Writing a Risk Appetite Statement
Here’s an interesting exercise to try the next time you’re Zooming with your risk management team: ask them to name the top three threats facing your organization.
You might get a dozen different answers. Or a lot of blank stares. If so, you likely have some work to do around risk assessment and reporting. Many organizations do—especially now.
As the old saying goes, “By failing to prepare, you are preparing to fail.”
The global pandemic underscored that adage by forcing every organization—government agencies, private companies, public corporations, nonprofit organizations—to tackle unexpected risks and stay agile in response to a dynamic risk environment. As we move out of the pandemic and into the “next normal,” many chief risk officers, controllers, and comptrollers are revisiting their organizations’ risk assessments and looking for better ways to ensure key stakeholders understand the risks and how to apply that knowledge to decision-making. A risk appetite statement is often the tool of choice.
What is a risk appetite statement?
“Risk appetite” is a broad description of the amount and types of risk an organization is willing to accept to achieve its objectives. Companies often talk about operational risk and strategic risk. Organizations of all types, including federal, state, and local government agencies, also may face these threats:
• Financial risk, including waste and fraud
• Legal risks, including litigation and regulatory issues
• Technological risks, including cyberattacks and hardware failure
• Security risks, including harm to employees, facilities, or systems
• Reputational risks, including negative media and external events
A risk appetite statement documents an organization’s risk appetite, clearly defining what the organization considers threats and what the likely responses will be. A thoughtful risk appetite statement aligned to the organization’s goals is a valuable tool that helps every leader make risk-informed decisions. Particularly for government agencies, making a risk appetite statement available to the public reinforces a commitment to thoughtful risk management.
Guidance from OMB Circular A-123
Risk appetite statements aren’t new, but they’re gaining traction, especially with federal agencies. In 2016, the Office of Management and Budget (OMB) updated Circular A-123, setting new requirements for how federal agencies integrate Enterprise Risk Management (ERM) with their internal control processes.
Circular A-123 doesn’t require agencies to create a risk appetite statement as part of ERM, but it’s considered best practice to document an organization’s risks, tolerances, and mitigation strategies.
What makes a good risk appetite statement?
A strong risk appetite statement should capture any risk that threatens the organization’s ability to achieve its goals and include plans for addressing those risks. (You can use a risk assessment matrix as a starting point for identifying and prioritizing your organization’s risks.)
Paul Marshall of The MIL Corporation has pointed to USAID’s risk appetite statement as a strategic, well-considered, and concise example. When you’re ready to start writing your organization’s risk appetite statement, keep these core concepts in mind:
Build a diverse team to create the document.
Capturing different perspectives on the organization’s risks will create a more comprehensive and accurate summary. Be sure to invite a diverse group of key stakeholders and subject-matter experts to help create the risk appetite statement. Get everyone up to speed on the work before you meet by sharing examples of strong risk appetite statements and reminding the group of the organization’s goals and objectives.
Start with strategy.
How much risk the organization is willing to take is directly connected to its goals and objectives. Using those as the team’s “north star” as they assess risk appetite and write the risk appetite statement keeps everyone focused and helps produce a meaningful document.
Include an executive summary, and keep it concise.
Many corporate documents are written, reviewed, and filed away. A risk appetite statement is meant to be read, shared, and used. So, keep it as short as possible and try to avoid jargon. Consider including an executive summary to provide an overview of the agency’s risk universe. Add visuals because it’s often easier—and more effective—to show rather than tell.
Define metrics in easily quantifiable terms.
While a risk appetite statement itself offers a qualitative view of how much risk the organization will tolerate, metrics give teams a way to measure actual risk levels against that appetite. Some agencies use established models and tools while others create their own scales to score risk. Whatever method you choose, it should be simple enough for everyone to apply consistently and for your reader to understand.
For example, if employee turnover is a major concern, how many vacancies can the organization sustain over a certain period of time? If a system failure is a risk, how many hours can you afford to have a system be down?
Keep it fresh.
A risk appetite statement is a “living document.” Plan to review it at least annually so that it reflects the organization’s changing risk appetite.
If you are a Workiva user, you can create, revise, and update the statement within the Workiva platform to provide greater transparency to colleagues across your agency. You can solicit feedback and respond to everyone’s comments right within the document. Workiva automatically captures a revision history, so new teammates and long-time employees can all see changes over time.
If we’ve learned anything in the past year, it’s that it’s a risky world out there. There’s never been a better time to get a little peace of mind by writing a risk appetite statement for your organization.