Writing a Risk Appetite Statement
Here’s an interesting exercise to try the next time you meet with your risk management team: ask them to name the top three threats facing your organisation.
You might get a range of different answers. Or a lot of blank stares. If so, you likely have some work to do around risk assessment and reporting. Many organisations do—especially now.
The global pandemic has forced private companies, public corporations, government agencies, and nonprofit organisations alike to tackle unexpected risks and stay agile in response to a dynamic risk environment. As we move out of the pandemic and into the “next normal,” many chief risk officers, controllers, and managers of internal controls are revisiting their risk assessments and looking for better ways to ensure key stakeholders understand the risks and how to apply that knowledge to decision-making. A risk appetite statement is often the tool of choice.
What is a risk appetite statement?
“Risk appetite” is a broad description of the amount and types of risk an organisation is willing to accept to achieve its objectives. Companies often talk about operational risk and strategic risk, but they may also face these threats:
• Financial risk, including waste and fraud
• Legal risks, including regulatory issues
• Technological risks, including cyberattacks and hardware failure
• Security risks, including harm to employees, facilities, or systems
• Reputational risks, including negative media and external events
A risk appetite statement is a document that clearly defines what an organisation considers to be threats and what the likely responses will be. A thoughtful risk appetite statement aligned to goals is a valuable and useful tool that helps every leader made risk-informed decisions.
What makes a good risk appetite statement?
A strong risk appetite statement should capture any risk that threatens the organisation’s ability to achieve its goals and include plans for addressing those risks. (You can use a risk assessment matrix as a starting point for identifying and prioritising your risks.)
When you’re ready to start writing your risk appetite statement, keep these core concepts in mind:
Build a diverse team to create the document.
Capturing different perspectives on the organisation’s risks will create a more comprehensive and accurate summary. Be sure to invite a diverse group of key stakeholders and subject-matter experts to help create the risk appetite statement. Get everyone up to speed on the work before you meet by sharing examples of strong risk appetite statements and reminding the group of your collective goals and objectives.
Start with strategy.
How much risk the organisation is willing to take is directly connected to its goals and objectives. Using those as the team’s “north star” as they assess risk appetite and write the risk appetite statement keeps everyone focused and helps produce a meaningful document.
Include an executive summary, and keep it concise.
Many corporate documents are written, reviewed, and filed away. A risk appetite statement is meant to be read, shared, and used. So, make it as short and keep the language simple. Consider including an executive summary. And add visuals to make the statement as scannable and digestible as possible.
Define metrics in easily quantifiable terms.
While a risk appetite statement itself offers a qualitative view of tolerance of risk, metrics give teams a way to measure risk levels. Some agencies use established models and tools while others create their own scales to score risk. Whatever method you choose, it should be simple enough for everyone to apply and for your reader to understand.
For example, if employee turnover is a major concern, how many vacancies can the organisation sustain over a certain period of time? If a system failure is a risk, how many hours can you afford to have a system be down?
Keep it fresh.
A risk appetite statement is a “living document.” Plan to review it at least annually so that it reflects the organisation’s changing risk appetite.
If you are a Workiva user, you can create, revise, and update the statement within the Workiva platform to provide greater transparency to your colleagues. You can request feedback and respond to everyone’s comments within the document. Workiva automatically captures a revision history, so new teammates and long-time employees can all see changes over time.
If we’ve learned anything in the past year, it’s that risk is everywhere. There’s never been a better time to get a little peace of mind by writing a risk appetite statement for your organisation.