Risk Appetite
1. Introduction
1.1. The Orange Book – Management of Risk, Principles and Concepts (2019) advises ‘the Board should determine and continuously assess the nature and extent of the principal risks that the organisation is exposed to and is willing to take to achieve its objectives – its risk appetite – and ensure that planning and decision-making reflects this assessment. Effective risk management should support informed decision-making in line with this risk appetite, ensure confidence in the response to risks, transparency over the principal risks faced and how these are managed’. This guidance has been developed by risk practitioners in the public sector to support colleagues in implementing effective risk management arrangements, aligned with the Orange Book principles.
1.2. Public sector organisations cannot be risk averse and be successful. Effective and meaningful risk management in government remains more important than ever in taking a balanced view to delivering public services. Risk management is an integral part of good governance and corporate management mechanisms. An organisation’s risk management framework harnesses the activities that identify and manage uncertainty, allows it to take opportunities and to take managed risks not simply to avoid them, and systematically anticipates and prepares successful responses. A key consideration in balancing risks and opportunities, supporting informed decision-making and preparing tailored responses is the organisation’s risk appetite.
1.3. This guidance has been developed to provide key considerations for organisations to apply when formalising and strengthening their existing practices to support and inform decision-making.
1.4. Whilst there is wide-ranging guidance on the development of Risk Appetite Statements, much of it is focused on the financial services sector. Clear and helpful Risk Appetite Statements are more easily developed in organisations which can apply consistent units of measure to inputs and outcomes and can look at aggregated portfolio risks in these units, such as £x. Risk appetite development in the public sector requires a different approach, as public services realise value to diverse timeframes and utilise varied units of measure to assess public value in these outcomes.
1.5. The concept of risk appetite is further challenged in public sector organisations by the need to demonstrate, often over a shorter period of time, that public funds achieve value for money. Risk appetite helps organisations establish a threshold of impacts they are willing and able to absorb in pursuit of objectives, which may include but is not limited to financial loss. This concept of calculated risk and acceptable loss may be difficult to reconcile with the essential nature of many public services. If properly applied and maintained, however, understanding risk appetite results in improved organisational health, as resources can be prioritised and allocated where most needed to support the management of risks to achieving objectives, whilst maintaining performance and demonstrating value for money.
1.6. The good practice guidance outlined in this document can be used to direct decision-making at the point investment and prioritisation choices are made, as well as in management’s periodic reviews of risks and performance. The good practices detailed in this guide have been gathered from experience across the Civil Service risk management community. They have been tested through practical application and have been proven especially beneficial in times of heightened uncertainty, such as the COVID-19 pandemic, when decisions need to be made quickly and often with incomplete information.
1.7. This guide should be considered alongside the Orange Book and other associated good practice guides. These documents can be accessed via gov.uk or OneFinance.
1.8. The Government Finance Function is grateful to all involved in the production of this guide. A full list of contributors is provided at Appendix B. Particular thanks is given to Simon King from the Ministry of Defence, who chaired the working group that developed this guidance.
2. Assumptions
2.1. This guide has been developed to support organisations to implement the concepts and principles outlined in the Orange Book. The information provided in this guidance is framed around the assumption that an organisation’s risk framework aligns with the Orange Book.
2.2. To maximise the benefit of this guidance, organisations should recognise the following:
• It is often not possible to manage all risks at any point in time to the most desirable level;
• Outcomes cannot be guaranteed when decisions are made in conditions of uncertainty;
• It is often not possible, and not financially affordable, to fully remove uncertainty from a decision;
• Decisions should be made using the best available information and expertise;
• When decisions need to be made urgently, the information relied upon and the considerations applied to it should be retained; and
• The risk culture must embrace openness, support transparency, welcome constructive challenge and promote collaboration, consultation and co-operation.
