Risk appetite: Getting the board on board webinar Q&A.

For any organization, the development and articulation of your risk appetite is crucial to define and guide the degree of freedom that your employees have in taking and accepting risks.

The development of risk appetite is ultimately owned by the board, who should give sign-off and approval. This requires the board to be "on board" with the whole process, providing input and challenge in all stages from its development to final approval. However, getting the board on-board can often be a challenge, requiring a degree of education to align thinking, as well as strong facilitation to bring board members to agreement.

In our recent thought leadership webinar, David Tattam, Protecht’s Chief Research and Content Officer, and Michael Howell, Protecht’s Research and Content Lead, take a practical approach to how you can best get your board on board.

If you missed the webinar live, then you can view it on-demand here:

Questions

We were pleased to present this webinar to OCEG members in March 2024. OCEG is an industry leader in GRC training and certification.

Here are questions asked during our OCEG-hosted webinar: 

The following are questions from the webinar Protecht hosted in Nov. 2023:

Should the risk appetite or tolerance be set for both impact and likelihood of the risk? Or can we just set a risk tolerance for the impact only?

Great question! This is becoming a more important distinction, particularly with respect to operational resilience.

Typically, risk appetite is set based on a single qualitative level of risk (e.g., Moderate), but the risk itself might then be evaluated based on a combination of likelihood and impact – the typical risk matrix. More specific tolerances can then be set for a measurable outcome or observable part of the risk. This might include quantitative approaches that might be expressed as, “No more than 10% chance of exceeding losses greater than $10M.”

Assessing appetite based on impact only basically says, “We won’t take the risk where our exposure exceeds this limit, regardless of the potential reward or how small the likelihood is.” These might be prohibition statements (“We don’t do that activity”) or specific limits (“We will participate in this market, but will never exceed $10M worth of investment”).

What is the appropriate timing for preparing the RAS?  Is it best to complete risk identification first?

When setting risk appetite, you need to know which categories of risk you expect to be exposed to. This may require some initial identification of risks, but usually this is at the broad level of risks in order to establish risk appetite. 

ALARP = As low as reasonably practical... what is SFAIRP?

This is a similar acronym used by some which stands for “So far as is reasonably practical.” It is primarily considered in a regulatory context in safety legislation in some regions.

How many risk appetites should we have? Is it in terms of the number or category of the objectives?

Most organizations will have a single risk appetite statement document, but made up of multiple statements. While some organizations only include risk categories, we recommend including acceptable variation around objectives. This would typically mean statements equal to the number of objectives you have at the top level, and the main risk categories you have defined.

For some larger organizations, they may also have a mini-RAS for each entity in a larger group, or each division.  This allows them to tailor the risk appetite statement, and, particularly, related metrics and thresholds, based on how their activities support the broader organizational objectives.

The board wants GenAI, does that change the risk appetite?

This depends on the approach, but highlights how strategy and risk should be considered together. If you can use Generative Artificial Intelligence, GenAI, within the existing risk appetite, then go for it. If you can’t, then it might require a change in the risk appetite. This demonstrates how a chosen strategy and risk appetite are intrinsically entwined. If you don’t change your risk appetite, and therefore cannot pursue the rewards your board expects from Generative AI, will you be relevant in a few years?

Should the risk appetite not be derived from, or better, be an integrated part of the organization's strategy?

Absolutely, we agree that risk appetite setting and strategy setting should be considered together. How do you know what strategies you can pursue if you don’t know how much risk you can take? How do you know whether certain risks might be worth taking without having awareness of the potential rewards?

With respect to board interaction and exchange, would you address challenges regarding cultural diversity, to include nuances that affect perception?

Risk perception, and particularly the different perceptions that can occur, should be considered and addressed where possible. So the short answer is yes, but care needs to be taken with the approach.

How do you differentiate risk appetite setting for compliance-type risks from other risks, where taking risk is a conscious business decision? For compliance risk types that are governed by a law, risk appetite is perceived to (have) to be zero. You cannot take more money laundering risk to make a business out of it.

We see compliance management and compliance risk management as two separate ideas. Compliance management is the set of processes that ensure you remain compliant. Compliance risks are risks that could result in noncompliance, as well as failure to meet other objectives. Misconduct may not always result in a regulatory breach, but it probably affects your customer satisfaction objectives regardless.

I would argue that you CAN take more money laundering risk, by increasing your exposure by volume or types of transactions. That doesn’t mean you won’t be actively doing your best to comply (I hope!) with money laundering laws, as well as reducing the likelihood that money laundering will occur.

