Risk Management - Establishing Risk Appetite and Tolerance

Your Risk Management Framework could have the most comprehensive consequence and likelihood indicators, and a risk matrix everyone agrees on, but how will you apply this process without first specifying the amount of risk your organisation is willing to take? A risk assessment allows Council to understand its exposure to risks, but it is defining your risk appetite and tolerance that enables decision-making based on whether or not that level of risk is acceptable. Elected members should expect that their decisions and selected strategies will be carried out within the parameters of a predetermined and established risk appetite which is reflective of their attitude towards taking risks.

Risk appetite is the amount of risk that an entity is willing to retain or accept in order to achieve its objectives. In Council’s context, this means considering how much risk you are willing to take to advance the strategic direction set in the Corporate Plan and deliver services to your constituents. By determining and articulating the risk appetite for your organisation, Council will benefit from having a resource which encourages consistent decision-making that considers risk more effectively. Council should also understand and acknowledge that its appetite and tolerance for risk will change over time in response to events such as changes in priorities, strategy, leadership, the external environment and expectations from stakeholders. As such, it should be reviewed and updated on a regular basis to ensure currency.

Defining and differentiating risk appetite and tolerance

Risk Appetite – The amount of risk an entity is willing to accept or retain in order to achieve its objectives. Risk appetite is generally presented qualitatively in the form of a statement or series of statements which describe an organisation’s attitude towards risk taking. It is recommended that these statements are prepared through a thorough and collaborative approach amongst an entity’s executives, as they should reflect their collective view on what decisions should be made and how they are to be implemented by the administration. Risk appetite statements are typically aligned to categories or types of risk e.g. financial, environmental and safety. If risk appetite statements are not utilised effectively, then subsequent actions may be skewed either too lightly (e.g. no action required) or result in an over-controlled risk response (which may hinder operations).

Risk Tolerance – Risk tolerance represents the practical application of risk appetite and is also typically aligned to types or categories of risk. Whilst risk appetite is usually presented in qualitative statements, risk tolerance operationalises the statements by using quantitative measures where possible. This allows for more efficient and effective monitoring and review of individual risks.

Benefits of defining risk appetite and tolerance levels

Supporting informed risk taking – by defining the amount of risk your organisation is willing to accept, its employees can make informed decisions and present the executive and elected members with choices and recommendations aligned with the set risk appetite. This provides a structure and framework for decision-making through increased communication around what is acceptable.

Promoting more consistent risk management – an organisation’s risk appetite communicates in broad terms how much risk is acceptable, thereby enabling and facilitating more consistent risk taking throughout the entity.

Guiding risk decision making and seizing opportunities – risk appetite statements can increase the openness and transparency of an organisation’s decision-making process by enabling employees to better understand expectations around risk taking. This is relevant to local governments in Queensland, as it is in keeping with the local government principles as per the Local Government Act 2009. Defining your Council’s risk appetite allows for employees to better identify areas for opportunity, as well as ascertain when unacceptable risk taking may be occurring.

Underpinning the risk assessment process – A typical Risk Management Framework will include a likelihood and consequence table, which is utilised to assess the severity of an individual risk against a ‘heatmap’ or risk matrix. The resulting risk rating typically determines the acceptability of the risk or leads to a decision on the type of treatment required. In the absence of a defined risk appetite, there is no indication as to whether the level of risk is acceptable or what course of action is required.

Applying risk appetite and tolerance in a Council context

Councils should start by reviewing their capacity for risk i.e. how much risk can your organisation take? Some considerations to that end include community and other stakeholder expectations of Council, Council resources, previous events (positive and negative), and Corporate Plan objectives.

Next, I would recommend that Council’s executive team and elected members collectively discuss the amount of risk the organisation should accept or retain in the pursuit of its objectives. To provide a structure to this discussion, Council should consider the categories or types of risk in its Risk Management Framework and prepare a statement (1-2 sentences) which provides a broad overview of their attitude to risk taking with respect to this type of risk. For example:

Following this, to provide some quantitative parameters which operationalise these statements and enable them to be used in a practical sense, Council can consider including tolerance levels aligned with its risk matrix:

The above example provides a risk appetite statement for four risk categories and includes additional guidance for employees via the inclusion of a risk tolerance. For example, the above table indicates that Council is only willing to tolerate financial risks with a low rating (following a risk assessment). In accordance with this example, a financial risk assessed as anything other than low would require further treatment.

This methodology can be utilised when preparing reports to Council for decision. For example, the following table has been taken from a Council report presented to the January 2024 Ordinary Meeting of Blackall-Tambo Regional Council:

BTRC have taken this approach and embedded it into some Council reports, which provides the elected members with a quick overview of whether or not there is something they should pay particularly close attention to with respect to the item being reported (i.e. if something is assessed as high risk and there is orange or red in the table, they know to read with particular focus on the risks involved).

Councils with a higher level of risk maturity and more resources may consider also embedding risk tolerance into their strategic documents, such as their Operational Plan. This could be achieved by including metrics for each action item in the plan. For example:

For further support reviewing, developing and workshopping your Council’s risk appetite and tolerance, and embedding this throughout your organisation, LGMS Member Councils should contact their Regional Risk Coordinator.

The RRC program is a key feature of your membership and our teams’ mission is to assist you with the development, implementation and review of your approach to enterprise risk management.

Norm Garsden

Master of my own Destiny | Chief Executive Officer | Local Government Executive

2 months

Hi DRJ, I’d be interested in reading your article, can you send me a copy? Merry Christmas.

Paul Bright

MBA, AGIA, Strategic Leader (Strategy, Risk Management, Team Leadership, Corporate Governance, Design thinking)

3 months

Great article David. This is such a critical step in the process. Looking forward to supporting more members with this in 2025.
