good governance institute board guidance on risk appetite · 2020-05-01 · good governance...
TRANSCRIPT
www.good-governance.org.uk
GoodGovernanceInstitute
Board guidanceon risk appetiteGood Governance Institute (GGI)
May 2020
Board guidance on risk appetiteRisk appetite, defined as ‘the amount and type of risk that an organisation is prepared to pursue, retain or take1’ in pursuit of its strategic objectives, is key to achieving effective risk management. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings, and therefore should be at the heart of an organisation’s risk management strategy – and indeed its overarching strategy.
It is important that boards understand and apply risk appetite because:
• If they do not know what their organisation’s collective appetite for risk is and the reasons for it, this may lead to erratic or inopportune risk-taking, exposing the organisation to a risk it cannot tolerate; or an overly cautious approach which may stifle growth and development
• If they do not know the levels of risk that are legitimate for them to take, or do not take important opportunities when they arise, then service improvements may be compromised and patient and user outcomes affected
• It can serve as the basis for consistent and explicit communication at different levels, and to different stakeholders. Risk appetite will be influenced by a number of factors including personal experience, political factors and external events among others.
Risk can generate significant opportunities and therefore should be considered in terms of both opportunities and threats:
• When considering threats, the concept of risk appetite embraces the level of exposure which is considered tolerable and justifiable should it be realised
• When considering opportunities, the concept embraces consideration of how much one is prepared to actively put at risk in order to obtain the benefits of the opportunity
• It is important that boards understand that in order to achieve their strategic objectives they may have to adopt a more assertive risk appetite, recognising that risk appetite should be forward-looking.
Risk tolerance is subtly different to risk appetite in that it reflects the boundaries within which the executive management are willing to allow the true day-to-day risk profile of the organisation to fluctuate while they are executing strategic objectives in accordance with the board’s strategy and risk appetite. It is the level of residual risk within which the board expects sub-committees to operate and management to manage. Breaching the tolerance requires escalation to the board for consideration of the impact on other objectives, competing resources, and timescales.
At least once a year, the board should set specific limits for the levels of risk the organisation is able to tolerate in the pursuit of its strategic objectives. The board should also review these limits during periods of increased uncertainty or adverse changes in the business environment.
In setting these risk appetite and tolerance levels, the board should consider risk factors in both the external and internal business environments. These levels could be measured quantitatively, qualitatively, or both, and should be specific to each of the relevant core activities and outcomes.
The board may also set limits regarding the enterprise’s risk appetite, i.e. the risk limits that the board desires, or is willing to take.
The board should monitor and audit the management of significant risk undertaken by managers and clinical staff and satisfy itself that decisions balance performance within the defined appetite and tolerance limits. The board should ensure that it understands the implications of risks taken by management in pursuit of better outcomes, as well as the potential impact of risk-taking by, and on, local communities, partner organisations, strategic providers and other stakeholders.
This process is dynamic; risk probability and impact as well as risk appetite can change through circumstances and experience. The perception of the public to risk and confidence in the organisation’s ability to identify and mitigate risk successfully can shift quickly in the light of publicity and risk failures often outside the direct control of the organisation. As such, risk awareness and communication play an important part in protecting the reputation of the organisation from such instances of outrage.
1. ISO 31000
GoodGovernanceInstituteGood Governance Institute
ISBN: 978-1-907610-57-8
© 2020 GGI Development and Research LLP
Published May 2020 by GGI Development and Research LLP, london
Good Governance Institute, (Company number 590301 Registered in the Republic of Ireland) Registered office: The Black Church St. Mary’s Place Dublin 7 D07 P4AX Republic of Ireland; GGI Limited (Company number: 06836117 Registered in England and Wales) Registered Office: Old Horsmans, New Road, Sedlescombe, Battle, East Sussex, TN33 0RL UK; GGI Development and Research LLP (Company number C384196 registered in England and Wales) Registered Office: Old Horsmans, New Road, Sedlescombe, Battle, East Sussex, TN33 0RL, UK
Applying risk appetite
Seek mitigationof risks, and delegate to management for delivery and to sub-committees and/or task-and-finish
groups for scrutiny and assurance.
Determine risk tolerance to inform
the scheme of delegation and clarify escalation procedures if breaches occur or
are inevitable.
Determine the organisation’s
strategic objectives and outcomes.
Clarify what success looks like for service users, staff, partners and board members.
Determine the overall risk appetite for the board, working through each
strategic objective, and generate a risk appetite statement to inform decision-making in connection with
risk.
Identify significant risks that could
compromise the delivery of outcomes.
Design an effective forward trajectory and
monitoring of performance with a
corresponding assurance
framework.