Typically when people use the concept of zero tolerance for compliance risks, it doesn’t mean they can’t happen. It means action will always be taken when they do. There isn’t some acceptable minimum threshold (e.g., we will turn a blind eye to money laundering less than $1 million) that you accept as part of doing business.

What do you do if 5 of your metrics are red and 15 are green? Are you inside or outside of RA?

Typically we would say you are out of appetite for the metrics in red (or outside of tolerance). These have been defined as the limits of your appetite for one or more types of risk. Perhaps you have capacity to rein in those outside of tolerance, while potentially using up some of the available ‘risk budget’ for those currently well within tolerance.

What is being hinted at here is the concept of composite metrics, where multiple metrics are consolidated into a single metric and scaled; usually these are granular metrics rolled up to a single risk type. This acknowledges that it might be ok for one or more individual metrics to be pushing the boundaries, as long as others are within. We explore composite metrics further in our Risk Metrics and Key Risk Indicators course.

If I have a risk committee, do I present the risk appetite to the board for briefing or for their action?

While the risk committee may review the risk appetite, the full board is accountable for risk oversight. The full board may receive information from the risk committee, but they should be fully informed and approve the risk appetite. We usually see the setting and revision of risk appetite completed jointly by the executive and the board, but it is the board that needs to approve it.

I didn’t see anything about reputational risk indicators in the webinar.

A common objective of most organizations is to maintain their brand and reputation. While it may not have been included in any of our specific examples, as an objective this is typically measured as variation around performance. This might be measured as ‘Trust Ranking in the Market’ with a target of being in the top 5 (for example) in the specified market. Perhaps you can tolerate being in the top 10, but not outside. This is an example of setting a target KPI, with some acceptable variation around that target.

Very practical and realistic approach. Many thanks. However, you are equating inherent = gross risk whereas it is an immutable characteristic of the element being assessed, e.g. an atomic power station remains an atomic power station no matter what mitigation you take. Might I also suggest implementing a Waiver procedure to temporarily record & approve deviations on a time-limited basis.

We don’t commonly hear the term gross risk, but see it as the same as inherent risk. There may be some nuance to these terms in specific frameworks. In terms of this example, I would suggest that:

  • The power station has inherent risks related to simply operating it, in particular some significant impacts.
  • Some of those risks can be mitigated through treatments (which would include lots of controls). An assessment of risk after these are implemented is the residual risk.
  • Despite best efforts, those controls may sometimes fail, and the more extreme incidents might be experienced. These may be tested through scenarios and operational resilience activities.

One of the treatment options we include in risk frameworks we develop with customers is formal risk acceptance, which I assume is the same or similar to your waiver concept. It acknowledges that the risk which is outside of appetite cannot be practically brought back to acceptable levels quickly.

For example, accepting that metrics related to cyber risk are likely to remain outside of tolerance for 6 months until a digital transformation project can be completed. Such acceptances typically require escalation and approval, must be time-bound as you suggest, and are subject to regular reporting and review until they are resolved.

As we get to this operationalization of the risk appetite, how do we align the ratings (L, M, H) at the business unit level to a rating (L, M, H) at the board level? In other words, a High for business unit 1 is not the same as a High at the board level.

To avoid confusion, I’ll clarify that this answer is about setting levels of risk appetite, not measuring the level of risk.

For risk appetite, typically we would expect to see a single risk appetite statement for each of the main risk types you are exposed to at the organizational level. While it might be supported by specific statements at lower levels of the organization, the more typical approach is cascaded metrics. These are more granular metrics that support the board or executive-level metrics and thresholds. If they are ratios they might be cascaded equally to all business units, but they might vary for different business units.

We cover cascading metrics in more depth in our Risk Metrics and Key Risk Indicators course. 

Would you start by identifying and evaluating key risks (to stress common understanding on "risk") and then define risk appetite? Or vice versa?

You need to know which key risks you want to set appetite for, which means identifying those risks first. If by evaluating you mean measuring the current level of risk, that is not required to set risk appetite. We use the ISO 31000 definition of risk evaluation, which means comparing the level of risk against risk appetite (risk criteria in that standard).

How do you address the interconnectedness of risks? Looks like you are advocating setting risk appetite at the individual risk level.

We did primarily cover individual risk boundaries in our examples. However, when implementing key risk indicators, you can associate a metric to multiple risk categories. These metrics could be linked to common cause pathways that could result in multiple risks. For example, a lack of staff engagement could be associated with an increased risk of various types of fraud or misconduct.

How do you talk to someone in a leadership role who thinks risk management is just something to do with handling documented risk findings?

