One of the mandatory requirements of the Victorian Government Risk Management Framework is that each organisation defines its risk appetite.
By defining its appetite and making it explicit in a statement shared with decision makers across the organisation, your responsible body and executive team send a clear signal to decision makers about how much risk they may take, and create, in carrying out the functions and activities of the organisation.
It also makes it clear to decision makers how they should allocate the organisation’s resources to controlling risks. For example, managers should not spend money on controlling risks which their responsible body has declared a high appetite for, at the expense of controlling risks which it has said it has a low appetite for.
Your internal and external context will present you with a wide range of different risks. Some of them may be complex or have many ‘moving parts’. You may need more than one statement of your risk appetite and, in fact, you may need a suite of them to articulate your responsible body’s appetite for risk.
For the sake of simplicity, we will talk about your risk appetite statement—just bear in mind that the task is to define your risk appetite and this will, in many cases, require more than a sentence.
An essential part of your framework
As an essential part of your framework, your risk appetite statement should
- align with your risk management policy
- drive your risk management strategy and procedures
- be demonstrated in the contents of your risk register through risk tolerance and key risk indicators.
Who is responsible for defining it?
Your responsible body, with the support of the executive team, must define the organisation’s risk appetite in language that can be
- used by the executive team to analyse the organisation’s tolerance in relation to each risk
- understood by decision makers in the rest of the organisation so that they can apply it in their deliberations.
They should also show leadership by demonstrating how to use it in their own decision making.
When should the responsible body do this?
A risk appetite statement should be defined at the same time as the organisation’s risk management framework.
If you have a framework already but not a risk appetite statement, then work with your responsible body to create one at your next opportunity. You should then review the other elements of your framework to make sure they are all consistent.
Appetite for risk changes, though, in response to what is going on within the organisation and in the environment. So does the risk itself. This means that your responsible body and executive team should also look at their statement when
- there is a change in the organisation’s internal and external context
- the membership of your responsible body or executive team changes
- they are developing new strategy
- they are evaluating strategies and projects.
To illustrate the first point, we can look at the arrival of coronavirus in Victoria, which was a dramatic change in the environment we were all working and living in. Organisations needed to change their work practices overnight at the direction of the Victorian government. One consequence was that many organisations became very keen to deliver, or improve their delivery of, online services, which involved re-balancing their appetite for risk to project budgets against their appetite for the risk of cyber threats.
Why define it?
The pandemic is an excellent example of how risk appetite connects directly to decisions about controlling risk, trading off one risk against another, and the performance of the organisation as it pursues its objectives.
It also shows that we all have an appetite for risk, even if we only discover what that is when a risk materialises in an event.
We know that risk is dynamic. It changes as your internal and external context changes. By defining risk appetite in advance, a responsible body gives both itself and the organisation a head start on making decisions about how to respond to that change:
- the responsible body knows where it stands on the potential impacts of the risk and so will be able to make critical decisions quickly
- decision makers across the organisation will know when they need to take further steps to control a risk that is growing, and when they need to escalate it to the responsible body for a decision.
The other virtue of stating risk appetite is that it sends a signal to decision makers that they can and should take a risk, within boundaries, in order to meet their objective.
By setting the boundaries clearly, it can help make sure that those decisions, about how much and what type of risk to take, are consistent, accountable and comply with legislation.
It also helps decision makers decide when and how to control risk. Controlling risk comes at a cost, both the direct expense and in deciding not to do other things that might be worthwhile. This means that you should direct your resources to controlling risks that you have a low appetite for, rather than risks you have a high appetite for.
The role of risk practitioners?
Make a case
Risk practitioners should make a case for the value of a statement of risk appetite, both to their responsible bodies and executive team, and to the wider organisation.
We recommend you find examples relevant to your organisation to show how consequential a statement of risk appetite is. As well as the example of the COVID-19 pandemic, we can point to other examples:
- TAC has expressed its low tolerance for death and injury on Victoria’s roads in the campaign message “Towards zero”. This statement shapes the objectives, strategies and operations of the whole organisation.
- The Victorian Funds Management Corporation has determined that it has no appetite to invest state money in businesses that manufacture cluster bombs.
- Hospitals across Victoria make patient safety a priority because they have little to no appetite for the risk of harm.
- Organisations committed under the Climate Change Act to a five-year Adaptation Action Plan for the system they operate in might find that they have no appetite for activities that cause them to miss the goals set out in the plan.
Work with their responsible body and executive team
Risk practitioners should support their organisation’s responsible body in defining its risk appetite, and work with the executive team to work out what the organisation’s appetite for risk is in practice.
Risk practitioners may also need to work with the executive team on
- alerting the responsible body to changes in the internal and external context that should trigger a review of their risk appetite
- reviewing the risks recorded in the risk register to see if risks need to be re-assessed and new controls or treatment plans put in place
- identifying what risk indicators should be monitored to stay within tolerance
- a communications plan to build understanding of its value to the rest of the organisation and, for some decision makers, how to use it effectively
- a training plan to build skills in using a statement of risk appetite in decision making or designing strategies and procedures.
Defining your organisation’s risk appetite
The real work here is in the discussion and deliberation of the individuals that make up your responsible body.
We recommend that you invest time in developing a methodology for deliberation that helps your responsible body work quickly to come to a consensus.
Whatever your method and workshop plan, it should work through these stages.
- Come to a consensus about the objectives, functions and activities that your responsible body wants to focus on
- Discover their appetite for those priorities
- Come to consensus about their risk appetite
- Make a statement.
Note that there are two steps in the work of defining your risk appetite: the first to decide what is a priority for the organisation, the second to define their appetite for risk in relation to those priorities.
- Slides for the workshop with your responsible body [PPTX, 2.01MB]
- Example statements of appetite for significant risks [PPTX, 1.99MB]
What to do now
Working out risk tolerance and indicators
Once the responsible body has come to a consensus about its risk appetite, the executive team then works with risk practitioners and others in the organisation to
- analyse what the organisation’s tolerances are for these risks
- identify which indicators will be monitored to make sure the organisation stays within those tolerances.
The executive team should also put governance and systems in place to
- monitor and report on indicators
- take action when the organisation comes close to or breaches tolerances
- review the statement regularly
- update it when there is a change in the organisation’s internal and external context.
Plans, processes and the model of governance should be presented at a meeting of the Risk and Audit Committee for discussion and approval.
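As an added illustration, not part of this guidance or any of its tools, the following Python sketches how the tolerances and indicators that flow from a statement of risk appetite can be checked mechanically once they are recorded. Each risk in a register carries an appetite level and one or more key risk indicator (KRI) tolerances, each with a warning band and a breach point; readings are assessed, indicators with no reading are surfaced as monitoring gaps rather than silently passed, and risks are ordered for control effort with the lowest appetite first, as the guidance recommends. The register, indicator names, thresholds and readings are constructed examples, and the three-tier response (monitor, strengthen controls, escalate to the responsible body) is an assumption about the governance model.

```python
from dataclasses import dataclass
from enum import Enum


class Appetite(Enum):
    """Appetite levels as used in the guidance; the value gives the ordering."""
    NONE = 0
    LOW = 1
    HIGH = 2


@dataclass(frozen=True)
class Tolerance:
    """Tolerance for one KRI. A reading at or above `warning` means the risk is
    approaching tolerance; at or above `breach` it has breached tolerance.
    Higher readings always mean more risk in this model."""
    indicator: str
    warning: float
    breach: float


@dataclass(frozen=True)
class Risk:
    name: str
    appetite: Appetite
    tolerances: tuple  # of Tolerance


WITHIN, APPROACHING, BREACH = "within tolerance", "approaching tolerance", "breach"
SEVERITY = {WITHIN: 0, APPROACHING: 1, BREACH: 2}

# Assumed three-tier response; a real organisation's governance model sets these.
ACTIONS = {
    WITHIN: "continue monitoring and reporting",
    APPROACHING: "executive team to strengthen controls or treatment plan",
    BREACH: "escalate to the responsible body for a decision",
}


def assess_indicator(tol, reading):
    """Classify a single KRI reading against its tolerance."""
    if reading >= tol.breach:
        return BREACH
    if reading >= tol.warning:
        return APPROACHING
    return WITHIN


def assess_risk(risk, readings):
    """Return (worst status across the risk's indicators, list of indicators
    that have no reading). A missing reading is a monitoring gap, not a pass."""
    worst, gaps = WITHIN, []
    for tol in risk.tolerances:
        if tol.indicator not in readings:
            gaps.append(tol.indicator)
            continue
        status = assess_indicator(tol, readings[tol.indicator])
        if SEVERITY[status] > SEVERITY[worst]:
            worst = status
    return worst, gaps


def control_priorities(register, readings):
    """Order risks for allocating control effort: lowest appetite first, then
    the worst status. Each row is (name, appetite, status, action, gaps)."""
    rows = []
    for risk in register:
        status, gaps = assess_risk(risk, readings)
        rows.append((risk.name, risk.appetite.name, status, ACTIONS[status], gaps))
    rows.sort(key=lambda r: (Appetite[r[1]].value, -SEVERITY[r[2]]))
    return rows


# Constructed register: names, indicators and thresholds are illustrative only.
REGISTER = (
    Risk("Harm to patients", Appetite.NONE,
         (Tolerance("serious patient-safety incidents this quarter", 1, 2),)),
    Risk("Cyber threat to online services", Appetite.LOW,
         (Tolerance("critical patches outstanding beyond 30 days", 3, 10),
          Tolerance("days since last backup restore test", 90, 180))),
    Risk("Project budget overrun", Appetite.HIGH,
         (Tolerance("percent over approved project budget", 10, 25),)),
)

# Constructed readings for one reporting period; the restore-test KRI has no reading.
READINGS = {
    "serious patient-safety incidents this quarter": 0,
    "critical patches outstanding beyond 30 days": 4,
    "percent over approved project budget": 30,
}


if __name__ == "__main__":
    for name, appetite, status, action, gaps in control_priorities(REGISTER, READINGS):
        print(f"{name} [appetite {appetite}]: {status} -> {action}")
        for indicator in gaps:
            print(f"  monitoring gap: no reading for '{indicator}'")
```

In the constructed period the budget overrun is the only breach, but because the responsible body has declared a high appetite for it, it sorts below the patient-harm and cyber risks; the cyber risk also reports a gap because one of its indicators was never measured, which is the kind of omission a tolerance review should catch.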
Deliver communications and training
For a risk appetite statement to be effective, the people in your organisation need to know about it and know how to use it. You may need a communications and training plan to build understanding of its value to the rest of the organisation and, for some decision makers, how to use it effectively.
Use it in your organisation
A statement of risk appetite can directly inform decisions. In fact, it should be detailed and specific enough to make a material difference to decisions about objectives, organisational resilience, crisis management, insurance, shared risk and pursuing innovation.
- a low appetite for risk to your organisation’s reputation may inform your decision about which contractor to choose to provide corporate information management services and how you manage the contract
- no appetite for risk to your organisation’s compliance with the Climate Change Act should guide decisions about the design of services and supply chains
- a high appetite for working differently in your organisation, even if it means changes to processes or culture, might lead to procurement strategy that favours small businesses.
Knowing your risk appetite may still leave your executive team and managers with dilemmas that need to be discussed. This shouldn’t be seen as a fault in your statement of risk appetite but as a virtue of having it all on the table for discussion.
For example, a board may state that it has a high appetite for improving the quality of its frontline services and so will ask that procedures be re-designed so that staff spend more time on face-to-face communication with the members of the public.
This may be in tension with their low appetite for the risk of their frontline staff being the target of abuse or violence, which will increase simply because they spend more time with members of the public.
These dilemmas exist in every working environment. A statement of risk appetite exposes them, giving the executive team and managers the information and the trigger they need to balance these risks.
We also think that your statement of risk appetite should inform day-to-day operational decisions indirectly through
- the design of standard operating procedures for frontline staff
- the development of training programs
- the design of governance and reporting systems.
Take, for example, the members of a customer service team in day-to-day contact with people. They don’t need to know the detail of the statement of risk appetite for their day-to-day decisions, but …
- the person responsible for the fit-out of their work area needs to know where the organisation stands on the health and safety of its employees and visitors to their sites
- the person responsible for a procedure for responding to suspicious activity will also need to be across the organisation’s appetite for risk and the trade-offs between free movement and the exposure of staff and visitors to the risk of violence
- the person who writes the policy on how the organisation will respond to a request for information held by the organisation will need to be across the organisation’s appetite for risk when it comes to sharing information, including their legal obligations under the Freedom of Information Act, the Health Records Act, or any other legislation.
These are just three ways in which a risk appetite statement can make a difference, indirectly, to the way people in your organisation make decisions, day to day.