Building organisational resilience
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.
Done right, risk appetite is at the core of how a good business is run. Done wrong, it’s a tick- box compliance exercise that sits on a shelf. Here, we look at how to leverage leaders’ and employees’ expertise to tangibly define and operationalise risk appetite.
In our previous article, How to see what you don’t see, we spoke about creating a 360-degree risk radar to establish an organisation’s unique set of risk categories, mapped to its value chain (take a look at the radar example below).
In this article, we expand upon the practical applications of the radar and outlines how it can become the foundation for an organisation to establish a risk appetite statement that is a highly valued and used management tool.
Getting briefly back to basics, why do we actually need risk appetite? It shouldn’t just be an extra layer of paperwork. Risk appetite has two main purposes:
As I mentioned in the first article, I’ve found around 10 radar categories, give or take, tends to be optimal for most businesses. I also spoke about plotting risk events within these categories to give organizations a holistic picture of their risk universe and enable them to identify gaps and opportunities.
Starting to dive a bit deeper, most medium to large organizations will probably find they need a number of sub-categories underneath their main categories. They might end up with, say, 10 categories, and perhaps 50 to 60 subcategories.
Let’s use technology as an example of a main category. Sitting under that, you might have four sub-categories: cyber security, protection of data and intellectual property, technology innovation and run-time of your operating software and systems.
Or, you could look at strategy as a major category. Underneath that, you might have sub- categories such as competitor analysis, capital allocation, macro-economics and geopolitics, and so on.
Underneath the sub-categories, you plot your individual risk events.
The importance of this structure is that it allows you to aggregate and prioritise your risk information. It gives you a method of getting the right risk information in front of the right people. It also facilitates accountability and ownership.
I’ll speak more about governance in the third piece in this series (‘Using the three lines of defence effectively’), but essentially the risk radar model allows you to identify:
How does this assist with determining and operationalizing appetite? As I’ve mentioned, the risk categories are mapped to your value chain. They should also align to your organizational structure. The goal is that each category is assigned to a relevant executive leader directly under the CEO level.
For example, technology might be assigned to a chief information officer, if that position exists. Financial and perhaps strategy categories might be assigned to your chief financial officer, and so on.
This is important, because you can then start to meaningfully define appetite using that same organization of your risk information and governance structure. The clear message you want to send is: it’s not risk’s role to set appetite. The role of the risk function is to support and verify performance within appetite is maintained, but there are other executives who have the accountability to work with the board to define appetite for their areas.
Getting a general consensus on these roles is the first really important step to bringing risk appetite to life, rather than it being a document that sits on the shelf.
As we know, it’s ultimately the board’s role to define and approve the appetite for risk within the organization. But, using the technology example, if you’ve got a chief information officer, their role might be to say ‘this is what I think the appetite position is for technology’. That view goes up the board, and it is the board’s role to explicitly agree or disagree and clarify.
Done well, this process should trigger healthy debate between executives, the board and the management team. Generating this debate is the second step to transforming risk appetite statements into genuinely useful guidelines within the business.
As we just touched on, the demarcation of responsibility between the board and the organization is one of the key factors in getting risk appetite right.
The board is responsible for setting an organization’s appetite. But, the process of obtaining board approval can be slow and time consuming. You don’t want to have to go to them every time you need to change a granular element of your risk position.
Separating your risk appetite infrastructure into qualitative statements and quantitative metrics, therefore, can help.
The qualitative statements are the board’s responsibility. These clarify the appetite position for each sub-category. This is where the sub-categories become very relevant.
Continuing with the technology example. In a sub-category like data protection and cyber- security, you would likely have an avoidant risk appetite. The board’s statement would reflect the fact they expect strong controls in place to prevent theft of important company and/or employee data and intellectual property. Compare this to technology innovation, where the board’s appetite for risk may be quite high. They may expect the company to be taking risks in this area to gain productivity improvements or other advantages.
That would be where the qualitative statements end. From there, the executive leaders need to determine quantitative metrics—otherwise labelled as ‘key risk indicators’—that actually make the appetite levels mean something. This is the third important step to bring risk appetite to life.