It sounds like you need to take them out of a compliance, “tick the box” mindset when it comes to risk management. Try and flip the focus to outcome management. What are their objectives, and how much certainty do they need that they will attain them? Uncertainty related to achievement of their objectives exists regardless of whether that uncertainty is documented. They are managing risk every day, even if they don’t recognize it!

How often do you review risk appetite?

The preferred answer is ‘dynamically’. Typically, it is reviewed on an annual basis (and some regulators require this to happen), ideally at the same stage that strategy and business plans are being developed as they go hand in hand. It may however also need to be reviewed and adjusted on an ad hoc basis in response to trigger events such as:

  • Rapid environmental changes, e.g. if the market you operate in is swiftly changing, such as the emergence of a disruptive competitor, you might need to redefine the amount of risk you are willing to take to remain competitive.
  • Changes in perceived risk levels or risk behavior, e.g. a pandemic.
  • Out-of-cycle material changes to strategy.

What is the difference between "change/delivered risk management" and "project risk management"?

Great question. We see the latter as risks to project success itself, for example risks that would result in delays to the schedule or additional cost to the project. Delivered risks are those that are delivered into the organization or operating model once the project is complete. You can read more in our blog titled When risk and reward don’t talk.

What is the best way to approach the board for creating and owning risk appetites if we have never done this before?

If you have not done this before, the board needs to go through fundamental risk appetite training focused on the value it brings and how it should be used across the organization to add value. Where possible, get the board to conduct more general risk management fundamentals training such as Protecht Academy’s Risk management for boards course.

Lean into the concept of freedom within boundaries, and bring it to life with stories. Personal stories can be relatable, but you might also use a hypothetical scenario relevant to your organization’s context. In that scenario, what limit would the board put on the risks management is allowed to take while pursuing objectives? This can be the hook to get buy-in.

You can also lean on regulatory drivers if you need to – but that can make it feel like a tick the box exercise.

I'm a Business Continuity Manager reporting into a Director of Information Security then to a CISO into a CIO. I don't have board representation or a dotted line to management – is there a way to achieve this?

While I don’t know the scope of your role, I would suggest that business continuity should not belong to IT – it belongs to the business. We are seeing a shift from business continuity to operational resilience, which requires an end-to-end insight into operations. You may need to navigate internally, and find someone sympathetic to your view. The key will be demonstrating the business need and value of your proposal. How will the organization benefit from this change? Good luck!

What happens if the Board has determined their risk appetite, and the organization’s Emergency Management unit develops an emergency or crisis trigger that is at a substantially lower threshold than the risk appetite?

This sounds like a perfect candidate situation for our ‘Can I, Should I’ test. ‘Can I’ represents a test against risk appetite – in this case it is within risk appetite. The subsequent ‘Should I’ test checks reward. Is the lower threshold (and investment in resources) actually preventing the organization from achieving other objectives? If you are in that position, you can suggest too little risk is being taken.

Do regulators inherit or share the risk of industry, from a safety perspective, if a justified and reasonable approach still results in an unwanted outcome?

The regulator’s view or approach (and associated regulations that may apply) is a reflection of the risk appetite of society, which sets the boundary of risk appetite of regulated entities. The way that regulators approach enforcement can have an impact – if they are too light, entities may become complacent. We have seen instances where regulators are held to account for allowing systemic issues to occur under their watch. If regulated entities have acted within their own risk appetite and met regulatory requirements, ideally this would be reflected in any investigation. Not all risk can be eliminated.

Do you advise using a quantitative description for each risk category from a risk capacity, risk threshold and risk tolerance/limit perspective?

We do recommend a measurable metric for trigger and tolerances, so that you have objective measures to support additional action and attention. We do not regularly see capacity quantified outside of financial risks.

How can I help encourage a not-for-profit board to be less risk averse, considering the sector’s history of risk adversity and capital constraints?

Promoting additional risk taking needs to come with commensurate reward. Leveraging that will be key to taking them on a journey. An approach might be to develop some hypothetical scenarios on what strategies could be pursued or objectives achieved with a different risk appetite.

Looking at KRI tolerances of green, amber, and red, would you not also consider a fourth being significantly below green/amber tolerance, indicating that the organization is not taking enough risk?

While we didn’t cover it in this session, we do cover this in our Academy course on risk appetite. We make it the ‘blue zone’, though the color is arbitrary. An example might be staff turnover; close to 0% turnover might sound awesome, but you aren’t getting new talent, and maybe it indicates you are spending too much on retention initiatives that aren’t commensurate with the benefit.

Do you have advice in how to manage directors who believe that inherent risk isn't real?

