It is essential practice for a board to endorse a statement of risk appetite that sets out, for each of the main categories of risk, how much risk the board is willing to allow the company to be exposed to. This statement greatly assists management to design and implement actions, controls and strategies that will keep the risks within the agreed boundaries.

Nothing is more frustrating than a board that can’t agree to accept the risks inherent in delivering the approved strategy.

To help directors and senior executives who are approaching the task of creating a risk appetite statement for the first time (or those who are unhappy with their current efforts and wish to improve), we have put together this list of questions.

The questions below provide comprehensive coverage across:

  • Taking enough risk to achieve desired rewards
  • Defining risk
  • Understanding your organisation’s risk maturity
  • Building a shared view of risk and appetite
  • Defining likelihood and impact
  • Reporting and adjusting

The questions are designed to start you thinking about issues that you may encounter. Your answers are not necessarily good or bad; they should reflect the current and desired state of your understanding of the board and its role in your company.

Trust yourself to recognise the questions that matter most to your board; they will help you design a workshop that makes the most progress with your board and directors.

At the end of the checklist, we have listed some references that you may wish to investigate for additional reading on the topic. We have also included some suggestions for putting into action the ideas that result from considering the checklist.

Taking enough risks to achieve desired rewards

1. How does your board ensure that management are taking enough risk?
 
2. How is management incentivised to take prudent risks?
 
3. How does your board respond when risks are below the stated appetite?
 
4. Is ‘as low as reasonably practical’ (ALARP) the right setting for your risks, or is there a setting that better suits the company? How will your board communicate and monitor this setting?
 
5. How does your board communicate with shareholders and other stakeholders about the level of risk that the board believes is appropriate?

Defining risk

6. Does the board understand that risk and strategy are related (two sides of the same coin)?
 
7. Is it clear that the board and executive team understand that the amount of risk they take, either deliberately or unintentionally, will impact the results they achieve?
 
8. Do the board members understand that taking risk is intrinsic to doing business and essential for grasping opportunities? Or is there an attitude of risk minimisation regardless of the need to grasp opportunities?
 
9. How is the board helping the executive team to recognise that risk is the effect of uncertainty upon outcomes and does not always have a negative impact?
 
10. Would the executive team agree with the board that risk management will increase certainty that a decision’s desired outcome will be achieved?
 
11. Have any members of the executive team or board undertaken formal training (even a short course) in risk management?
 

Understanding your organisation’s risk maturity

12. The greater the risk maturity of the organisation, the higher the level of risk that can safely be accommodated in the strategic plan. Has your board assessed organisational risk maturity to allow it to set an appropriate appetite?
 
13. Does the organisation respond in an ad hoc manner to risks that eventuate, relying on the thinking and abilities of the people involved in the incident? If so, it is likely at level one.
 
14. Is the board frequently surprised by events or incidents or frustrated that things which go wrong are, with hindsight, easily foreseeable and preventable? If so, the organisation is likely at level one.
 
15. Does success in responding to adverse events depend upon individuals making a heroic effort rather than systems and processes that have been designed and established for precisely this purpose? If so, the organisation is likely at level one.
 
16. Does the company have risk processes for certain activities or projects? If so, it is likely at level two.
 
17. Is risk managed and responded to differently in different parts of the organisation or by different people? If so, risk maturity is likely at level two.
 
18. Is risk management primarily based around certain key projects rather than embedded into the way things are done? If so, risk maturity is likely at level two.
 
19. Are staff able to access risk information before they commence a project? If so, risk maturity is likely at level three.
 
20. Is there a consistent method and set of practices for managing risk across the organisation? If so, risk maturity is likely at level three.
 
21. Is risk management a prerequisite of business planning and based on a standard framework that applies across all projects, business units and activities? If so, risk maturity is likely at level four.
 
22. Is risk management a routine part of doing business and do systems allow individuals to access and learn from data from across the company? If so, risk maturity is likely at level five.
 
23. Is the system generating proactive insights, and can it be replicated for new activities with minimal effort? If so, risk maturity is likely at level five.
 
24. Are you confident that your risk maturity supports taking the level of risk described in your risk appetite statement?
 

Building a shared view of risk and appetite

25. Have the directors and senior management team discussed the nature and extent of the risks that face your company?
 
26. Are the directors emotionally capable of setting aside their personal risk appetites in order to set appetite at the level that best suits the company? How does the organisation support them in this difficult task?
 
