What do boards need to know about risk appetite?

29 August 2018

Marita Corbett, National Leader, Risk Advisory

Risk - it's traditionally seen as negative, something businesses must do their best to avoid. However, in an age where disruptive forces - particularly technology - can no longer be ignored, organisations need to have the capacity to change and experiment. And that means they have to take on some risk.

Few organisations have formalised their risk appetite approach

The level of risk a business is prepared to seek or accept is known as risk appetite (as distinct from risk management, which is the process of identifying, assessing, prioritising and minimising risks). Risk appetite can be relative to growth expectations - a business may need to seek or accept risk to some extent in order to achieve growth goals and remain commercially viable. Understanding risk appetite is therefore an important step in helping organisations adapt to disruption and grow. But the results of a recent AICD/BDO Enterprise Risk Management (Risk Appetite) survey of 356 AICD members from a range of sectors show that few organisations have fully formalised their risk appetite approach or position.

The survey indicates that while 80.6 per cent of organisations have some risk appetite statement, only 6.2 per cent of organisations have fully formalised risk appetite statements that were documented in policies and procedures, supported by thresholds that establish parameters for specific risks. The remaining 74.4 per cent have either only a documented risk appetite that is not supported by thresholds for specific risks or established thresholds without formal documentation in a risk appetite statement. Publicly listed and not-for-profit organisations have the highest level of maturity (i.e. they have a better grasp of the levels of risk they're prepared to seek or accept), while federal, state and local governments - as well as private organisations - have a lower overall maturity level.

What challenges do businesses encounter when creating risk appetite statements?

AICD and BDO have identified four core components of a risk appetite statement:

  1. Level of risk
  2. Risk limits
  3. Setting tolerance
  4. Timing/process for review.

The survey notes that identifying risk limits and setting tolerances are the most challenging components to incorporate into an organisation's risk appetite statement - particularly among public sector organisations.

What makes a risk appetite statement successful?

Organisations in which all layers were involved in formulating the risk appetite statement were more than twice as likely to achieve effectiveness as those that did not engage broadly.

Establishing risk escalation and reporting protocols was found to be an essential part of risk appetite, and something that only 43 per cent of respondents had formalised.

Likewise, those organisations that had linked performance assessments and remuneration to risk management were found to have effective risk reporting protocols (69.8 per cent), while those that had not linked performance assessment and remuneration to risk management were found not to have established risk reporting protocols.

Key challenges in risk appetite

The greatest challenges that organisations unanimously face with regard to risk appetite are:

  • Understanding and education (33.5 per cent)
  • Culture and ownership (23.5 per cent).

However, organisations with completely aligned top-down risk appetites and bottom-up risk limits identified understanding and education, in particular, as less challenging. They also found balancing risk and return easier, and had more integrated strategies.

In terms of challenges over time, understanding and education of risk appetite is identified as improving gradually, yet still remains the most difficult to implement. Years one and two are especially hard for organisations, as the integration of risk appetite with strategies and practices becomes a reality.

Culture and understanding

The AICD/BDO survey shows that culture and understanding are the two key challenges of coming to grips with risk appetite. However, organisations get a much better handle on their risk when a top-down approach is taken in which all the layers of an organisation are included.

For boards, this means it is essential to take the time to understand their organisation's culture in creating successful risk appetite approaches. Improving reporting to the board to give it a better grasp of the disruptive forces and the risks the business is willing to take to meet that disruption will also be important.

Ultimately, risk appetite is an essential part of dealing with disruption, and directors need to ensure their organisations are able to understand the risks they're willing to take relative to return on investment as soon as possible. Only then will their businesses be able to survive and thrive in the long term.