
Reviewing Risk Appetite

When and how to review risk appetite to align with business strategy, risk tolerance, and evolving internal or external change.

Written by Mark Scales
Updated over 4 months ago

Overview

Reviewing risk appetite is an important process for any business to support effective risk management. It involves assessing whether the current risk appetite is aligned with strategic objectives, operational capabilities, and the external environment.

The risk appetite helps guide a business in developing its processes, ensuring that risks are taken and managed in line with business goals. For a business with lower risk appetites, this often means implementing more robust control processes to manage risks within acceptable thresholds. This typically requires more resources, effort and cost.

Care must be taken when setting risk appetite: lower risk appetites will generally introduce more control processes, which take more resources and can slow down the organisation, while higher risk appetites increase the chances of things going wrong and the consequences associated with those incidents.

In StartRisk the risk appetite can be adjusted by the Risk Class owner in the Risk Class Editor view.

The First 12 Months:

It's particularly important to monitor and review risk appetite closely in the first 12 months after setting it for the first time. During this period it is crucial to identify any misalignments between the risk appetite and the actual risk tolerance for the business.

When reviewing risk appetite during this period, consider the following internal indicators that risk appetite may be set too low:

  • are risk exceptions (risks identified as being outside of appetite) able to be tolerated?

  • are risks being identified as exceptions too often?

  • do additional control processes for critical risks appear to be excessive and not required?

  • is there a disproportionate allocation of resources towards managing risks, diverting attention and resources from more significant risks or strategic initiatives?

  • are existing controls either consistently failing or being bypassed because they are too onerous?

  • is feedback being received that working with the business is too difficult or onerous, indicating controls are too extensive?

And the following internal indicators that risk appetite may be set too high:

  • are strategic and operational goals being achieved?

  • are incidents occurring that are negatively impacting the business or its objectives?

  • if incidents occur, is the business able to respond effectively?

  • is there a culture of complacency in relation to risk management?

  • is feedback being received that the business is unsafe, unreliable or otherwise difficult to deal with?

Ongoing Reviews:

Once the risk appetite has been set up and is operating in a good rhythm for the business, ongoing reviews should occur when there is a significant change in business strategy, external operating environment or size of the business. Below are some considerations against each of these factors:

Changes in Business Strategy

  • Alignment with New Objectives: Ensure that the risk appetite aligns with the revised strategic objectives. A new strategy might require taking on different types of risks or changing the level of risk the business is comfortable with.

  • Capability to Manage New Risks: Assess whether the business has the capabilities, resources, and processes to manage the risks associated with the new strategic direction effectively.

Changes in External Operating Environment

  • Regulatory Changes: Consider how changes in regulations might impact the risk landscape and whether the current risk appetite allows for compliance while still pursuing strategic goals.

  • Market Dynamics: Evaluate how shifts in market trends, competition, and customer behavior affect the risks to achieving strategic objectives and whether the risk appetite needs adjustment to account for these changes.

  • Technological Advances: Technological evolution can introduce both opportunities and risks. Assess if the current risk appetite supports taking advantage of new technologies while managing associated risks.

Changes in Size of the Business

  • Scaling of Operations: As the business grows, its risk exposure naturally changes. Review whether the risk appetite accommodates the increased complexity and volume of operational risks.

  • Financial Capacity: Growth often affects financial stability and resources. Ensure the risk appetite is consistent with the financial capacity to absorb risks without jeopardising the business's health.

  • Cultural Integration: For businesses experiencing growth, especially through acquisitions, consider if the risk appetite reflects the integrated culture and the combined risk profile of the expanded organisation.