3. What is Risk Appetite?
3.1. Risk appetite is often referenced in organisations, without clearly defining what it is. Similarly, risk appetite and risk tolerance are often used interchangeably. It is equally true that many organisations already apply the principles contained in this guidance without necessarily fully acknowledging them as part of a risk management framework where risk appetite is actively considered in decision-making.
3.2. Both risk appetite and risk tolerance will be referenced in this guide, defined as follows:
• Risk Appetite: the level of risk with which an organisation aims to operate.
• Risk Tolerance: the level of risk with which an organisation is willing to operate.
The diagram below demonstrates the interaction between these concepts.
Please note: The definition of risk tolerance in this guide relates specifically to an organisational position. A risk tolerance position should not be confused with tolerating a risk, by choice, as a risk response: An organisation may be tolerating a risk which sits within the tolerance or appetite positions. Each organisation will have its own scale of risk acceptance and this guide is not suggesting that a risk appetite or tolerance position must be set to a low / green position on local risk assessment scales.
4. Why is Risk Appetite Important?
4.1. Risk appetite provides a framework which enables an organisation to make informed management decisions. By defining both risk appetite and risk tolerance, an organisation clearly sets out both an optimal and acceptable position in the pursuit of its strategic objectives. The benefits of adopting a risk appetite include:
• Supporting informed decision-making;
• Reducing uncertainty;
• Improving consistency across governance mechanisms and decision-making;
• Supporting performance improvement;
• Focusing on priority areas within an organisation; and
• Informing spending review and resource prioritisation processes.
5. Risk Appetite Development
5.1. When developing its risk appetite, an organisation needs to consider the norms of the environment and the sectors in which it operates, its own culture, as well as governance and decision-making processes.
5.2. The application of a more technical and quantitative approach, utilising specialised terms, can be beneficial in some circumstances and within risk mature organisations. In organisations where the risk management culture is being developed and embedded, this approach may be counterproductive. In these instances, the application of simplified terminology may improve engagement, as colleagues may be more willing to participate in a process positioned as informed decision-making, rather than more formalised organisational risk management. People may be less inclined to engage with overt technical language about taking risks, but instead may be more comfortable and confident talking about making informed and balanced decisions. This may be more important in instances where there is clear uncertainty and/ or where the information available to inform the decisions is recognised as imperfect but the best available.
5.3. Those responsible for risk management should assess organisational maturity and develop an appropriate response which will deliver the benefits of a risk appetite approach to inform decisions and enhance outcomes. This may be badged as a Decision Framework rather than Risk Appetite Statements, although the latter will continue to be referenced in this document.
5.4. The following principles should be considered and applied when developing an organisational approach to risk appetite:
• In addition to having an overarching Risk Appetite Statement, organisations should develop statements which describe their attitude, at a point in time, to accepting risk in each of their areas of principal risk. These should include an appetite and tolerance position and should provide coverage and link to each of the organisation’s principal risks. An example is provided in Section I of Appendix A. A list of the Orange Book recommended risk categories is provided in Section II of Appendix A;
• Organisations should determine their areas of principal risk in relation to their purpose, resources and the views of their stakeholders. It is recommended these areas are considered using the risk categories detailed in the Orange Book;
• Risk Appetite Statements should:
  o provide a structure for an organisation to work within. When correctly applied, statements describe acceptable outcomes relating to decisions being taken. An example is provided in Section III of Appendix A;
  o drive thinking about results and outcomes the organisation seeks to realise, as well as about what would need to change if outcomes were not acceptable;
  o describe the organisation’s typical challenges and the basis on which different outcomes are justified;
  o describe the organisation’s acceptable behaviour in reasonable circumstances. In circumstances where a decision is to be made and there are no directly comparable situations, Risk Appetite Statements can provide illustrative guidance that can be adapted, documented and applied;
  o be set against a five-point scale, with descriptors which are relevant to the organisation. Illustrative examples are provided in Section IV of Appendix A. The five-point scale should demonstrate and reinforce the range of outcomes that are acceptable in different situations. These scales should be separate from scales used to assess the likelihood and impact of a risk; and
  o be dynamic and updated as necessary to reflect any significant changes in the context their organisations operate within, whether driven by societal, economic or political changes, for example.