Use risk appetite to inform board and sub-committee
agendas.
Review risk appetite and risk tolerance
and delegations on an annual basis.
GoodGovernanceInstituteGood Governance Institute
GGI believes that it helps to identify different types of risk (including, but not limited to, finance, regulation, quality, reputation, and people) but it is important to always assess these in the round. To support this, we have developed the risk appetite matrix.
The matrix sets five levels of risk appetite for each of the risk types. There are no right answers, but the matrix allows board members to articulate their appetite and tolerances and arrive at a corporate view, considering the risk appetite of others and the capacity for management to communicate and deliver.
Boards should consider each strategic objective against the matrix and agree its level of risk appetite, what it can delegate, and what additional assurance it requires. The matrix can also be used for individual initiatives and emerging problems and should help the board to better manage its agenda and the level of routine reporting required.
Breaches of agreed appetite must be escalated with agility.
Strategic risks and the board assurance frameworkA critical role of any board is to focus on the risks that may compromise the achievement of the organisation’s strategic objectives. In order to be confident that the systems of internal control are robust, a board must be able to provide evidence that it has systematically identified its strategic objectives and managed the principal risks to achieving them.
A good board assurance framework (BAF) is a live tool that helps boards to undertake this duty by providing a simple yet comprehensive means by which to effectively manage the principal risks to meeting the strategic objectives. The Audit Committee Handbook identifies the BAF as ‘the key source of evidence that links strategic objectives to risks and assurances, and the main tool that the board should use in discharging its overall responsibility for internal control’.2 .The BAF, therefore, is the key document that should be driving the board and committee agendas. It provides a structure that enables the board to focus on the significant risks, highlights any key controls (management actions to avoid or mitigate risks) that have been put in place to manage the risk, any areas requiring further action, sources of evidence or assurance, and any gaps.
The BAF is, in GGI’s view, the original invest-to-save scheme for boards. Time spent on getting the various elements of the BAF right will help boards streamline assurance, locate where and how assurance is tested and develop proportionality in board reporting.
Key to this will be boards taking responsibility for identifying their risk appetite and risk tolerance for each strategic objective and agreeing what is sufficient in terms of controls and the assurances that the controls are operating effectively. The greater the risk appetite, the more controls should be put in place by management to avoid or mitigate the risk.
2. DH/HFMA, 2005, Gateway Ref 5706
Risk appetite Risk tolerance
Strategic objectives
Rare Insignificant
Unlikely Minor
Possible Moderate
Likely Major
Almost Certain Severe
ConsequenceLikelihood
None Financial
Minimal Regulatory
Cautious Quality
Open Reputational
Seek People
Significant
TypeLevel
The amount and type of risk that an organisation is prepared to pursue, retain or take in pursuit of its
strategic objectives
The boundaries within which the executive are willing to allow the true day-to- day risk profile of the organisation to fluctuate, while they are executing strategic objectives in accordance with the board’s strategy and risk appetite
GoodGovernanceInstituteGood Governance Institute
RISK
APP
ETIT
E LE
VEL
RISK
TYP
ES
N
ON
E0
MIN
IMA
L1
CAU
TIO
US
2O
PEN
3SE
EK4
SIG
NIF
ICA
NT
5
We
have
no
appe
tite
for
deci
sion
s or
act
ions
that
may
re
sult
in fi
nanc
ial l
oss.
We
are
only
will
ing
to a
ccep
t th
e po
ssib
ility
of v
ery
limite
d fin
anci
al ri
sk.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of l
imite
d fin
anci
al ri
sk. H
owev
er, V
FM is
ou
r prim
ary
conc
ern.
We
are
prep
ared
to a
ccep
t so
me
finan
cial
risk
as
long
as
appr
opria
te c
ontr
ols
are
in
plac
e. W
e ha
ve a
hol
istic
un
ders
tand
ing
of V
FM w
ith
pric
e no
t the
ove
rrid
ing
fact
or.
We
will
inve
st fo
r the
bes
t po
ssib
le re
turn
and
acc
ept
the
poss
ibili
ty o
f inc
reas
ed
finan
cial
risk
.
We
will
con
sist
ently
inve
st fo
r th
e be
st p
ossi
ble
retu
rn fo
r st
akeh
olde
rs, r
ecog
nisi
ng
that
the
pote
ntia
l for
su
bsta
ntia
l gai
n ou
twei
ghs
inhe
rent
risk
s.
FIN
ANCI
ALH
ow w
ill w
e us
e ou
r res
ourc
es?
We
have
no
appe
tite
for
deci
sion
s th
at m
ay
com
prom
ise
com
plia
nce
with
sta
tuto
ry, r
egul
ator
y of
po
licy
requ
irem
ents
.
