I have had several reasons to review a few different styles of risk appetite statements lately. Each time I compared them to my preferred method which is:
- One statement for each strategic objective/priority (7 +/- 2)
- Each statement should:
- State the importance of the objective e.g. “Research and development is an imperative for our future growth”.
- Must draw a line in the sand that must be crossed e.g. “We must always conduct research outside our industry when developing new products.”
- Must draw a line in the sand that should not be crossed e.g. “We do not push ethical boundaries when researching, whether researching academic literature or our competitors.”
What I found out is that most methods do not lend themselves well to operationalisation. Operationalisation is the process of translating the board and executive’s appetite for doing business by ensuring appropriate policies, frameworks, processes and systems are in place to guide decision making across the organisation. The aim is to allow decisions to be made quickly when within appetite and staff knows to refer decisions when not within appetite.
I have seen a range of approaches from one catch all statement to a number of statements indicating low, moderate or high appetite for certain types of risks. The problem with the former is there is simply too much room for interpretation given all the strategic initiatives in play at any one time across an organisation. The problem with the latter is one manager’s interpretation of low, moderate or high will differ from another’s.
Irrespectively, no one statement will do it all, and that is why translators in the forms of policies, frameworks etc are required. However, I find it much easier to map the organisation to ensure appropriate translators are in place if there are well thought through statements around strategic objectives--statements that are meaningful.