Demystifying Risk Appetite Statements

Risk appetite statements focus on the way in which the Board and/or Executive expect their organizations people to behave when making risk based decisions and are generally articulated through a number of guiding principles which outline the expectations in relation to risk exposure which is acceptable across key areas of concern. For example, depending on your industry, risk appetite statements could be established for financial, health and safety, cyber security, trading, environment, fraud, strategy, and/or reputational risk.

Risk appetite statements differ from risk matrices as they set expectations for behaviour, whereas risk matrices evaluate and measure the consequence and likelihood of threats (both positive and negative) to an organization with little or no regard to the human factors. To ensure the risk appetite statement adds value, it should be simple and align to the core values of your organization. For example, an organization may have no appetite for risk taking behaviour which could result in harm to people. Whilst the risk appetite statement clearly articulates ‘no appetite’ for risk taking behaviour, this doesn’t necessarily mean that there is low or no health and safety related risk exposure within the organization. The risk matrix is what is used to evaluate the impact of specific events to the organization, whereas the risk appetite statement aims to align individual perceptions and tendencies for risk taking behaviour to provide an enterprise-wide set of behavioural expectations in relation to accepted risk taking behaviour.

The following strategies can be used to improve the risk culture within your organisation:

1. Establish cultural expectations: As part of your organization’s risk governance framework, consider developing a risk appetite statement (RAS) as an appendix to support the risk management policy. While your risk policy provides the structural framework for risk management within your organization, the RAS outlines the cultural expectations of risk-taking behaviour which is and is not acceptable.

2. Use risk framework and procedure documents as an education/training tool: For the elements of your organization’s risk management process, which you are actively working to improve, include training boxes to your risk process and framework documentation. Communicate not just ‘what’ the process is or ‘how’ the process is to be applied, but also explain the ‘why’ it’s important.

3. Evaluate and measure your current risk culture: By using a simple survey with questions about the understanding of the current risk processes of the organization, you will be able to use this information to establish a baseline measure of the risk culture within your organization.

Establishing a simple, effective and measurable set of behavioural expectations which add value to enterprise-wide risk frameworks is challenging. The very process of measuring risk culture is a subjective process–there is no right or wrong approach, and cultural bias should be considered. Ultimately, the success of risk culture programs and an organization’s risk-governance framework will be measured through a visible improvement in the overall performance of the organization.

Operating from Brisbane, Queensland, Stanwell Corporation has been the largest power generator of the state. Founded in the year 1997, the company with the capacity of more than 4100 megawatts, presently supplies for more than 45 percent of state’s power needs.