We
will
avo
id a
ny d
ecis
ions
th
at m
ay re
sult
in h
eigh
tene
d re
gula
tory
cha
lleng
e un
less
ab
solu
tely
ess
entia
l.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of l
imite
d re
gula
tory
cha
lleng
e. W
e w
ould
see
k to
und
erst
and
whe
re s
imila
r act
ions
had
be
en s
ucce
ssfu
l els
ewhe
re
befo
re ta
king
any
dec
isio
n.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of s
ome
regu
lato
ry c
halle
nge
as lo
ng
as w
e ca
n be
reas
onab
ly
conf
iden
t we
wou
ld b
e ab
le
to c
halle
nge
this
suc
cess
fully
.
We
are
will
ing
to ta
ke
deci
sion
s th
at w
ill li
kely
resu
lt in
regu
lato
ry in
terv
entio
n if
we
can
just
ify th
ese
and
whe
re th
e po
tent
ial b
enef
its
outw
eigh
the
risks
.
We
are
com
forta
ble
chal
leng
ing
regu
lato
ry
prac
tice.
We
have
a
sign
ifica
nt a
ppet
ite fo
r ch
alle
ngin
g th
e st
atus
quo
in
orde
r to
impr
ove
outc
omes
fo
r sta
keho
lder
s.
REG
ULAT
ORY
How
will
we
be
perc
eive
d by
our
re
gula
tor?
We
have
no
appe
tite
for
deci
sion
s th
at m
ay h
ave
an
unce
rtain
impa
ct o
n qu
ality
ou
tcom
es.
We
will
avo
id a
nyth
ing
that
m
ay im
pact
on
qual
ity
outc
omes
unl
ess
abso
lute
ly
esse
ntia
l. W
e w
ill a
void
in
nova
tion
unle
ss e
stab
lishe
d an
d pr
oven
to b
e ef
fect
ive
in
a va
riety
of s
ettin
gs.
Our
pre
fere
nce
is fo
r ris
k av
oida
nce.
How
ever
, if
nece
ssar
y w
e w
ill ta
ke
deci
sion
s on
qua
lity
whe
re
ther
e is
a lo
w d
egre
e of
in
here
nt ri
sk a
nd th
e po
ssib
ility
of i
mpr
oved
ou
tcom
es, a
nd a
ppro
pria
te
cont
rols
are
in p
lace
.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of a
sho
rt-te
rm
impa
ct o
n qu
ality
out
com
es
with
pot
entia
l for
lo
nger
-ter
m re
war
ds. W
e su
ppor
t inn
ovat
ion.
We
will
pur
sue
inno
vatio
n w
here
ver a
ppro
pria
te. W
e ar
e w
illin
g to
take
dec
isio
ns
on q
ualit
y w
here
ther
e m
ay
be h
ighe
r inh
eren
t ris
ks b
ut
the
pote
ntia
l for
sig
nific
ant
long
er-t
erm
gai
ns.
We
seek
to le
ad th
e w
ay a
nd
will
prio
ritiz
e ne
w
inno
vatio
ns, e
ven
in
emer
ging
fiel
ds. W
e co
nsis
tent
ly c
halle
nge
curre
nt w
orki
ng p
ract
ices
in
orde
r to
driv
e qu
ality
im
prov
emen
t.
QUA
LITY
How
will
we
deliv
er s
afe
serv
ices
?
We
have
no
appe
tite
for
deci
sion
s th
at c
ould
lead
to
addi
tiona
l scr
utin
y or
at
tent
ion
on th
e or
gani
satio
n.
Our
app
etite
for r
isk
taki
ng is
lim
ited
to th
ose
even
ts
whe
re th
ere
is n
o ch
ance
of
sign
ifica
nt re
perc
ussi
ons.
We
are
prep
ared
to a
ccep
t the
po
ssib
ility
of lim
ited
repu
tatio
nal
risk
if ap
prop
riate
con
trols
are
in
plac
e to
limit
any
fallo
ut.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of s
ome
repu
tatio
nal r
isk
as lo
ng a
s th
ere
is th
e po
tent
ial f
or
impr
oved
out
com
es fo
r our
st
akeh
olde
rs.
We
are
will
ing
to ta
ke
deci
sion
s th
at a
re li
kely
to
brin
g sc
rutin
y of
the
orga
nisa
tion.
We
outw
ardl
y pr
omot
e ne
w id
eas
and
inno
vatio
ns w
here
pot
entia
l be
nefit
s ou
twei
gh th
e ris
ks.