The debate on whether inherent risk is a useful concept or not isn’t new. We recommend it to enable assessment of the effect of controls. If only residual risk (or current risk) is recognized, you need to ensure there is an effective approach to controls assurance. For a risk appetite statement, this should simply state the level of risk the organization is willing to take, as set by the board. Inherent and residual risk are then assessed by the organization.

When organizations/directors have vague or poorly articulated objectives, does this hang up the risk appetite session?

Yes it does! Given risk is “the effect of uncertainty on objectives” it is fundamental to get clearly articulated and measurable objectives to provide that reference point. However, the setting of risk appetite often forces organizations to become much clearer on their objectives. We’ve run sessions with boards where the first session ends up just being about agreeing on objectives – and they are very thankful for the clarity.

What is your view on whether risk appetite should be made publicly available?

We definitely want the risk appetite to be made “public” internally amongst our employees; otherwise it will not provide the clarity on boundaries required to influence decisions and behavior.
The question of making the document externally “public” is tricky. On one hand we want to be transparent and open and be communicating our appetite for risk, on the other we need to be careful of the following two key issues:

  • The board level risk appetite will contain commercially sensitive information as it speaks directly to our strategy and future intentions. This has to be protected like any other sensitive data.
  • The reading of risk appetite by external parties, including media may be accidentally or deliberately misinterpreted by them. For example, if we say we have a “low” appetite for health and safety risks that reflects our desire to reduce these risks to as low as reasonably practical, or to so far as is reasonably practical, it may be interpreted to read that we have an appetite for staff being injured! Readers of the statement therefore need sufficient knowledge to understand it.

We would suggest that extracts of the appetite be made publicly available which ensures that the above issues have been addressed prior to publishing. This might include qualitative expressions of risk appetite, but would not include the specific metrics or thresholds.

Would it be possible to expand on the KPI and KRI on the 'Methodology for Risk Appetite'? The quantitative part was not too clear. What's the best way to accurately set the thresholds?

Sure, let’s take a look at the slide you’ve referenced:

[Image: board-on-board-blog-example slide]

In this example, the objectives on the left include KPIs. These are the targets that would be set against your objectives. The thresholds represent the variance around this target that you will accept, and what is unacceptable and requires further action. The best way to set these thresholds is through discussion and deliberation – what would the board expect to prompt additional resources or action outside of existing business plans? In this example, NPS below 50 indicates a poor outcome.

KRIs are leading indicators of future performance. In this example, poor results on cyber-related penetration tests don’t undermine performance by themselves, but indicate a threshold at which the risk of a cyber event is more than the board are willing to accept and requires specific action and resources to address.

When the appetite for each key risk is different, does the board need to have a risk appetite statement for each of the key risks?

The principle that each key risk may well have a different risk appetite is correct. As to how to achieve this, we suggest that you use a single risk appetite statement that includes articulated appetites for all of the key risks the organization faces. Each of those key risks may have different levels of appetite, articulated either qualitatively or quantitatively.

Do government agencies have much choice in setting the level of risk appetite, given that they are responsible for taxpayers’ funds and are not in the research or competitive markets?

This may depend on broader government policies, depending on how the agency is governed and its mandate. While they may tend to be more risk averse than private enterprise, it is always contextual.
Given the tendency to be more risk averse, we have found, when dealing with some of our government agency clients, that the internal risk appetite statement is too conservative and indeed the boundary can be set wider and still be within regulatory guidelines and guidance while allowing greater freedom.

Is it acceptable to go outside risk appetite boundaries with approval in the short term with additional controls and superior profit/benefit?

Yes, we call this formal risk acceptance, which usually requires justification and sign-off, with a timeline of when it needs to be reviewed and brought back into appetite. An example might be accepting some level of cyber exposure outside of thresholds due to a legacy system that is currently scheduled for replacement in six months, when accelerating replacement is not commercially practical.

An incident within a certain area might be severe, but how do you judge if it brings the whole area outside the risk appetite?

This raises the question of how the risk appetite is applied or cascaded into different areas of the organization. The board level risk appetite statement might include certain thresholds for what is considered a material incident (a lagging indicator) at the board or whole of organization level. If the risk appetite is clear, supported by relevant metrics, you should be able to assess the incident. Those metrics might also include composite metrics, such as the aggregate number of incidents, or aggregate size of incidents, that occur in lower levels of the organization. So the incident might not trigger thresholds by itself, but might in the aggregate.

