Following on from our highly engaging webinar on the topic of “Risk Appetite”, we were inundated with questions from an audience keen to get even more insights from our accomplished panel. Although we ran out of time in the live session, we recently had the opportunity to sit down virtually once again with our panel of female risk leaders and get those all-important answers to your questions. In this information-packed Q&A, Dafni Leflore (ERM Manager, Norfolk Southern Corporation), Merline Denis Barrington (Enterprise Risk Management, Port Authority of New York & New Jersey) and Tamika Puckett (Willis Towers Watson) answer your questions on risk appetite statements, risk tolerance, KPIs and metrics.
One attendee stated:
I usually think of risk appetite as the amount of risk, typically stated in financial terms, that an organisation is willing to expend in pursuit of its goals. This is compared to risk tolerance which addresses more variability around key risk indicators that the organisation is willing to tolerate.
They asked the panel if they “agreed” with this view.
Dafni didn’t completely agree with this statement. She added, “For certain organisations, there are metrics and there are areas of the company that bear risk in a non-financial context, like ‘volume’ or ‘capacity’, so I don’t think it’s something just specific to financials. However, if you think of it in terms of qualitative vs quantitative, then I think a quantifiable risk appetite and risk tolerance statement tells a more compelling story.”
Merline added that “It’s important to understand qualitatively, in specific terms, what the risk posture is to achieve certain strategies or objectives, or even certain risks for the organisation. Tolerance works hand in hand, translating that posture into certain limits or bands that can be cascaded out across the organisation for the purpose of making decisions on the day-to-day. You need those quantitative or financial terms when it comes to risk tolerance so that you can tangibly inform decision-making for various levels of the organisation.”
Can you provide guidance on how an internal auditor might evaluate/assess the quality of risk appetite and tolerance statements? Are there any key ‘must have’ elements to include? Similarly, are there any red flags in risk appetite/tolerance statements that suggest the content may not meet the expected objective of these statements?
Dafni pointed out that “You audit against what you have stated in governance documents to be your framework for constructing, monitoring, and improving your risk appetite statements. If you audit against a risk appetite statement it would have to be more of a compliance audit. But it really depends on the wording of your risk appetite statement; if you have measures in your risk appetite statement then sure, you can audit against it. It just depends on how detailed your risk appetite statements are.” She joked, “If you can audit your risk appetite statement, maybe you’ve put too much into it!”
Tamika added “I agree completely with Dafni. You would typically not audit against your appetite and tolerance statements. What you are auditing are the controls that you have in place that allow you to maintain within the bounds of the statements that you have made. So, it is not really auditing against the actual statement itself, but the controls that define the build-up to those statements.”
Merline concurred: “A risk appetite statement, if done right, is not necessarily an auditable entity; rather, the governance around it is what is an auditable entity.”
How important is it to move from qualitative risk rating (risk matrix – heat map) to quantitative risk rating if an organisation is wanting to effectively use risk appetite and risk tolerance and make decisions? How should one go about the transition from qualitative to quantitative?
Merline shared her thoughts: “The premise of enterprise risk management goes beyond your traditional risks that can be quantitative, like financial risks. The intent is also to capture risks that stem from behavioural decisions, such as reputational (risk), that can have quite a bit of a disruptive factor to financial risks – but you’re catching them where they start. I think the goal should always be to have both qualitative and quantitative so that you are not having a binary view of risks that can only be quantified, because you might miss a lot. If you are doing root cause, you will certainly miss some root causes that are harder to quantify but can certainly be captured qualitatively. It is about having the right balance between qualitative and quantitative, and not necessarily dropping either.”
Tamika added “When I was at Zoom, this was one of the things that we struggled with a lot: trying to figure out if it’s necessary to mature the programme from being qualitative to being more quantitative. There was a desire to be able to put numbers around our tolerance and appetites and to be able to quantify the potential impacts from a financial standpoint, should a certain risk come to be realised. It was nearly impossible. I have had conversations with people that had come from other very large or mature organisations, both in the tech industry and outside of the tech industry, who all experienced the challenges of trying to quantify their risk. You must do it in a matrix because everything cannot be quantified on the same scale. I do not believe that quantitative applies to every risk.”
How often should you review your risk appetite?
Dafni thought risk appetite should be reviewed “Annually”. She added “There’s too much disruption occurring around us for anything less than that to be helpful to your organisation.”
Tamika added “I would say annually and post any major incident. Because businesses can definitely have some lessons learned after a major incident that can provide immediate insights about your tolerance and appetite.”
Do you think appetite needs to be reviewed and updated according to the annual strategic plan?
Merline suggested to “Align that sort of cyclical revisiting of risk appetite with your annual strategy setting, to make sure that you’re working in tandem.”
What is the best way to articulate an organisation’s risk management? The big picture across the different risk categories. We are trying to do it and it is a bit like nailing jelly (jello) to a wall!
Dafni suggested to “Try and make risk relatable”. She shared this analogy “Think about your Apple Watch. It tells you about siloed pieces of information about your health, but it doesn’t give you an overall health score.” She suggested we look at risk in a similar context, “Essentially, we have these different dashboards in our company that tell us different things about the health of our organisation, but we can’t see the ‘big picture’ of how one metric impacts the other. Being able to talk about risk management in a relatable way helps the messaging to sink in. It’s simple stuff like that example that I just gave, that makes that information so much more pronounced and captures the ears of your listeners and allows them to see things from a holistic standpoint.”
