The Risk Appetite Console provides an area for Admin Users to create a series of written Risk Appetite Statements and to set Risk Appetite Thresholds for Residual Risk scores.

The lower portion of the screen also provides a dashboard that displays the organization’s Risks by Category, with Risks as small gray circles, plotted by their Residual Scores ranging from 1 up to 25. Blue bars represent the organization’s upper and lower Risk Appetite Threshold levels for each category, making it easy to quickly identify any Risks that fall outside of the organization’s accepted Residual Risk ranges.

In broad terms, a Risk Appetite statement is a description of the amount and types of risk that an organization is prepared to assume in the pursuit of its desired objectives. It usually starts with a broadly written organizational-wide statement and then provides a series of more refined statements for certain situations (usually done by risk category). It is expressed in terms of residual risk levels (after considering the effects of risk mitigations). It can be qualitative, quantitative, or a mix of both.

The process of developing Risk Appetite Statements and setting Risk Appetite Thresholds can serve two important purposes:

All organizations assume certain levels of risk as they conduct their operations and pursue their objectives, whether overtly recognized or not. Furthermore, each individual stakeholder involved in the organization’s management and governance processes starts with their own individual perspectives, assumptions, and tolerance levels with regards to risk. Establishing a Risk Appetite Statement and setting acceptable Residual Risk Thresholds is a useful method of uncovering unstated assumptions and building consensus on risk management among key stakeholders. Individuals acknowledge that risk will be assumed and learn to set their personal risk tolerances aside, as they agree on threshold levels that are appropriate for the organization in different situations.

Once Risk Appetite Thresholds have been established, they serve as “guideposts” for business managers as they pursue objectives and manage risks. As long as a Risk’s Residual Scores fall within approved thresholds, no further action is required and reporting requirements may be reduced. An organization may be tracking dozens or even hundreds of Risks, but may only choose to highlight and report on risks outside of accepted threshold ranges.

A more detailed discussion of Risk Appetite concepts and suggested steps for implementing Risk Appetite frameworks can be found here on the Tracker Networks website.

Admin Users can edit the text sections in the Risk Appetite Console simply by clicking on the text. Each text field will accept up to 1,000 characters. For text fields in Category columns, only the first 250 characters will be displayed, with the full text being visible in a popup when the User hovers over the text.

Only Admin Users can edit text on this screen. Text will be read only for Standard Users and Read Only Users.

Admin Users can click on the blue “set risk threshold” link in the lower right corner of the Risk Appetite Console (visible only to Admin Users). This will take the Admin User directly to an administration screen, where they can use the drop-downs provided to select an upper and lower threshold level for each Risk Category. Thresholds are based on Residual Risk Scores and can be set at the Category level only (not Subcategories). Thresholds will apply to all Risks in the system and for all data Portfolios. Changes will be saved immediately, updating the blue threshold bars on the Risk Appetite console and the gray bars in the scoring section of the Risk Details screen.

In the example pictured to the right, the column for the Risk Category called “Strategic Risk” has an upper threshold of 13 and a lower threshold of 4. There are 7 risks in this Category, represented by small gray circles and plotted by their Residual Risk scores. Recall that Risks with custom thresholds (as set on the Risk Details screen) will not be plotted on this chart.

Users can hover over the circles to display the Risk Name in a popup bubble. Users can also click on each circle to open the corresponding Risk Details screen.

The top of each Category column shows an overall Risk Appetite Status for the Category. In the pictured example, the category has a red status of “Above” Risk Appetite because at least one Risk has a Residual Risk Score that is above the upper threshold limit for the category. If all Risks in a Category have Residual Scores that fall within the upper and lower threshold limits, then the status will be green and “Within”. If no Risks have Residual Risk Scores that fall above the upper threshold limit and at least one Risk has a Residual Risk Score that falls below the lower threshold limit, then the status will be blue and “Below”. Note that Categories with some risks above the upper threshold and some risks below the lower threshold will have the red status of “Above”. If a Category has no Risks associated with it, or none of the Risks in that Category have been given a Residual Score yet, then the Category status will be a gray “no data”

It is common for organizations that are new to Risk Appetite to set all of their lower thresholds to 0 and to only focus on Risks that fall above upper thresholds. Note, however, that there can be value in tracking lower thresholds as well. Seeing Risks continually below lower thresholds may be an indication that the organization has a culture of conservatism that may be holding the organization back from innovating and achieving its objectives. It may also be a sign that the organization is investing too much in mitigating Risks that may not require the level of mitigation being applied.

Note that when an organization has more than 6 categories, blue sideways arrows will appear, allowing the User to scroll horizontally through all Risk Categories.

Within the Category Column, up to 8 Risks can be displayed on a single row in the chart. If more than 8 Risks in a Category have the same Residual Risk, a blue “see all” link will appear at the bottom of the column. Clicking this link will take the User to the Enterprise Risk Console, filtered for the specific Category, where the User can view all Risks in the Category, along with their status with regards to Risk Appetite Thresholds.

The Risk Appetite Console has several filters that are available to all User Types. The Portfolio filter will only appear when the Portfolio option is enabled by the system administrator.

Applying filters will update the Risks displayed on the chart and may cause the Category status labels to update, based on the Residual Risk level of the newly displayed Risks.

The blue checkbox is checked by default. Unchecking this box will remove from the view below any empty categories that do not have Risks mapped to them. This removes all the categories that have the gray “no data” status.

By default, the screen loads the top 50 Risks in the system by Risk Rank order.

This dropdown can be used to select and display all risks. When organizations have large numbers of risks, there may be some that cannot be displayed in the chart and the blue “see all” link may appear.

By default, the chart does not include any Risks that have had their Risk Appetite Thresholds suppressed on the Risk Details screen. Suppressing risks is done for Risks which Users feel should not be displayed on the default chart in the Risk Appetite Console. This dropdown field can be used to show Suppressed Risks on the chart. Suppressed risks will be plotted with a different color than other risks (pink circles versus gray).

This filter allows the User to filter the chart to only display Risks for a specific Risk Owner or Business Area.

If the Portfolio feature is enabled, this dropdown allows Users to filter the chart to to only display Risks for a specific Portfolio. Admin Users will be able to filter by all Portfolios. Standard and Read Only Users will only see the Portfolios and associated Risks that they have been granted access to.

The date selector allows the User to display the chart based on historical dates. The chart updates to show the Risks that were mapped to each Category on the selected date, along with their residual risk scores on that date. Note that Risks or Categories which have since been deleted will not display in historical views. Clicking on the “Clear” link in the bottom of the date pop up window will reset the chart to the current date.

At this time, Essential ERM does not include a feature to print the Risk Appetite screen or chart. Many Users find the Microsoft Snipping tool useful to take PNG images of the chart and screen. The Snipping tool is a free utility included in most Windows systems and is fast and intuitive to use. Users can type “snipping” in their Windows search box to find and open the utility. If you are unsure if you have this feature installed, check with your IT administrator.

As an additional option, when permitted by a User’s IT administrator, some Users find some approved Google Chrome extensions useful in taking full screen prints in PNG and PDF formats. Some extensions can, however, pose a security risk and browser extensions should never be installed without the permission of your IT department. Tracker Networks makes no representations or warranties about the functionality or safety of any specific third-party extension.