The quantitative metrics should set a clear upper and lower level of risk-taking performance. If the lower limit is breached, you are outside appetite as you are not taking enough risk. If the upper limit is breached, you are outside appetite due to excessive risk taking.
Having both an upper and lower limit is the fourth really important step to bringing risk appetite to life. The lower limit frees employees up and makes it safe for them to take risk for improved returns, helping to shift that mindset from risk only being a bad thing that needs to be avoided.
For example, if the board has made it clear they have an elevated appetite for new technology risk, the key risk indicator metrics assigned could be the percentage failure rate of innovation projects. If there is genuinely an elevated appetite for this risk, the lower limit will not be 0%, as some failure must be expected in new technology innovation.
This is just one example, but it shows how the governance structure you put in place around the risk categories is crucial to operationalizing the appetite statements. It’s about leveraging the expertise of your leaders and your people to tangibly define risk appetite across your entire risk universe.
Strategic decision-making can become much more consistent and informed once an organization has a clear risk appetite statement with upper and lower limits of performance.
An acquisition decision, for example, can be made with consideration to expected performance across all categories of risk, not purely financial. Analysis can show the expected reliability of performance within appetite, anticipated costs to implement controls to achieve this performance, any expected deviations of performance outside appetite, and corresponding approvals (temporary or otherwise) for these breaches.
As the risk director, if you’re having sessions with the strategy team, you can ask:
By using this approach, risk is able to help an organisation explore new opportunities and achieve its goals, as well as preventing bad things from happening. This is key to risk ‘earning a seat’ at the strategic table.
Measuring whether appetite has gone awry after the fact is only so useful, however. Being able to foresee ahead of time whether appetite levels are likely to be breached is obviously far more valuable.
To enable this, risk managers really need to work with the business as it is developing its quantitative metrics to ensure they are mostly lead indicators.
Supply chain management provides an easy illustration here. If you’re looking at customers’ supply chain credit risk, for example, and your indicator is whether or not bills have been paid in full on time, you’re only ever going to discover you’ve got a problem once it’s too late.
It might be better to design an indicator that involves looking at the performance and balance sheet (assuming these figures are available) of your top customers. Are they likely to be able to pay you? That might give you a better chance of forecasting if a problem is headed your way and being able to take proactive action, rather than reacting after the fact.
One other thing that this approach to risk appetite may allow you to do is to actually remove some of the controls and systems that are in place around certain risks.
Something you’ll hear a lot these days is that everyone wants to be ‘best practice’ in every part of the business. There’s nothing wrong with this goal, but sometimes we need to step back and assess what best practice really entails.
Oftentimes, layer upon layer of administration and bureaucracy is created in organizations. More and more controls are added, and there are so many rules that it becomes hard to get things done. The environment becomes stifling.
However, if you have clarified your risk appetite positions, and clearly defined with metrics what it means to be within appetite, you may be able to re-assess some of these controls. Analyse the actions you’re currently taking against your approved appetite and ask yourself: if we removed X control, would we fall outside of appetite?
If not, perhaps you may be able to re-introduce some more freedoms that may lead to greater flexibility and innovation.
I have consistently found that this approach to risk appetite delivers invaluable risk, and strategic, insights. Just the power of going through the process of setting and defining appetite within your management, your executive team and your board can reveal important misalignments.
As each person involved contributes to articulating and writing down what they believe the appetite position to be in a certain sub-category, you will often start to realize where broad gaps exist in perceptions.
It’s these kinds of gaps that can lead to misunderstandings around individual and team performance and progression. This inevitably leads to either too much risk being taken, or too little. This is especially the case where different categories (such as safety and productivity) are in potential competition. By having a clear understanding of the company’s full risk radar, and relative appetite of each category, serious incidents can be avoided at the same time as big bets being taken for superior returns.
I’d say there are three key challenges you might anticipate as you go through the risk appetite operationalization process.
This article was first published in July 2020 by Risk Leadership Network, a global membership network for risk professionals.
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.