An organization-wide risk appetite can be a powerful statement that gives your risk or compliance program direction. However, like any policy, risk appetite without accompanying action is nothing more than an idea.
So how do you give your risk appetite teeth? How do you make it an actionable guide for your organization?
Here are five recommendations to put your risk appetite into practice.
1. Translate risk appetite to the process level.
Every day your front-line managers are making operational decisions about risk, far from your risk appetite policies. This is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.
To successfully implement your risk appetite, you need to identify and set risk tolerances at this level of operations: the front-line process level. This will allow you to connect front-line decisions with your overall risk appetite and determine which processes are out of range.
Setting risk tolerances around front-line processes isn't enough to truly put your risk appetite into action. You also need to be monitoring root causes of risk at this level.
For example, say your risk appetite sets a low tolerance for customer dissatisfaction and as a goal you aim to increase customer satisfaction. You could set goals for a particular customer satisfaction survey. However, this metric doesn't offer any actionable solution to improve customer service.
Instead, go to the root causes of customer dissatisfaction with metrics such as call wait time, email response time, or case volume. Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.
3. Risk metrics need to be forward looking.
Another problem with our customer service survey comes from the time it takes to compile responses and analyze aggregated results just to be able to make a decision. With a survey you'll always be acting on customer impressions from last month as an effect of last year's policies.
Instead, your metrics need to be looking to the future. Returning to our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization.
4. Standardize your risk metrics enterprise-wide.
Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.
Using our customer service metrics again, re-opened cases might be a good root-cause metric, but it's not comparable over time or across products as the number of total customers will vary. Instead, measuring the percent of re-opened cases may be a more meaningful metric, as its value is independent of customer volume and is thus comparable both over time and across silos.
5. Align your risk tolerances with your strategic goals and business model.
Risk tolerances will naturally develop from your overall risk appetite, but they also need to be in line with your organization's goals. Your organization might define a very low tolerance for customer dissatisfaction, but if you're attracting lots of high-cost customers, then this policy isn't in line with a discount business model.
When risk tolerances are aligned with both overall risk appetite and strategic goals, they will both improve risk mitigation effectiveness and contribute to achieving your strategic goals.
To see the power of these recommendations in action, see our video "Streamlining Governance with ERM".