• While an overall level of appetite and description can be used to describe an organisation’s current appetite for risk in a certain risk category, it may be useful to describe relevant specific areas within this. When speaking about financial risk, for example, it would help to explain the different approaches the organisation takes to fraud and propriety. See Section III of Appendix A for examples; and
• Facilitated sessions engaging stakeholders are required to support the development of risk appetite and tolerance levels. This approach may range from in-depth processes involving wide-ranging stakeholder engagement, to focused engagement with senior management. This guidance recommends direct senior engagement, focused on developing agreed descriptions of acceptable behaviours and outcomes, as an efficient approach which ensures buy-in at the senior level. Ultimately, the Board should determine and continuously assess its risk appetite and agree the descriptions.
5.5. As organisations consider and maintain their risk appetite to reflect context and changing environmental factors, there may be circumstances, such as those experienced dealing with government’s response to the COVID-19 crisis, when it becomes necessary to significantly alter the level, nature and balance of risks which an organisation is willing to, or is required to, operate within to deliver public services. Where this occurs, it is important that there is openness and transparency of these decisions and arrangements, active monitoring and reporting of consequences and clarity over recovery and retrospective actions. If necessary easement decisions are one-offs, they should be documented and available for scrutiny. If the circumstances are expected to endure, if only temporarily, then the organisation should re-state its tolerance and appetite for risk in these areas.
5.6. As recognised in Managing Public Money, in circumstances where these needs or requirements, and the associated risk trade-offs, create conflict between a minister’s instructions and an accounting officer’s duties, these matters should be drawn to the attention of the responsible minister to see whether they can be resolved. Where the minister decides to continue, the accounting officer should ask for a formal written direction to proceed to document these decisions and to support the necessary openness and transparency.
6. How Should Risk Appetite be Applied?
6.1. The Orange Book describes risk management as an essential part of governance and leadership, and fundamental to how an organisation is directed, managed and controlled at all levels. The application of an organisational risk appetite, subject to consideration at appropriate decision-making and governance mechanisms, is necessary for this. Section A of the Orange Book describes the role of risk management within governance and leadership arrangements as follows: ‘Risk should be considered regularly as part of the normal flow of management information about the organisation’s activities and in significant decisions on strategy, major new projects and other prioritisation and resource allocation commitments’. As part of decision-making, an organisation’s considerations should include whether:
• Intended benefits justify the range of outcomes;
• The plausible outcomes are within the current appetite;
• Available resources can be reallocated, if necessary, to allow benefits to be realised within the stated appetite; and
• The consequences of taking a decision which could be outside the organisation’s risk appetite have been transparently accepted within the organisation’s delegation framework.
6.2. Risk Appetite Statements outlining appetite and tolerance positions are key enablers to ensuring effective decision-making. The robust application of risk appetite and risk tolerance positions in driving organisational decisions ensures continuity and consistency across an organisation. In addition, risk appetite and tolerance positions may provide evidence to inform and support Spending Review processes, as well as internal prioritisation, investment and budget allocation processes.
7. Review of Risk Outcomes
7.1. Within the Civil Service, the nature of the services provided, changing external demands and fiscal constraints mean it is neither feasible nor practical to fully prevent or mitigate all risks at any point in time.
7.2. Individual organisations may find, if they have meaningful assessments of the uncertainty they face, that they are required to carry more risk than is desired. In this case, as per Figure 1, an organisation must assess if this risk is within organisational tolerance levels, or whether active interventions are required to guide the organisation to the preferred position outlined in the appetite statements over time.
