Where Do We Want to Take The Most / Least Risk?
Traditionally, it’s only been very large companies that talk in this sort of language, or even think about such tasks as creating risk appetite statements, but many small to medium organisations are also learning this approach now, finding it really helps them to get a ‘handle’ on things in this currently uncertain world.
And how is this different to the Risk Statement that we talked about in the last blog?
Well, an overarching business ‘Risk Statement’ will address your organisation as a whole. Championed and communicated by management, it describes a ‘flavour’, attitude, and approach to how your organisation will deal with uncertainty (risk) and actually look for opportunities overall. It will also give a brief overview of the mechanisms you have in place to manage uncertain events across your organisation as a whole.
Risk appetite statements need to be created for each of your organisations’ functional and strategic areas now. The reason for doing this is that each department of your business may need to leave more or less to chance. For example, a legal or finance department may be much more risk averse then perhaps a business development or research and development department. This is because one is controlling capital and the other is complying with laws, while developmental departments may be actively seeking growth and evolution for the organisation. So, in practice, good risk appetite statements can help you translate competing priorities into choices and decisions by focusing on where to take the most or least risk for your business. Of course, there will be some areas where there will be no appetite for risk-taking at all!
In parallel to this, your Leadership Team may have been busy strategising about the direction of the organisation, in pursuit of business objectives or long-term goals. As a result, they will have certain topics in mind such as new Markets and Products, Distribution Channels, Sources of Finance, Brands, Customers, Technologies as well as People, Investments, Culture, Values, Communication etc. (Strategising usually means looking at the world in which we do business rather than focusing on internal activity. Both elements are important to ensure a business remains sustainable.) All these topics constitute ‘themes’ which can be organised into risk areas, categories or risk types (these are just labels, so you could just call them ‘risk buckets’ if you prefer). Now depending upon how high up the list of priorities each of these themes are, (hint coming here Leaders! Check out your 3-5 Year Business Plan for priorities) they will have varying levels of appetite for risk-taking. So, risk appetite statements would be useful for each of these too. Especially as this will help you anticipate and respond to the changing conditions, emerging opportunities and threats in the world in which you are running your business.
What next? All that remains now is to translate your strategic and departmental risk appetite statements into a set of limits, tolerances and triggers and you have something that staff can apply when assessing and managing each risk as it pops up. This will keep risk management practices across the organisation consistent and effective. Staff won’t have to rely on their subjective judgment to make decisions about how to manage or prioritise any uncertainty in the everyday things that they do. Leaving risk management to individual judgment is a surefire way of guaranteeing that staff won’t manage risk in line with Senior Management’s expectations, or the same way as their colleagues come to that! This is how you use ‘checks and balances’ for controlling your business and empowering your staff to make good choices and take effective action. This also feeds into the customer service your organisation gives, facilitating a consistent and fair approach.
Now that everyone understands what they are aiming for, it gives the Leadership Team an opportunity to collect all of these risk appetite statements together (X,Y,Z in the picture above) and compare them to the overarching organisational Risk Statement (lets call this the ruler in the picture above). This is to make sure that despite the differences in departmental and strategic ability or willingness to take on uncertainty, you can all come together in the end on one common risk-taking goal. If you need to revise the organisation’s Risk Statement now, don’t be afraid to do so. Just make sure you double back again to check on your Business Objectives and Mission (purpose) to make sure everything is still aligned. This will also, really help you align your Strategy with the level of risk that you want to take to deliver a given level of performance. As well as providing some input for remuneration decisions, it will also guide what you say to stakeholders, which of course is required to provide transparency.
How do we know what levels of uncertainty we are taking onboard and whether that has impacted what we actually planned to do in the first place? Can triggers help to alert us before it’s too late, to protect the business from loss or veering off our roadmap? The answer to this is certainly ‘yes’, but you’ll have to stay tuned for our next blog where we will show you how to do this.
Here is some essential terminology now:
Risk = an uncertain event or set of events that, should they occur, will have an effect on the achievement of business objectives. Measured as a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact upon objectives. OR the possibility of something bad happening.
Risk Appetite = the amount and type of risk that an organisation is willing to take or must take in pursuit of its objectives.
Risk Tolerance = An organisation’s (including its influential stakeholder’s) willingness to take risk in order to achieve its objectives
Risk Capacity = The maximum amount of risk that an organisation can take on.
