The case for setting both an Inherent and Residual Risk Appetite
In the last two blogs, Inherent Risk - It is useful? and Expected and Targeted risks, I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite.
The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.
At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites. Listening to the conversations it becomes clear that the discussion was at cross purposes.
The director that wanted a higher appetite was an “ideas” person and wanted to encourage the business to explore opportunities and strategies that were “a bit out there” while the other director was concerned as to how this high appetite might affect the business, especially in relation to financial and reputational impacts.
As they were discussing, I realised that the “ideas” director was talking about inherent risk while the other director was talking about residual risk. This is like arguing about apples and oranges - they are not the same. I then suggested that we set a risk appetite for both inherent and residual risk defined as:
Once we did this, the divergence between the views of the two directors narrowed and some common ground was found.
By way of illustration, I have used the simple qualitative risk appetite measures of Low, Medium and High. The setting of an inherent risk appetite demonstrates the willingness of the board to allow the organisation to investigate higher risk opportunities.
Setting a higher inherent risk appetite empowers the business to research new and innovative ideas. This is not implying we are giving authority to go ahead with these riskier ideas, just researching them.
This satisfied the “ideas” director who was keen in encouraging management to consider alternative and innovative strategies.
The setting of residual risk appetite, on the other hand, demonstrates the board's view as to the level of controls that would be required over the new initiatives and innovation prior to “going live”. This satisfied the more conservative director as they were concerned about the ultimate impact on the organisation from these initiatives. If a low residual risk appetite is set, this implies that before going ahead with the initiative we must invest in adequate controls to bring the residual risk to low.
This is illustrated below:
Example Risk Appetite
| Key Risk |
|
|
Explanation |
| Strategic Risk |
High |
Low |
The directors recognise that the organisation operates in a fast developing industry where innovation and disruption are common. The directors are willing to set a high strategic inherent risk appetite to encourage research into more innovative areas but have a low residual risk appetite. This means that if high inherent risk strategies are pursued, adequate investment must be made into effective controls in order to reduce the residual risk to low. |
The various combinations and what this means are as follows:
|
|
|
Meaning |
| High | High | Willingness to research high risk strategies and little effort required to control the resulting risk. This would keep down the cost of controls but bring high residual risk to the organisation. |
| High |
Medium |
Willingness to research high risk strategies and medium effort required to control the resulting risk to medium. This would mean that some control is required to achieve a medium residual level. |
| High | Low | As above, willingness to research high risk strategies but effective controls are required to be put in place to bring residual risk to low. |
| Medium | Medium | Willingness to research medium risk strategies and little effort required to control the resulting risk. This would keep down the cost of controls but bring medium residual risk to the organisation. |
| Medium | Low | Willingness to research medium risk strategies and adequate effort required to control the resulting risk to low. |
| Low | Low | Willingness to research only low risk strategies and little effort required to control the resulting risk as it is already low. |
In terms of applying this to strategy, both appetites need to be addressed. The Inherent risk appetite defines what strategies can / cannot be even brought to the table. The residual risk appetite specifies that only where it is possible to control the risk to the residual risk appetite level, may the strategy be pursued. For example, if inherent risk appetite is high while residual is low, if it is not possible to implement controls to bring to a residual of low, even though the strategy is within the inherent appetite, it could not be pursued. i.e. Both the Inherent and Residual risk appetites need to be met.
As with all ideas in risk management, the usefulness and appropriateness of setting inherent and residual risk appetite will differ by organisation depending on the makeup of the board, the maturity of risk management and risk appetite and the level of complexity in the organisation’s existing risk management framework.
The main negative of setting both levels is increased complexity and this needs to be weighed up against the benefits and this judgement must be left to each organisation to make. We have found it to be very useful for some clients especially where disparate board views exist but can think of other examples where it would not add so much value.
To share your thoughts, views or constructive feedback, you can send an email to info@protechtgroup.com.
How hungry are you for Risk? You can read this complimentary eBook:
A Practical Guide to Risk Appetite.
