How should a Risk Appetite Statement (RAS) be Developed & What should a RAS Achieve?
Mohammad Salman Khan
Founder & CEO at KYR Consulting, Training & Advisory Solutions | Empowering Organizations with Resilient, Sustainable Risk Management Solutions | Guiding Businesses to Confidently Navigate Today’s Complex Risk Landscape
1. Awareness: Start the conversation
The first stage aligns the organisation’s risk appetite with its strategic objectives, risk profile and management capability.
- Agree value of articulating risk appetite
- Determine how the risk appetite will be used in the organisation
- Define the material risk categories that are relevant to the organisation
- Confirm strategic objectives, key risks and risk profile.
2. Articulation: Construct a RAS
The second stage focuses on the value derived from a quality, robust discussion between the Board and the executive team to capture key financial, operational and strategic risks.
- Collate information on perceived appetite for each key risk
- Discuss with Board and management to identify and reconcile expectations
- Develop first-cut risk categories and identify potential dimensions
- Draft the RAS
- Stress test the RAS
- Present to the Board/Executive Management for approval/endorsement.
3. Embedding: Alignment and application
The third stage embeds the RAS within the risk management framework and operating rhythm of the organisation.
- Select appropriate metrics and establish tolerances required for risk information to be monitored and reported
- Capture how the governance structure supports the monitoring and reporting of a RAS
- Incorporate RAS into Board/executive team conversations
- Design additional stress testing and scenario analysis to evaluate RAS impacts
- Incorporate into behaviours, performance and rewards system
- Decision making underpinned by explicit risk consideration
- Review periodically
What should a RAS achieve?
The core objective of a RAS is to provide a statement, developed in partnership with key stakeholders, on the amount of risk the organisation is willing to accept and within which management will operate at all times. It provides structure such that:
- only permitted activities are undertaken
- the scale of permitted activities and subsequent risk profiles do not lead to potential losses that exceed the organisation’s approved risk appetite
- risk is expressed quantitatively via limits and tolerances where appropriate
- management focus is brought to bear on key and emerging risk issues and mitigating actions
- risk is linked to the business by informing, guiding and empowering the business in executing strategy.