7.3. Risk Appetite Statements help to inform resource allocation at decision points, and additionally when the organisation periodically reviews its performance. The following principles should be applied in conducting this review:
• Organisations should consider what level of outcomes the best available performance information suggests they will achieve and how this informs their assessment of uncertainty and risk;
• Organisations should periodically consider whether the latest assessment of their risks, both individually and aggregated into their exposure areas, is in line with their appetite for risk in those areas;
• Risk Appetite Statements should not be re-baselined to change the perception of tolerated risks, but organisations should consider whether the assumptions behind their previous statements remain valid and whether the organisation might, of necessity, need to recognise an increased risk appetite;
• Organisations should consider how available resources can most effectively be reallocated to improve assessments of either individual risks or a category of risk, or a combination of both;
• In choosing which risks or categories of risk to prioritise bringing back into or towards its appetite, organisations will need to consider the difference that available resources can make on the impact, likelihood or the speed with which the effects of a risk event would be experienced, and which would most improve the deliverability of outcomes; and
• It is neither feasible nor practical to fully prevent or mitigate all risks and some, which are beyond the stated appetite, may almost always need to be tolerated and actively monitored.
8. Further Information
8.1. For more information, or to provide feedback on this guidance, please email [email protected].
8.2. Information on the development of Orange Book Good Practice Guides can be found on OneFinance. Please refer to the Heads of Risk Network pages for the latest news.
Appendix A: Risk Appetite Tools
The following tools have been developed by the Civil Service risk community to support the implementation of an organisational risk appetite.
I. Example Appetite levels defined by Risk Categories
II. Orange Book Example Risk Categories
III. Example Risk Appetite Description
IV. Risk Appetite Scales
II. Orange Book Example Risk Categories
The Orange Book recommends risks should be organised by taxonomies or categories of risk. Grouping risks in this way supports the development of an integrated and holistic view of risks. Annex 4 of the Orange Book provides the following example categories. These are not intended to be exhaustive. Failure to manage risks in any of these categories may lead to financial, reputational, legal, regulatory, safety, security, environmental, employee, customer and operational consequences.
Strategy risks
– Risks arising from identifying and pursuing a strategy, which is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (e.g. political, economic, social, technological, environment and legislative change).
Governance risks
– Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.
Operations risks
– Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.
Legal risks
– Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).
Property risks
– Risks arising from property deficiencies or poorly designed or ineffective/ inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public.
Financial risks
– Risks arising from not managing finances in accordance with requirements and financial constraints resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.
Commercial risks
– Risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and /or failure to meet business requirements/objectives.
People risks
– Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies resulting in negative impact on performance.
Technology risks
– Risks arising from technology not delivering the expected services due to inadequate or deficient system/process development and performance or inadequate resilience.
Information risks
– Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential.
Security risks
– Risks arising from a failure to prevent unauthorised and/or inappropriate access to key government systems and assets, including people, platforms, information and resources. This encompasses the subset of cyber security.
Project/Programme risks
– Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.
Reputational risks
– Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures or poor quality or a lack of innovation, leading to damage to reputation and/or destruction of trust and relations.
III. Example Risk Appetite Description
The following example demonstrates how risk appetite statements may guide organisational activity and decision making.
Financial: The Organisation’s appetite for financial risk is cautious. Our financial decisions are heavily scrutinised, with value for money being a key factor in decision making. We will accept risks that may result in some small-scale financial loss or exposure on the basis that these can be expected to balance out but will not accept financial risks that could result in significant reprioritisation of budgets. Our appetite for risks associated with business as usual activity is naturally lower than with our transformation activity. Within this our risk appetite is:
• Averse for financial propriety and regularity risks, with a determined focus to maintain effective financial control framework accountability structures.
• Averse in terms of risks related to our qualification of accounts, associated process and deviation from reporting timetables.
• Minimal as to risk relating to breaching individual control totals.
• Cautious for risks related to our business partnering model.
• Open in relation to our budget spend, with the intention that we should maximise the use of resource each year. We are prepared to over-programme by £Xm at the start of each year, with this amount being actively monitored and managed, if necessary, to ensure it reduces at each quarter during the year.