Merline was in agreement with Dafni. She added, “There’s so many different data points and data sets, which when you pull them all together can yield a very powerful picture.” She suggested to “Think about how you aggregate your risk data. What are your categories of risks?” She shared that at the Port Authority they have “5 categories of risk including people, processes, systems & relationships”. She added that they tend to capture “strategic risks, external risks, and operational risks” as part of that. Merline recommended to “Start taking a hard look as to how you aggregate information because you’re conveying insights to high-level people who then need to make decisions on them, so it has to be consumable.” She suggested to “Have a top-down and a bottom-up approach. I always make sure to talk about that top-down because that’s where the higher-level folks have a call to action. The bottom-up is everyone else in the organisation. Those are the two tenets of my programme structure, which combines how data is aggregated.” She believes those components will give a good indication of an organisation’s risk posture.
What must a risk appetite document contain if you’re developing it for the first time?
Tamika was keen to point out that “You must first define whether you are going to have quantitative versus qualitative measures.” She added “I have determined that it’s not necessarily a single statement. It could be a matrix because risk looks different within different pillars of the organisation. You might not have a single statement for the organisation, you might have a series of statements that may be aggregated up to a single statement.” She said it is essential to “Remember that different areas of the organisation will have different appetites and different tolerances for certain types of risk and that’s why it’s so hard to have a single statement.”
Would it not send the wrong message during decision-making if we draft different risk appetite documents for different risk categories?
Tamika quipped, “I don’t think it sends a different message. I think that sometimes you have to have a matrix. Then you can aggregate those statements up to a single tolerance; different risk categories might have different tolerances and appetites.”
What comes first, the ERM framework/programme or the risk appetite statement?
Merline pointed out that “When you’re deciding on a framework, you will inevitably have to answer the question as to whether you’ll have a risk appetite, and what that will look like for your organisation. For some organisations, that risk appetite serves as the framework and the nucleus around which the entire programme revolves and exists. I think the framework and appetite questions are natural starting points for any programme.”
Dafni on the other hand believed “It is far easier to start with your framework and then go to your risk appetite because a lot of organisations do not even have risk appetite statements. If you were to establish your risk appetite first, you might put yourself in a situation where you are having to pivot and make changes to your framework.” She suggested “Your framework should not change as frequently as your risk appetite might. Even amidst disruption, your framework should not really change much, unless it is enhancing. But your risk appetite statement is more than likely to change as it requires several different components & influences outside of ERM. ERM has more control around the framework and what that framework looks like. So, it is easier to do what is within your control versus what is not within your control.”
Did you compile your risk registry within the organisation or was an external resource leveraged to initiate a starter risk registry?
Merline said at the Port Authority they “Based the frame for our risk register – the outline and how it is going to be organised & categorised – for a system that we had and built it on that frame.”
Tamika shared that when she was at Zoom they “Started their risk register internally.” She added “While we had a system to house our risk register, we had that system modified to fit our business needs. When you talk about risk management information systems or your GRC software, a lot of entities build based on a predetermined off-the-shelf, out-of-the-box system. Ultimately, you’re still creating a risk register. You need to think about: how do you want it organised? How do you want the information to flow? Who do you want it to flow to? In our case, we started with what we had built internally; we created the register, and it was in a spreadsheet, which is where most of us start. Then we moved that to a system, but then had that system further developed to fit our internal programme needs.”
What steps would you recommend someone take to become a Risk Manager? Are there any resources you recommend for someone who is looking for a mentor to help guide them?
Merline suggested “If you are already working somewhere, and you’re interested in moving into a risk management role at that organisation or company, I would really recommend getting to know the business model and the revenue generators, do a value chain analysis, know your business in and out… And then try to detect potential risks and then pitch that to whoever oversees risk management. I suggest getting certified. RIMS in particular offer a great certification. There is also one for the federal government if you work in that industry. And there are also other certifications out there such as ISO & ARM. Certainly, getting a mentor is always a good step as well.”
Tamika rounded off by saying that “Historically, most people who have become risk managers did not have a risk management degree.” She suggested that “All of us are risk managers” to some extent and we can all learn the risk management principles. But to apply those principles within your business, “You must learn your organisation so you can leverage that information. Once you learn the basic principles of risk management you can apply it in any industry.”
She too recommended seeking out your “Local RIMS chapter and connecting with their mentorship programme in your region”. Alternatively, she also suggested “Young Risk Professionals as a valuable network that caters to those 35 and under”, which offers mentorship programmes for rising risk professionals.
Thank you to our audience for asking those pertinent questions and getting the most out of our panel. It certainly resulted in a lively discussion and provided some interesting perspectives for other risk management professionals.
Determining the risk appetite for any business is critical for organisational success. Do you wish to know more about bringing your risk appetite to life with both qualitative and quantitative risk assessments? Simply reach out to us here at Camms for a demo of our solution. To watch the on-demand recording of the risk appetite webinar that provoked these questions, click here.