable risk for this area if it impacted, say, participants’ safety.

What if you were a decision maker in that meeting? How would you determine whether the proposal should go ahead? Is a medium level of risk acceptable or not? Would it be acceptable if the potential impacts were realised? Would having a clearly defined risk appetite have helped? 

A tailored and defined risk appetite can assist an organisation in managing and understanding its risk exposure. It can be used to guide organisational behaviour and strategic decision making. This aids in risk-based decision making – including providing a green light to innovation and enabling people to take calculated risks. It will empower staff, who will better understand the organisation’s position on risk, including knowing when it is fine to proceed and when to bring things to management’s attention.

A risk appetite can also help an organisation prioritise the implementation of controls to reduce risk, such as the allocation of precious time and resources. 

Developing a risk appetite

Although a risk appetite may be similar across organisations in a sector, it should be tailored to the unique attributes and strategies of each organisation. This will ensure it is relevant and useful. 

A risk appetite should communicate:

  • The level and type of risk the organisation is willing to accept or absorb.

  • Any risks that the organisation wants to avoid, including risks for which there is no appetite – no exceptions.

  • The level and type of risks middle management and staff can take on.

To develop a risk appetite, the leadership team and board (where applicable) would consider the primary risk areas the organisation faces, including future risks, and the effectiveness of current risk controls. 

Once the risk appetite is agreed on, it may be communicated through a statement, often within a Risk Management Policy or Framework. Generally, such a statement is high level and concise but descriptive enough to convey the intent. 

To remain relevant, the risk appetite should be periodically reviewed.

Making a risk appetite effective

An effective risk appetite is set at the top but flows through to all levels. This is achieved by setting and implementing tolerances and boundaries that offer practical guidance for managers and staff and are often established for specific risks.

Tolerances 

Tolerances define what is bearable. For example, a telecommunications company may determine tolerances for an outage depending on the types of customers it affects – there is less tolerance for an outage that affects emergency services than one that impacts only residential customers.

A service provider in the disability sector would likely list the safety or wellbeing of a participant as a significant risk, but they cannot wrap participants in cotton wool. As such, an organisation may tolerate incidents as long as they were not due to neglect, abuse, or failure of support staff to follow safety measures. 

Exceeding a risk tolerance may act as a trigger for a response, such as an investigation, corrective action at the leadership level, or notification to the board.

An organisation may choose to define tolerances for each risk area following the Risk Appetite Statement.

Boundaries 

Boundaries may be implemented to reduce the likelihood of risks becoming reality. For example, there may be set amounts of money that staff at each organisational level can spend without approval or a list of who can sign off on contracts. Such clear boundaries reduce red tape in areas of low risk but tighten control as the risk increases.

Boundaries are communicated through policies, procedures, a risk matrix, position descriptions, delegations of authority, training, and so on. As such, these all need to be calibrated to the organisation’s risk appetite and tolerances. 

An organisation may then develop measures against their risk appetite and tolerances. How the organisation is tracking against these measures will highlight areas for improvement. This can also provide confidence to the board and leadership team that the organisation is operating within the risk appetite.

Risk terminology may seem daunting and complicated at first glance, but when you strip it back, it isn’t as complex as it sounds. Done effectively, a clearly defined risk appetite can enhance productivity and decision making, reduce red tape, and aid in the development of a mature risk-aware culture. Ask yourself whether your organisation has a clearly defined and effectively communicated appetite for risk.

Authors

Paula Spencer

Paula has extensive experience developing risk and WHS tools and management systems. Her expertise includes researching and writing policies, frameworks, procedures, and training material that is tailored to an organisation's size, scope and culture. Paula knows her way around a risk matrix and is passionate about helping organisations understand their risk appetite and embedding robust risk frameworks in the heart of the organisation. Prior to joining DSC, Paula worked in the disability sector for 8 years as a Risk and Compliance Manager. Paula is fast becoming a highly valued member of the quality team. Paula loves to garden, cook and spring clean. Just as well, she's going to need to clear some wall space – she is currently completing a Graduate Diploma in Governance and Risk Management and clocking up a country show ribbon count for eggs from her rare chickens.