We
are
com
forta
ble
to ta
ke
deci
sion
s th
at m
ay e
xpos
e th
e or
gani
satio
n to
si
gnifi
cant
scr
utin
y or
cr
itici
sm a
s lo
ng a
s th
ere
is a
co
mm
ensu
rate
opp
ortu
nity
fo
r im
prov
ed o
utco
mes
for
our s
take
hold
ers.
REPU
TATI
ON
ALH
ow w
ill w
e be
pe
rcei
ved
by th
e pu
blic
and
our
pa
rtne
rs?
App
lyin
g ris
k ap
petit
e m
atrix
WW
W.G
OO
D-G
OVE
RNA
NC
E.O
RG.U
K
Avo
idan
ce o
f risk
is a
key
or
gani
satio
nal o
bjec
tive.
Pref
eren
ce fo
r ver
y sa
fe d
eliv
ery
optio
ns th
at h
ave
a lo
w d
egre
e of
in
here
nt ri
sk a
nd o
nly
a lim
ited
rew
ard
pote
ntia
l.
Pref
eren
ce fo
r saf
e de
liver
y op
tions
th
at h
ave
a lo
w d
egre
e of
resid
ual
risk
and
only
a li
mite
d re
war
d po
tent
ial.
Will
ing
to c
onsid
er a
ll po
tent
ial
deliv
ery
optio
ns a
nd c
hoos
e w
hile
al
so p
rovi
ding
an
acce
ptab
le le
vel
of re
war
d.
Eage
r to
be in
nova
tive
and
to
choo
se o
ptio
ns o
fferin
g hi
gher
bu
sines
s re
war
ds (d
espi
te g
reat
er
inhe
rent
risk
).
Con
fiden
t in
setti
ng h
igh
leve
ls of
ris
k ap
petit
e be
caus
e co
ntro
ls,
forw
ard
scan
ning
and
resp
onsiv
e sy
stem
s ar
e ro
bust
.
We
have
no
appe
tite
for
deci
sion
s th
at c
ould
hav
e a
nega
tive
impa
ct o
n ou
r w
orkf
orce
dev
elop
men
t, re
crui
tmen
t and
rete
ntio
n.
Sust
aina
bilit
y is
our
prim
ary
inte
rest
.
We
will
avo
id a
ll ris
ks re
latin
g to
our
wor
kfor
ce u
nles
s ab
solu
tely
ess
entia
l.In
nova
tive
appr
oach
es to
w
orkf
orce
recr
uitm
ent a
nd
rete
ntio
n ar
e no
t a p
riorit
y an
d w
ill o
nly
be a
dopt
ed if
es
tabl
ishe
d an
d pr
oven
to b
e ef
fect
ive
else
whe
re.
We
are
prep
ared
to ta
ke lim
ited
risks
with
rega
rds t
o ou
r w
orkf
orce
. Whe
re a
ttem
ptin
g to
in
nova
te, w
e w
ould
seek
to
unde
rsta
nd w
here
sim
ilar
actio
ns h
ad b
een
succ
essf
ul
else
whe
re b
efor
e ta
king
any
de
cisio
n.
We
are
prep
ared
to a
ccep
t th
e po
ssib
ility
of s
ome
wor
kfor
ce ri
sk, a
s a
dire
ct
resu
lt fro
m in
nova
tion
as
long
as
ther
e is
the
pote
ntia
l fo
r im
prov
ed re
crui
tmen
t an
d re
tent
ion,
and
de
velo
pmen
tal o
ppor
tuni
ties
for s
taff.
We
will
pur
sue
wor
kfor
ce
inno
vatio
n. W
e ar
e w
illin
g to
ta
ke ri
sks
whi
ch m
ay h
ave
impl
icat
ions
for o
ur w
orkf
orce
bu
t cou
ld im
prov
e th
e sk
ills
and
capa
bilit
ies
of o
ur s
taff.
W
e re
cogn
ize
that
inno
vatio
n is
like
ly to
be
disr
uptiv
e in
the
shor
t ter
m b
ut w
ith th
e po
ssib
ility
of l
ong
term
gai
ns.
We
seek
to le
ad th
e w
ay in
te
rms
of w
orkf
orce
in
nova
tion.
We
acce
pt th
at
inno
vatio
n ca
n be
dis
rupt
ive
and
are
happ
y to
use
it a
s a
cata
lyst
to d
rive
a po
sitiv
e ch
an.
PEO
PLE
How
will
we
be
perc
eive
d by
the
publ
ic a
nd o
ur
part
ners
?
© 2
020
GG
I Dev
elop
men
t and
Res
earc
h LL
P, L
ondo
n
GoodGovernanceInstituteGood Governance Institute