Guidance Paper - The Institute of Risk Management

Develop 

408 

The development of the risk 

appetite approach should now 

be well-informed by the 

background work, the 

preliminary sketch and the dialogue with 

relevant stakeholders. The amount of 

detail that is required will vary from 

organisation to organisation. Of course, 

the detail needs to be tailored and 

proportionate to the organisation. 

Approve 

409 

If we are right in thinking that 

the development of risk 

appetite thinking in 

organisations has the 

potential to change the way that 

organisations are run, then it goes 

without doubt that boards, and in the 

event that they exist, risk oversight 

committees should review and approve 

the risk appetite document. 

Implement 

410 

Implementation is going to 

take some time. It is unlikely 

that an organisation will be 

able to get the risk appetite framework 

right first time. In particular the cultural 

aspects, the data gathering and the 

ramifications of divergences from the 

statement will need to be worked 

through. 

There is little point in defining 

411 an appetite without clearly 

articulating consequences. 

Further, it is important the 

organisation is seen to take action in 

conjunction with the appetite. For 

example, some Boards and senior 

management state they have a zero 

tolerance risk appetite regarding any 

compliance or regulatory breaches. All 

well and good, but the organisation’s staff 

policy handbook must clearly follow the 

same lines and one would expect that 

once proved, disciplinary proceedings for 

the staff responsible would be automatic. 

For the risk appetite statement to be 

taken seriously throughout the firm it 

cannot be defined in isolation to the rest 

of the organisation. 

Report 

412 

We envisage that reporting 

against risk appetite 

statements will broadly take 

two forms: 

• Internal: this will require reporting on 

a frequency similar to regular internal 

management reporting,; and 

• External: this will require annual 

reporting to relevant stakeholders, 

including (where they exist) 

shareholders, and perhaps others 

included in the stakeholder 

engagement stage above. 

Review 

413 

At the end of each reporting 

cycle, and before the risk 

appetite statement is resketched, 

there should be a review, 

perhaps undertaken by the board or the 

risk oversight committee into what 

worked well, what failed, and what needs 

to be done differently next time. Learning 

the lessons, especially in the early days of 

implementing a risk appetite statement 

will be critically important. 

Implementing 

a risk appetite - 

questions for 

the boardroom 

• Has the organisation followed a 

robust approach to developing 

a risk appetite 

• Who are the key external 

stakeholders and have 

sufficient soundings been taken 

of their views Are those views 

dealt with appropriately in the 

final documentation 

• Is the risk appetite tailored 

and proportionate to the 

organisation 

• Did the risk appetite undergo 

appropriate approval processes, 

including at the board (or risk 

oversight committee) 

• What is the evidence that the 

organisation has implemented 

the risk appetite effectively 

32

Previous page

Next page

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

42

Guidance Paper - The Institute of Risk Management

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?