What’s your organisation’s risk appetite?

Welcome to what will potentially be a controversial blog today.

One of the things I’ve been teaching in my courses is risk appetite and risk tolerance. Now those terms are used interchangeably, and unfortunately this is creating quite a lot of confusion within the risk management fraternity, and it’s not helped by the fact that there are no examples within the ISO 31000 Standard that potentially can identify the differences between them. Then on top of that, people are coming to my courses and saying, well, my boss doesn’t want to use the word ‘appetite’ because it indicates they’re hungry for risk, so they call it ‘risk acceptance level’.

Essentially, what I’m seeing is that all of these different terminologies are creating confusion and clouding the true reality around setting the risk context for your organisation. What we need to do is set the parameters within which we will manage risk. What you choose to call it is up to you, but there are a number of fundamental questions that you need to ask.

The first and most important question is what level of risk or what level of residual risk am I willing to accept as an organisation, in the pursuit of my objectives? What level of risk against certain categories?

Now those certain categories may be different, so you might have a very low acceptability for safety risks (and I think you should) and reputation, but maybe slightly higher for performance or financial management. So identify your risk categories and then identify what level of risk you are willing to accept, which actually becomes your target level of risk. So when you identify a risk and analyse it, if it’s sitting above that target then straight away you know you have to take steps to reduce it down to that target.

The second question that we need to ask is what categories or impact areas or critical success factors am I going to measure my consequence against? And if we remember some of the previous blogs, asking that question in strategic planning, what does success look like? Out of that drop the critical success factors for our consequence matrix.

Question three, analysing each of those categories and asking what does a severe consequence look like to us as an organisation against each of those categories? This is going to express once again, your – not so much appetite – but what is your threshold for pain?

Now, to use an example (for those of you who know, I served twenty years in the army), when we’re training in Australia we have a different threshold for pain in terms of safety incidents than we might have on operations in a warzone. Now, we still try to stop deaths and injuries, but the situation in Australia is a lot more benign than it is in a warzone, so we have a lot less control. Therefore our consequence matrix might be slightly different in the country, as opposed to outside.

The next question we need to ask is what does almost certain look like for us; is it more than once a year, is it a hundred in a thousand, or is it once in three months? We really need to ask this question as well because if we get this wrong, or if we have an inappropriate likelihood matrix, we are also going to see some real problems with our risk assessments.

And finally, the question we need to ask is what kind of matrix are we going to use? Are you going to use a 3×3 matrix or (my preferred one) a 5×5? More importantly, what does each square represent? So if it’s almost certain and it’s an extreme consequence that should probably be an extreme risk, thus the top right and bottom left, that’s pretty clear cut. You’ve got extreme risks in the top right and low risks in bottom left, if that’s how your matrix is orientated, but what of the ones in the middle?

The way you structure your matrix is going to determine how conservative your organisation is and if you choose the wrong type of matrix and you have incorrect squares e.g. if you’re a highly conservative organisation but you’ve got a lot of squares at the medium or the low level, rather than the high or extreme level, your matrix isn’t actually reflective of the nature of the business that you’re doing. So you really need to make sure you ask all of the above questions, they are going to set your risk context.

Too many people and too many organisations are scrambling around asking ‘what’s my risk appetite?’ or ‘what’s my risk tolerance?’ It’s even regulated or legislated in certain areas, like the Australian Prudential Regulation Authority (APRA) asking for risk appetite statements, but it doesn’t tell you how to calculate it. So there’s this void of knowledge that exists around appetite and tolerance that people are filling with their own opinions. To me, there’s a fundamental outcome that you want: to actually set your risk context – and if you ask those five questions I’ve set out you’ll be able to.

So the questions in summary are:

  1. What is the level of risk that I’m willing to accept against all my particular categories?
  2. What am I going to measure my consequences against? What are my critical success factors?
  3. What does severe look like against every one of those critical success factors?
  4. What does almost certain look like from a likelihood perspective?
  5. What does my matrix look like: size and what do the squares represent?

If you can do this you will nail your context and the rest of it will flow on from that.
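To make the point about matrix structure concrete, here is an added example (not from the original post) that builds two 5×5 matrices, counts how many squares land at each rating, and checks a small risk register against per-category targets. The likelihood bands, cut-off scores, targets and sample risks are all constructed assumptions.

```python
# Added example: all scales, cut-offs, targets and risks below are constructed.
RATINGS = ["low", "medium", "high", "extreme"]
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "severe"]

# Question 4: what "almost certain" means, as minimum events per year (assumed bands).
BANDS = [(1.0, "almost certain"), (0.5, "likely"), (0.1, "possible"), (0.02, "unlikely")]

def likelihood_from_frequency(events_per_year):
    for floor, label in BANDS:
        if events_per_year >= floor:
            return label
    return "rare"

# Question 5: each square is rated from likelihood index + consequence index (0..8).
def build_matrix(cutoffs):
    """cutoffs: lowest scores rated medium, high and extreme."""
    return [[RATINGS[sum(l + c >= k for k in cutoffs)] for c in range(5)]
            for l in range(5)]

def profile(matrix):
    """Count squares per rating: more high/extreme squares = more conservative."""
    flat = [cell for row in matrix for cell in row]
    return {r: flat.count(r) for r in RATINGS}

# Question 1: target (acceptable residual) level per category.
TARGETS = {"safety": "low", "reputation": "low",
           "financial": "medium", "performance": "medium"}

def assess(matrix, register):
    """Return (risk, rating, target, needs_treatment) for each register entry."""
    out = []
    for name, category, events_per_year, consequence in register:
        l = LIKELIHOOD.index(likelihood_from_frequency(events_per_year))
        rating = matrix[l][CONSEQUENCE.index(consequence)]
        target = TARGETS[category]
        out.append((name, rating, target,
                    RATINGS.index(rating) > RATINGS.index(target)))
    return out

CONSERVATIVE = build_matrix((2, 4, 6))
LENIENT = build_matrix((3, 5, 7))
REGISTER = [  # constructed sample risks
    ("Contractor injury on site", "safety", 0.05, "major"),
    ("Project budget overrun", "financial", 0.2, "minor"),
    ("Core service outage", "performance", 0.3, "moderate"),
]
```

The same outage risk rates high and needs treatment under the conservative matrix, but sits at its medium target under the lenient one, which is the effect of where the middle squares fall.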

That’s all I’ve got this session, and as always, let’s be careful out there.