In some sectors, particularly financial services, regulators are acknowledging that incidents inevitably occur, and require the setting of impact tolerances or tolerance levels for disruption to critical operations, with the expectation that they must be recovered within those tolerances. In some jurisdictions these are expected to be linked to the risk appetite.

What practical techniques can we use to embed the risk appetite statement to lower levels of the organization?

We find risk metrics with defined thresholds are the easiest way to bring it to life. These can be the board level metrics applied across the organization or cascaded down as applicable. We cover practical applications in our Risk Metrics and KRI Protecht Academy course. Other practical ways include policies and procedures, limits, delegations of authority, codes of conduct, minimum control standards, values and commitments, and so on.

Can you explain the differences between KPIs and KRIs?

Sure, let’s consider some scenarios, on the basis that KPIs are lagging (the ultimate effect on objectives) and KRIs are ideally leading. Let’s cover four basic scenarios, using green to mean within acceptable performance/risk tolerance, and red being poor performance/outside of risk tolerance.

  • KPIs Green and KRIs Green – This looks like a good outcome, but we sometimes call this the ‘Kermit report’. If everything is green, we should verify that everything is being reported accurately. If everything is accurate, perhaps our KPIs are not ambitious enough and we should take even more risk to get more reward.
  • KPIs Green and KRIs Red – This is an indicator that performance is only being achieved by taking excessive amounts of risk. Performance might look good, but the related risks might result in poor KPIs in future. This should prompt action to minimize the risks, even if there is some impact on performance. It might also be an indicator of culture issues, where people are incentivized to perform while ignoring risk. This can lead to a ‘boom/bust’ cycle.
  • KPIs Red and KRIs Green – This may be an indicator of being too risk averse. If all of the KRIs are green, there is available risk appetite (freedom to take risks) to shift some of those KPIs. Additional risk needs to be commensurate with the reward, but you should consider moving some of those KRIs closer to their threshold while improving performance.
  • KPIs Red and KRIs Red – Hopefully you don’t end up here, but this may be the result of poorly chosen strategy, a swiftly changing external environment that undermines the strategy, or inappropriate setting of risk appetite. It might be an indicator that performance objectives were unrealistic, requiring risk taking outside of appetite in order to get anywhere close. This version likely warrants significant action by board and management.

We have an overall risk appetite statement but I don't feel that we have operationalized this. Would it be better to build from what we have or start from the beginning?

It sounds like you have the right starting point to build from. If your existing risk appetite statement has qualitative statements, the next step to operationalize may be to consider the metrics or indicators to support it. You may need to consider a communication and awareness campaign to assess stakeholders’ existing knowledge and understanding of risk appetite and how it applies to them, and provide training if required.

Can you explain the difference between risk appetite metrics and risk indicators?

We use the term ‘risk metrics’ to cover Key Risk Indicators, Key Performance Indicators, and Key Control Indicators, which covers indicators across the lifecycle of risk. Some of our customers don’t differentiate and simply call all of those Key Risk Indicators.

Risk appetite metrics are simply those that are applied at the risk appetite level. Risk metrics may also be applied in other areas of the organization, such as departments or divisions identifying metrics in risk and control self-assessments (RCSAs) relevant to their area that do not form part of regular board reporting.

How do you define risk appetite for regulation that works on a principle-based approach so where regulation is open to interpretation?

We see regulation as a reflection and articulation of society’s risk appetite. Where those regulations are principles based, it follows that society’s risk appetite is being articulated on a principles basis. This is fine, but your organization then needs to interpret the principles and reflect them in your internal risk appetite statement. You need to set an internal risk appetite where it is believed you have followed the principles of the regulation.

Who should take responsibility for the board education session?

We are biased in answering here, as at Protecht we conduct a lot of these board sessions. For us, the benefits we bring are:

  • Years of experience in delivering these and dealing with all different types of boards and board members.
  • We are external and that can be seen as a positive as we are independent when discussing any sensitive matters and dealing with board personalities etc.

If you wish to conduct this internally, it should be conducted by the Chief Risk Officer. The CRO has the right level of seniority and should possess the right skills to make this work, while also being sufficiently independent.

How can one have sight of management's appetite before venturing into an investment? Is it possible to factor the risk appetite on our risk registers?

Ideally the risk appetite should already be set, which helps define the types of investments and associated levels of risk the organization can pursue. Remember that management’s risk appetite should be a reflection of the board-defined risk appetite (or the relevant governing body).

Conclusions and next steps

If you missed this webinar live, Protecht’s Chief Research & Content Officer David Tattam and Research & Content Lead Michael Howell took a practical approach to how you can best get your board on board with setting and operationalizing your organization’s risk appetite. You can view it on demand here:

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.