The AICD and BDO Australia have launched the 'Enterprise Risk Management Report 2018'.
Few organisations have formalised their risk appetite approach
The level of risk a business is prepared to seek or accept is known as risk appetite (as distinct from risk management, which is the process of identifying, assessing, prioritising and minimising risks). Risk appetite can be relative to growth expectations - a business may need to seek or accept risk to some extent in order to achieve growth goals and remain commercially viable. Understanding risk appetite is therefore an important step in helping organisations adapt to disruption and grow. But the results of a recent AICD/BDO Enterprise Risk Management (Risk Appetite) survey show that few organisations have formalised their risk appetite approach or position.
The survey indicates that only 6.2 per cent of organisations have formalised risk appetite statements that were documented in policies and procedures, supported by thresholds that establish parameters for specific risks. Publicly listed and unlisted, and not-for-profit organisations have the highest level of maturity (i.e. they have a better grasp of the levels of risk they're prepared to seek or accept), while federal, state and local governments - as well as private organisations - have a lower overall maturity level.
What challenges do businesses encounter when creating risk appetite statements?
AICD and BDO have identified four core components of a risk appetite statement:
- Level of risk
- Risk limits
- Setting tolerance
- Timing/process for review.
The survey notes that identifying risk limits and setting tolerances are the most challenging components to incorporate into an organisation's risk appetite statement - particularly among public sector organisations.
What makes a risk appetite statement successful?
Organisations in which all layers had involvement in formulating the risk appetite statement were more than twice as likely to achieve effectiveness as those that did not engage broadly.
Establishing risk escalation and reporting protocols was found to be an essential part of risk appetite, and something that only 43 per cent of respondents had formalised.
Likewise, those organisations that had linked performance assessments and remuneration to risk management were found to have effective risk reporting protocols (69.8 per cent), while those that had not linked performance assessment and remuneration to risk management were found not to have established risk reporting protocols.
Key challenges in risk appetite
The greatest challenges that organisations unanimously face with regard to risk appetite are:
- Understanding and education (33.5 per cent)
- Culture and ownership (23.5 per cent).
However, organisations with completely aligned top-down risk appetites and bottom-up risk limits identified, in particular, understanding and education to be less challenging. They also found balancing risk and return easier, and had more integrated strategies.
In terms of challenges over time, understanding and education of risk appetite is identified as improving gradually, yet still remains the most difficult to implement. Years one and two are especially hard for organisations, as the integration of risk appetite with strategies and practices becomes a reality.
Culture and understanding
The AICD/BDO survey shows that culture and understanding are the two key challenges of coming to grips with risk appetite. However, organisations get a much better handle on their risk when a top-down approach is taken in which all the layers of an organisation are included.
For boards, this means it is essential to take the time to understand their organisation's culture in creating successful risk appetite approaches. Improving reporting to the board to give it a better grasp of the disruptive forces and the risks the business is willing to take to meet that disruption will also be important.
Ultimately, risk appetite is an essential part of dealing with disruption, and directors need to ensure their organisations are able to understand the risks they're willing to take relative to return on investment as soon as possible. Only then will their businesses be able to survive and thrive in the long term.