Demystifying Risk Appetite Statements
By Rebecca Gurney, Principal Advisor, Risk, Continuity & Security, Stanwell Corporation
In today’s fast-paced, continually changing risk environment, a challenge for organizations is to understand and measure individual perceptions of risk, to develop and mature risk culture, and, as a result, to improve the overall performance of the organization in achieving its desired objectives. What influences the perception of risk, and how can you establish cultural expectations in relation to risk-taking behaviours? Furthermore, what can you do as an executive and leader to better understand, measure and improve the risk culture within your organization?
An individual’s perception of risk is informed through their personal knowledge and beliefs (what they have experienced before), and is often inherently connected to their understanding of a problem (what they know about the problem), and their individual attitudes towards evaluating a problem (how much they value the problem).
Most organizations have methods in place for evaluating the consequence (or impact) and probability (or likelihood) of identified risks occurring, generally utilising a risk matrix. The risk management process within the international risk management standard ISO 31000 provides guidance on how risk should be identified and evaluated. Risk appetite is also referred to within the standard, specifically within the risk management principles, where ‘human and cultural factors should be taken into account’; however, the application of these principles is generally not as widely understood.
Cultural expectations can be established in relation to what is and isn’t acceptable risk-taking behaviour through the development of a Risk Appetite Statement (RAS).
Risk appetite statements focus on the way in which the Board and/or Executive expect their organization’s people to behave when making risk-based decisions. They are generally articulated through a number of guiding principles which outline the expectations in relation to the risk exposure that is acceptable across key areas of concern. For example, depending on your industry, risk appetite statements could be established for financial, health and safety, cyber security, trading, environment, fraud, strategy, and/or reputational risk.
Risk appetite statements differ from risk matrices in that they set expectations for behaviour, whereas risk matrices evaluate and measure the consequence and likelihood of threats (both positive and negative) to an organization with little or no regard to human factors. To ensure the risk appetite statement adds value, it should be simple and align with the core values of your organization. For example, an organization may have no appetite for risk-taking behaviour which could result in harm to people. Whilst the risk appetite statement clearly articulates ‘no appetite’ for such risk-taking behaviour, this doesn’t necessarily mean that there is low or no health and safety related risk exposure within the organization. The risk matrix is what is used to evaluate the impact of specific events on the organization, whereas the risk appetite statement aims to align individual perceptions and tendencies for risk-taking behaviour, providing an enterprise-wide set of behavioural expectations in relation to accepted risk-taking behaviour.
The following strategies can be used to improve the risk culture within your organization:
1. Establish cultural expectations: As part of your organization’s risk governance framework, consider developing a risk appetite statement (RAS) as an appendix to support the risk management policy. While your risk policy provides the structural framework for risk management within your organization, the RAS outlines the cultural expectations of risk-taking behaviour which is and is not acceptable.
2. Use risk framework and procedure documents as an education/training tool: For the elements of your organization’s risk management process which you are actively working to improve, include training boxes in your risk process and framework documentation. Communicate not just ‘what’ the process is or ‘how’ the process is to be applied, but also explain ‘why’ it is important.
3. Evaluate and measure your current risk culture: A simple survey with questions about people’s understanding of the organization’s current risk processes will give you the information needed to establish a baseline measure of the risk culture within your organization.
Establishing a simple, effective and measurable set of behavioural expectations which add value to enterprise-wide risk frameworks is challenging. The very process of measuring risk culture is subjective; there is no right or wrong approach, and cultural bias should be considered. Ultimately, the success of risk culture programs and an organization’s risk-governance framework will be measured through a visible improvement in the overall performance of the organization.
Operating from Brisbane, Queensland, Stanwell Corporation is the largest power generator in the state. Founded in 1997, the company has a generating capacity of more than 4100 megawatts and presently supplies more than 45 percent of the state’s power needs.