Factors to Consider When Implementing a Risk Appetite Framework

Organizations have to take some risks and they have to avoid others. In a fast-changing economic climate, organizations need to have a clearly defined strategy and risk appetite framework so that they can react quickly to the challenges and opportunities presented at such times.

The challenge for many organizations is expressing clearly their willingness to take risk in order to meet their strategic objectives. In any enterprise risk management approach, risk appetite is a key consideration. For the organization to achieve the desired performance, risk appetite should be addressed throughout the organization and set at strategic, tactical and project/operational level. When designing the organization’s risk appetite, the board and management must consider the following five factors:

  1. Components of a risk appetite statement: The risk appetite statement will shape the way the organization is managed. An organization’s risk appetite is a function of risk and control. It is therefore important for organizations to consider risk and control issues when developing their risk appetite statements. Viewing risk and control in isolation will lead to sub-optimal decisions being made. For example, many organizations only look at the risk side of the risk appetite statement. This results in basic and fundamental control processes not being followed and eventually poor achievement of strategic objectives.
  2. Risk appetite needs to be measurable: You cannot improve what you cannot measure. Measurement is critical for organizational performance improvement because it helps you identify, assess, monitor and report your performance. When developing and implementing the organization’s risk appetite framework, there is a need for a meaningful benchmark to support its proper implementation.
  3. Setting risk appetite is not a once-off process: An organization’s tolerance and acceptance of enterprise risks will change over time as the circumstances change. It is imperative that organizations periodically review all the risks they are exposed to, along with their impact and frequency. Treating the risk appetite definition process as a once-off procedure is like travelling one hundred miles on a potholed road. The consequences will be disastrous for the organization. In today’s volatile economic climate, organizations need to be resilient and agile. The risk appetite they have today will definitely be very different to the risk appetite they will have in a year’s time or so.
  4. Different types of risks have different appetites: Organizations must view risk appetite at different levels, for example at the strategic, tactical and project or operational level. For example, the organization will have a different risk appetite for regulatory risk in one country and another appetite in a different regulatory regime. These different levels of appetites must therefore align under and be consistent with the organization’s overall risk appetite framework. In other words, the organization needs to have a holistic view of the risks it is exposed to.
  5. Organizations have different risk capabilities: It is important to note that organizations are always at different stages of developing and implementing enterprise risk management frameworks, let alone risk appetite. For some organizations, this is a simple process and for others a much harder process. Organizations need to recognize where they lie on this enterprise risk management spectrum. An organization’s risk capability is a function of its risk capacity and maturity.

The ability to carry risk (risk capacity) depends on factors such as the organization’s reputation, people, knowledge, infrastructure and financial strength. To what extent are the individuals trained and skilled to undertake some risks? Does the organization possess any specific internal or external risk-related knowledge? Does the organization possess physical assets, IT systems or network partners to manage risks and exploit opportunities? Does the organization have enough capital to take risks and shoulder any unwanted surprises?

The risk maturity of the organization defines the extent to which it is able to take risks and exercise control. This is dependent on the organization’s business context, risk culture, risk processes and systems. With regards to the business context, management need to understand the state of development of the business, its size, industry sector, geographical location, political climate, regulatory climate, complexity of the value chain and the business model.

With regards to risk culture: how do the board, management, staff and relevant regulators understand and embrace the risk management systems and processes of the organization? Is the tone of risk management top-down? If the senior management are indifferent, this will more than likely be reflected in the attitudes further down the organization. An example of a poor risk culture is one where risk is perceived to be managed spontaneously and not discussed in making decisions, and leadership sends unreliable or unclear messages on the acceptable level of risk. Provided business results are met, few questions or none at all are asked regarding what might go wrong.

With reference to risk processes: are there processes for identifying, assessing, responding to and reporting on risks within the organization? Are they integrated with strategy and business planning? Are they integrated with regular periodic reporting? Is there a common language across the business when it comes to risk identification, risk assessment, risk monitoring and reporting? If something goes wrong, what are the escalation procedures?

With regards to risk systems: are there appropriate IT and other systems to support the enterprise risk management process? Systems should be both backward and forward looking. The organization should be able to collect, process and share risk information across the business in order to be truly effective. Is there a clear, well-defined enterprise risk management strategy and policy? Is there any enterprise data warehouse for risk data? How is risk reported within the organization and externally, and how often?

Being able to answer all the above questions will help the organization develop and implement a risk appetite framework capable of driving business performance and supporting the achievement of short-term, medium-term and long-term tactical, operational and strategic objectives.