27. Has the board agreed the current level of risk that the organisation is taking?
 
28. Does the appetite statement define the most appropriate level of risk within each relevant risk category?
 
29. Does the board understand the inter-related nature of many risks and the way that one incident may trigger several risks?
 

Defining likelihood and impact

30. Has the board quantified the estimated impact in cost, management time and effort, human suffering, environmental impact, and reputation damage of each risk? How much of this cost can the company bear? How does the cost increase with each incident?
 
31. What can be done to reduce the impact of each risk? What additional benefits, apart from the risk reduction, are derived from undertaking the activity?
 
32. Within what range of impact does the board wish to keep each risk?
 
33. What is the estimated likelihood of each of the key risks? How often can the company withstand repeated exposure to the risks as they eventuate?
 
34. What can be done to reduce the likelihood of occurrence of each risk?
 
35. Within what range of likelihood does the board wish to keep each risk?
 
36. What are the costs (financial and other) of risk reduction? At what point does the risk reduction cost more than the risk itself? What are the benefits of reducing likelihood (other than the reduction in the likelihood of the targeted risk)?
 

Reporting and adjusting

37. How does the board prefer to receive risk reports? Are risks reported through the audit committee first (usually in greater detail)?
 
38. Do reports include the inherent (original/untreated) level of risk to keep the board alert to what is possible, or report only the treated level of risk?
 
39. Does the board appreciate the standard risk v. likelihood graphical representation of risk, or do they prefer to see a broader framework report?
 
40. How does the organisation report to the board on risks that interact with each other?
 
41. Does the board want to see the failure mode analysis for each of the biggest risks? (Failure mode analysis is a step-by-step approach for identifying all possible sources of failure and then prioritising effort towards the more critical modes of failure.)
 
42. Does the board prefer to receive reports on a certain number of the largest risks or on all risks above a certain threshold?
 
43. How often does the board wish to review risk?
 
44. Is risk a standard section in all business cases for board approval and in the regular CEO report? Should it be?
 
45. Does the company’s risk framework cover an appropriate range of categories of risk? For example: Health and safety, Compliance, Reputation, Financial, Community experience, Human resources, Delivery of core operations and capabilities, Service delivery, Information management and security, Governance, Technology and innovation.
 

Taking action

Read the questions and note which ones you can confidently answer. Make a record of any actions that you wish to take to help answer any questions that you were not confident about.

Risk appetite, rather than risk management, is one of the most important decisions a board will make. It is essential that all directors agree the desired appetite and put aside their personal risk appetites in order to make risk decisions that are in the best interests of the organisation. This is a complex and often contentious process. You may need to engage the services of a qualified board risk expert to assist.

Note that this checklist is about setting the appetite and reporting on risk against the targets set in the appetite statement. It does not cover managing risk which is the topic of a separate checklist.

Additional reading and reference sources

  • Australian Compliance Institute, 2010, Quick Guide to Compliance, Ethics, Governance, Risk and Corporate Social Responsibility, Sydney.
  • Australian Securities & Investments Commission, 2019, Corporate Governance Taskforce—Director and officer oversight of non-financial risk report.
  • R Baxt, 2016, Duties and Responsibilities of Directors and Officers, 21st edn, Australian Institute of Company Directors, Sydney.
  • P L Bernstein, 1996, Against the Gods—A History of Risk, Wiley, New York.
  • N Buck, 2005, “Corporate Governance: More than a State of Mind”, in J O’Brien (ed.), Governing the Corporation: Regulation and Corporate Governance in an Age of Scandal and Global Markets, John Wiley and Sons, Oxford.
  • J D Frame, 2003, Managing Risk in Organisations: A Guide for Managers, Jossey-Bass, San Francisco.
  • J Garland McLellan, 2011, All Above Board: Great Governance for the Government Sector, Australian Institute of Company Directors, Sydney.
  • A Hopkins, 2005, Safety, Culture and Risk, CCH, Macquarie Park.
  • M Power, 2007, Organized Uncertainty: Designing a World of Risk Management, Oxford University Press, Oxford.
  • J Reason, 1996, Managing the Risks of Organisational Accidents, Ashgate, Farnham.
  • G E Rejda, 2016, Principles of Risk Management and Insurance, 13th edn, Pearson.