A Practical Guide to Implementing Risk Appetite Frameworks in Enterprise Risk Management Programs
This is the second section of a two-part guide that is intended for enterprise risk managers and other executives who would like to familiarize themselves with the concepts of risk appetite and get ideas for practical, real-world approaches to incorporating risk appetite frameworks into their ERM programs.
The first part of this guide provided a plain-language definition of risk appetite and summarized key concepts supporting it. You may wish to start there first, as the information that follows builds upon the definitions and perspectives shared earlier. Just in case, we think it worth repeating the following recommendation, as this philosophy underlies the information that follows.
Keep your approach to risk appetite practical and actionable for your organization. This means using plain language that makes sense to your business people. It also means starting simple and taking an iterative approach. Resist the temptation to get too fancy too quickly. It is far more important to effectively engage your executive team and get them comfortable with the process than it is to come up with an elegant and technically robust model out of the gate. Keep it simple. You will still get the most important benefits. Evolving and adding depth is easy later if you have properly engaged your board and executive team in the beginning.
The remainder of this article provides a practical, 7-step process for implementing risk appetite frameworks into ERM programs, along with some real-life examples.
The seven-step process documented below is based on practical, real-world experience with what works best when organizations are implementing risk appetite frameworks for the first time. Those who have already implemented risk appetite frameworks may also find some useful ideas from the steps.
These seven steps lay out a practical and iterative process that removes unnecessary complexity and focuses on achieving early success and productive engagement with board members and executives.
Establishing risk appetite statements is ideally a top-down process. The board of directors is responsible for setting strategy and overseeing performance. They are also the ones who should be setting the parameters of risk appetite for the organization. In carrying out this responsibility, board members are provided with relevant information by executive management regarding key risks, key mitigations and the corporation’s overall risk profile.
In some cases, however, ERM is driven as a bottom-up activity, with certain departments (e.g. information technology) taking the lead to document and manage important risks for their department. In these cases, departmental leaders will develop risk appetite statements to manage their local efforts and to clarify and communicate their strategic assumptions when there is no clear direction from above. Even in this case, the board should still ultimately be responsible for reviewing and approving the results of the bottom-up process.
In many cases, it is not practical to expect your board members to generate a risk appetite statement from a blank slate. Instead, a good approach is to engage a group of key stakeholders who can help formulate and draft a risk appetite statement for review and approval by the board. Typically, this risk appetite working group will include executive team members, business unit leaders and members from the planning, finance and enterprise risk departments.
Once you have clarified who your risk appetite working group will be, it is helpful to reflect on their level of experience and comfort with risk management concepts. Your conclusions may help determine if you will complete your risk appetite framework internally or if you wish to engage an external partner to help with facilitation.
The next step is an introductory session with the risk appetite working group. The objective for this session is to introduce the concept and agree on a common language and goals for the risk appetite framework. You can introduce your high-level plan, explain why you are embarking on it and secure buy-in for the process. Depending on your progress and the receptiveness of your group, you may also be able to complete the next step in your first working session. Most likely, however, you will need to give your working team members time to reflect on the information you have provided and prepare for the next steps.
Hopefully this step will be the easy part. In most cases, your company’s mission, vision and strategic objectives will have already been documented and approved by your executive team and board of directors. Your initial risk appetite statement will be closely aligned with these elements, so a review of them provides a good grounding to start your process. Strategic objectives should be briefly documented, as they will be mapped to risks in step 4 below and will be used to help calibrate your risk appetite statements and risk thresholds.
In some cases, strategic objectives, mission, vision and other value drivers are not clearly identified or are in a state of flux. For example, your firm may be going through merger and acquisition activities, such that strategic plans and priorities are unclear. Similarly, public sector organizations often experience similar challenges during times of political change. Even if objectives, mission and vision are not clearly identified, it is helpful to briefly document them as they are assumed to be, as they will provide guideposts for subsequent activities and will be useful for adjusting risk appetite statements when these elements are clarified in the future.
Documenting your organization's vision, mission, values and strategy to develop a risk appetite framework.
The next step in the process is to create your initial risk appetite statements and to set your initial risk threshold values. This will likely involve another workshop meeting with your risk appetite working group and you may find it helpful to create draft materials prior to meeting as a group. Note that you are only setting out initial statements and thresholds in this step. They will be adjusted in subsequent steps, so do not worry about getting them perfect.
There are three related activities that will be completed in this step:
A general, organization-wide risk appetite statement typically begins with a linkage to the organization’s mission, values, business strategy and overall risk philosophy. It sets out the organization’s general philosophy on risk and provides general guidelines for how the organization will make decisions regarding risks.
A few publicly-available examples are included below:
Once you have completed a general organization-wide statement, it is helpful to create shorter, more refined statements for specific situations or organizational areas. In our experience, setting specific statements and parameters by risk category is the easiest way to start. Category statements may be purely qualitative or include quantitative measures as well. Ideally, they will articulate the desired balance between risk and return.
A few sample statements are shared below, adapted from publicly available examples:
Financial Risk: We seek to maintain an enterprise-level debt rating of “A” or better. As we seek new business, we will maintain our working capital ratio between 1.5 and 2.0%.
Health & Safety: The organization has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers and workforce. Safety drives all major decisions in the organization. All safety targets are met and improved year-on-year.
Investment Risk: We will limit our investments in mergers and acquisitions to an amount that allows our organization to maintain its free cash flow target of €375 million.
Operational Risk: The company will only tolerate low-to-moderate gross exposure to delivery of operational performance targets, including network reliability and capacity, asset condition, disaster recovery, and breakdown in information systems or information integrity. We will manage our operational activities to avoid an event resulting in a pretax loss of US$15 million or more. No single client will account for more than 20 percent of total sales.
Reputational Risk: The company wants to be seen as best in class and respected across the industry. It will not accept any negative impact on reputation with any of its key stakeholders and will only tolerate minimum exposure, e.g. minor negative media coverage, no impact on employees, and no political impacts.
The next step is to set upper and lower thresholds for each risk category. These will be based on residual risk scores, and the area in between the values will represent the acceptable residual risk range. For example, a risk with a residual risk score above your lower threshold and below your upper threshold will be considered within thresholds. A risk with a residual risk score above your upper threshold will be considered above threshold.
When setting initial thresholds, refer to your specific risk appetite statement for each category and set initial values that are consistent with your agreed-to risk orientation. Again, do not worry about getting this perfect, as you will adjust these thresholds in subsequent tuning steps.
Once thresholds have been set, you can compare them against the residual risk scores for each of the risks in your risk register. The example shown previously in Figure 1 was taken from the Essential ERM software system. While having ERM software will certainly make this step easier, it can also be accomplished with a spreadsheet-based risk register. This review will allow you to examine outliers that fall above and below your upper and lower thresholds. Reflecting on these risks and your category appetite statements, you may choose to refine your thresholds somewhat at this stage.
Dashboard from the Essential ERM system showing risks (represented by circles) plotted against risk thresholds. Light blue bars represent upper and lower residual risk thresholds for each risk category. Risks are indicated as either being within, above or below thresholds.
This next step is where risk appetite and strategy come together to provide real context within your ERM program. Once you have set your risk thresholds, it is time to examine the impact of residual risk scores on your key objectives. This step is easier with ERM software but can be accomplished with manual analysis and reporting. The key is to filter your risks by strategic objective and identify risks which deviate from the risk thresholds you have set. This will show you specific situations where your pursuit of strategic returns is not in alignment with your risk appetite.
Sample strategy dashboard within the Essential ERM system. Mapping and filtering risks by strategic objective and overlaying risk thresholds creates a direct link between your risk appetite statements and how your organization is balancing potential strategic returns with associated risks involved in pursuing them.
At this stage, it is time to re-examine risks that fall outside of your risk thresholds. We recommend that you do this by strategic objective, as it will focus your efforts onto the risks that matter most. For example, a risk that falls outside of your risk thresholds but is not mapped to any strategic objectives, may not be something you want to spend much time analyzing.
To re-examine risks, reconsider the root causes, pre-event and post-event mitigations and the potential consequences if the risk event were to materialize. This analysis may cause you to create new action plans for additional risk mitigations. It may also cause you to conclude that the potential consequences of the risk event are not severe enough to warrant concern and you may choose to adjust risk scores or to suppress it from your strategy and risk appetite reporting.
Note that an approach we find extremely useful in risk reporting is based on the bow tie model for risk. This is a visual approach that allows multiple scenarios to be displayed in a single, intuitive diagram. An example is provided below.
A risk details and analysis screen from the Essential ERM system, showing an example of an interactive bow tie diagram. Bow tie diagrams allow users to link risk events with their root causes, pre-event and post-event mitigations and consequences in a single, intuitive diagram. Multiple scenarios can be examined at once and linkages between risks and bow tie elements can be examined (e.g. root cause analysis to identify where a common cause affects multiple risks etc.).
By this step, you have created your initial risk appetite statements, set your initial thresholds and adjusted risks and thresholds after reviewing how your risks are affecting your strategic objectives. It is now time to secure approval from your risk appetite working group and to present to the board of directors for their review and approval. Be prepared - your board presentation may cause you to rework and adjust your risk appetite statements and thresholds but being prepared with the information and reports described earlier will make the process much smoother and much easier for your board.
Once you have received board approval for your risk appetite framework, it is time to operationalize it into your organization’s day-to-day processes and activities. Going forward, operating plans will be established and monitored using the risk appetite framework. In this way, risk appetite provides a mechanism to help propagate vision, mission, objectives and other value drivers into day-to-day operations.
The risk appetite framework itself, including risk thresholds, should not be “set and forget” and instead should be reviewed no less than annually. In practice, good quarterly reporting will help this to occur on a continuous basis, as an examination of trends will help to identify when risk appetite may need to be reconsidered.
Example dashboard from the Essential ERM system showing residual risk trends, strategic objectives with risks falling outside of desired risk thresholds, action plans requiring attention, etc.
Examining risk trends in isolation has limited value; however, risk trends plotted against the upper and lower risk appetite thresholds for each risk category can be a useful indicator for the executive team and board of directors.
A few final thoughts on implementing risk appetite for your consideration.
First, note that some organizations have begun to disclose their risk appetite statements to shareholders and the general public. They may do this only for their high-level risk appetite statement or they may also include their more specific category-level statements. Organizations that do this display greater transparency and accountability and may be more successful in attracting investors and other stakeholders.
Second, when developing risk appetite statements, it is helpful to think of all key stakeholder groups, even if they are outside of your organization and not part of your risk appetite working group. If the stakeholders have expectations or perspectives that will affect your decision making in pursuit of objectives and managing risks, it is important to consider them up front when developing your risk appetite framework.
Third, a simple approach to quantitative risk management can be helpful when setting and adjusting risk appetite thresholds. An example is represented by Figure 6 below. This image is taken from the Essential ERM software system, but it is based on an industry standard approach and can be replicated in spreadsheets or other tools.
A common and easy way to include quantitative measures into your risk rating is to assign a probability level to each possible likelihood value and to assign a dollar impact to each possible impact value. The dollar value may be based on a percentage of firm capital, total assets, annual revenue, strategic reserves, or other meaningful business metrics.
Example of a simple implementation of quantitative risk in the Essential ERM system
As with traditional risk scoring, likelihood and impact are multiplied together to generate inherent and residual risk values in dollars or other currency. In the example above, the level 3 “Possible” inherent likelihood is associated with a 33% probability and the level 5 “Extreme” inherent impact is associated with a financial loss of $15 million. These figures multiply together to generate an expected potential loss of $4.95 million. The organization has partially effective controls in place, which has not affected the residual likelihood, but has lowered the residual impact to level 4 “Major” with a value of $5 million, resulting in a calculated residual risk of $1.65 million.
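As an added example (not code from the article or the Essential ERM product), the following Python implements the likelihood-to-probability and impact-to-dollar mapping just described, computes inherent and residual expected loss, checks each residual value against the per-category upper and lower thresholds described earlier, and filters the deviations by strategic objective. Only the 33% / $15 million / $5 million figures come from the article; the remaining scale values, thresholds, category names and register entries are constructed assumptions.

```python
# Added example, not code from the article or the Essential ERM product.
# Only the level 3 "Possible" = 33%, level 5 "Extreme" = $15M and
# level 4 "Major" = $5M values come from the article; every other scale
# value, threshold and register entry below is constructed for illustration.
from dataclasses import dataclass

LIKELIHOOD = {1: 0.05, 2: 0.15, 3: 0.33, 4: 0.60, 5: 0.90}   # level -> probability
IMPACT_USD = {1: 100_000, 2: 500_000, 3: 1_500_000,          # level -> dollar loss
              4: 5_000_000, 5: 15_000_000}


@dataclass
class Risk:
    name: str
    category: str
    objectives: tuple        # strategic objectives this risk is mapped to
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int


def expected_loss(likelihood_level: int, impact_level: int) -> float:
    """Probability x dollar impact: the quantitative form of L x I scoring."""
    return LIKELIHOOD[likelihood_level] * IMPACT_USD[impact_level]


def residual_status(risk: Risk, thresholds: dict) -> str:
    """Compare residual expected loss with the category's (lower, upper)
    appetite thresholds and return 'below', 'within' or 'above'."""
    lower, upper = thresholds[risk.category]
    value = expected_loss(risk.residual_likelihood, risk.residual_impact)
    if value > upper:
        return "above"
    return "below" if value < lower else "within"


def deviations_by_objective(risks: list, thresholds: dict, objective: str) -> list:
    """Filter the register by strategic objective and keep only the risks
    whose residual value sits outside the category thresholds."""
    return [(r.name, residual_status(r, thresholds)) for r in risks
            if objective in r.objectives and residual_status(r, thresholds) != "within"]


# Constructed thresholds (lower, upper) per category, as USD expected loss.
THRESHOLDS = {"Operational Risk": (250_000, 1_000_000),
              "Financial Risk": (100_000, 2_000_000)}

# Constructed register; the first entry reproduces the article's worked figures.
RISKS = [
    Risk("Core system outage", "Operational Risk", ("Grow market share",), 3, 5, 3, 4),
    Risk("FX exposure", "Financial Risk", ("Grow market share", "Protect margin"), 2, 3, 1, 3),
]

if __name__ == "__main__":
    print(expected_loss(3, 5), expected_loss(3, 4))   # -> 4950000.0 1650000.0
    print(deviations_by_objective(RISKS, THRESHOLDS, "Grow market share"))
```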
The utility of this approach is that it is easy to implement and will provide a good general guideline when evaluating risks. The residual risk value can be compared against the risk appetite parameters for this risk and the expected return from the related business activities.
Similarly, an examination of potential quantitative losses will be useful in setting category risk appetite statements and threshold values.
Note that for entities in the financial sector, the quantification of risk can be quite complex including complex Value at Risk measures, Monte Carlo simulations and multiple scenario stress testing. These processes are often driven by regulatory requirements. For most organizations this level of rigor does not make sense from a cost / benefit perspective.