Identifying the risk appetite of an organisation can be difficult. Writing a risk appetite statement can be even more difficult. And ensuring that the risk appetite statement serves a useful purpose is the most difficult thing of all. This article explores some of the practical considerations and discusses a recently published example.

Requirement to produce a risk appetite statement

There has been a great deal of discussion in the business community about how to define ‘risk appetite’, including how to develop a risk appetite statement. For many organisations, this has become an urgent issue because they are listed companies required to comply with guidance issued under the UK Corporate Governance Code.

The Financial Reporting Council (FRC) issued risk guidance in September 2014 requiring listed companies to report on their principal risks and risk appetite. The requirements include the need to undertake a robust assessment of risks to the business model and strategy, as well as clear identification of the risks the organisation is willing to take (its risk appetite).

These reporting requirements came fully into force for UK listed companies with a year end after 30 September 2015. Therefore, the first examples of annual reports and accounts that take account of the new FRC requirements are now being published.

Statements for financial institutions

For financial institutions, identifying risk appetite in relation to credit risk is fairly straightforward. It is relatively simple to decide the basis on which a bank will lend money and the nature of a client that represents a good credit risk. Banks will normally seek a portfolio of clients with different credit ratings, so that they can charge different interest rates based on the level of credit risk each client represents.

A good example of a company that provides a detailed insight into its risk appetite is Nationwide Building Society. Its Report and Accounts 2014 uses the phrase ‘risk appetite’ a total of 50 times. Nationwide defines risk appetite as ‘the level and type of risk that the group is willing to assume in pursuit of the strategic goals’.

Recent example of a risk appetite statement

Network Rail has recently published its risk appetite statement, which is summarised in the case study at the end of this article. Although it is not a quantitative statement, it provides a good example of how risk appetite statements are being structured.

The Institute of Risk Management uses the FIRM risk scorecard to classify strategic risks. Risks can be considered to be financial, infrastructure, reputational and/or marketplace. The Network Rail risk appetite statement follows a similar structure to the FIRM risk scorecard.

When developing a risk appetite statement, the structure of the statement should be aligned with the organisation's own risk classification system. This is essential, because organisations will have different appetites for different types of risk. Almost all organisations will tend to have a low risk appetite for financial risks, such as fraud or the incorrect allocation of capital. Also, almost all organisations will have a very low risk appetite for circumstances that can damage the reputation of the organisation. Indeed, Network Rail does identify itself as having a very low appetite for reputational risks.

Infrastructure risks include people, premises and processes. Generally speaking, organisations will have a very low risk appetite for safety risks that can cause injury or ill-health to people. However, the same organisations may have a higher risk appetite in relation to other components of their infrastructure. Some organisations are willing to take considerable risks with their processes and information systems. There may be a desire to outsource many activities across an extensive range of suppliers and contractors. For example, the willingness to accept low to moderate risks in relation to information systems is clearly stated by Network Rail.

Appetite for marketplace risks

It is, perhaps, in relation to marketplace risks that the greatest variation in risk appetite can be found between different organisations. Organisations involved in developing innovative products, especially in relation to electronic equipment, as well as companies involved in the development and testing of pharmaceuticals, are almost invariably going to have a high risk appetite for product development. When the organisation has a high risk appetite for product development, the risk management protocols will need to be extremely robust. 

Organisations are required to identify their principal risks and clearly state the risks that they are willing to take, so there is an explicit obligation to clearly identify and manage risks. It is generally accepted that the UK Financial Reporting Council is establishing world-leading best practice guidance on risk reporting. In addition to assisting management within an organisation when making decisions, the risk appetite statement will also help shareholders and other stakeholders form an opinion of how seriously the organisation takes its risk management responsibilities.

Case study: Network Rail

In the Annual Report and Accounts 2015, Network Rail defines its risk appetite statement as follows: 

‘Network Rail has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers and workforce. Safety drives all major decisions in the organisation. All safety targets are met and improved year on year. In the pursuit of its objectives, Network Rail is willing to accept, in some circumstances, risks that may result in some financial loss or exposure including a small chance of breach of the loan limit. It will not pursue additional income generating or cost saving initiatives unless returns are probable.

The company will only tolerate low to moderate gross exposure to delivery of operational performance targets including network reliability and capacity and asset condition, disaster recovery and succession planning, breakdown in information systems or information integrity. The company wants to be seen as best in class and respected across industry. It will not accept any negative impact on reputation with any of its key stakeholders, and will only tolerate minimum exposure ie, minor negative media coverage, no impact on employees, and no political impacts.’

Paul Hopkin is technical director at the Institute of Risk Management and has previously been head of risk management at The Rank Group and the BBC.