Risk Appetite – what does ‘good’ look like?

Let’s begin with a definition of Risk Appetite. ISO 31000 (the international risk management standard) defines risk appetite as “the amount and type of risk that an organisation is prepared to pursue, retain or take”. Put more practically, risk appetite is the amount and type of risk that we are willing to accept or take in order to achieve our objectives.

Risk Appetite is a fundamental component of any organisation’s risk management framework. The following are examples of components which may be in your risk management framework, and how risk appetite relates to each of them.

  • Risk Culture – An embedded and operationalised approach to risk management helps to establish and maintain a strong risk culture, where risks are identified, managed and escalated accordingly.
  • Risk Assessments – Your risk assessment process will identify your key controls. These key controls should be monitored to give assurance that the organisation can stay within its stated appetite.
  • Policies – As with risk assessments, risk appetite is operationalised through the policies your organisation has in place. Your policies may already include limits or thresholds which are, in effect, risk appetite statements.
  • Strategic Plan – Your risk appetite is about the levels and types of risk you can accept in order to achieve your objectives, and your objectives should be laid out in your strategic plan. When establishing or reviewing your strategic plan, it is best practice to also review and consider your stated risk appetite.
  • Reporting – Your risk appetite statements and metrics should form a key part of your reporting processes. Breaches of risk appetite should be escalated in a manner appropriate to the size and scale of your organisation.
  • Compliance – This is often forgotten when setting risk appetite. Ensure that your risk appetite statements and associated metrics align with your organisation’s compliance obligations, and that they do not result in you accidentally stating that you are willing to accept a breach of an important rule or regulation.

What should my Risk Appetite look like?

Risk Appetite is commonly expressed as a series of qualitative Risk Appetite Statements and associated Risk Appetite Metrics (often referred to as Key Risk Indicators).

Risk Appetite Statements should be:

  • Comprehensive and linked to the organisation’s strategic plan (where applicable).
  • Clear and jargon-free such that you can easily communicate them to stakeholders (internal and external).
  • Forward looking to reflect potential growth, change in services / offering, etc.
  • Linked to the risk categories you use in your organisation.
  • Owned by a senior individual in the organisation.

Risk Appetite Metrics (or KRIs) should:

  • Be linked to an overarching Risk Appetite Statement.
  • Have an associated threshold (a trigger point at which the metric is reviewed and action considered) and limit (the level beyond which the organisation is outside its stated appetite and escalation is required).
  • Have a clear and consistently applied method of calculation, including the measurement period (e.g., a 30-day period) and the data source used.
  • Be owned by a named individual within the organisation.

An Example:

An organisation might have a risk appetite statement that states “we will only offer products / services that satisfy the needs of our customers / members / service users. All of our product / service offerings must also be compliant with all relevant regulation and legislation.”

The associated metrics might look something like the following:

  • The number of formal complaints received in a 30-day period.
  • The number of formal complaints received per 100 members / customers / service users in a 30-day period.
  • The number of product / service compliance issues identified in a 30-day period.

Conclusion:

When considering risk appetite, it is important to link it back to the regulatory environment in which your organisation must operate, to your strategic plan, and to your organisation’s risk management capability. Risk management capability is the ability to keep risk exposures within your desired limits (as measured by your metrics); it includes the skills and knowledge available in the organisation, the controls you have in place, the organisation’s risk culture and much more.

When establishing or updating your risk appetite statements and associated metrics, you should consider the appropriate governance forum at which this should be done – e.g., consider getting your board of directors involved in the process.

Finally, you should review your risk appetite on at least an annual basis.
