This new requirement presents a real opportunity to “place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations,” said Mr Anderson, who is also Managing Director of Crowe Horwath Global Risk Consulting.

With the introduction of the 8th EU Company Law Directive and the recent EC green paper on corporate governance, which specifically addresses the question of boards’ responsibility for risk appetite and risk tolerance, the same opportunities are being presented to risk professionals across Europe.

As such the guidance in the paper is universal and whilst some specifics may differ between country and type of company the IRM believes that its underlying principles hold true for all sectors and all geographical locations.

Organisations can only progress by taking those risks that they need to embrace and managing down those that they wish to avoid. As such managing risk appetite represents a massive challenge, said the IRM.

Although risk professionals have been divided as to how to determine risk appetite, and there is precious little on offer in terms of useful guidance, the IRM believes that organisations must better deal with this issue.

“It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness,” said Mr Anderson.

“Increasingly boards are turning to risk management to help them address their performance issues, or in helping them simply to make better decisions. What is apparent is that simplistic approaches to ERM have not been working desperately well. People are looking for more and better insight, and we believe that by following the guidance set out in this paper, boards will be better served by their risk management process,” he added.

Jill Douglas, Head of Risk at Charterhouse Risk Management, admits that getting to grips with risk appetite is the most tricky of all ERM disciplines, but key to any risk framework.

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt,” she said.

The IRM agreed that risk appetite can be a complex subject but, as a key concept of its guidance, warned that excessive simplicity leads to ‘dangerous waters’. It is far better to acknowledge the complexity and deal with it, rather than ignoring it, the education provider said in the paper’s executive summary.

It also argues that risk appetite needs to be measurable. “Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk.”

The guidance also says that risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. It is not a single or fixed concept and within organisations there will be a range of appetites for different risks that need to align and these appetites may well vary over time, continued the IRM.

“Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture, partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented,” it said.

And risk appetite must be integrated with the control culture of an organisation, the IRM guidance explains. Its framework explores this by looking at both the propensity to take risk and the propensity to exercise control. “The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.”

The IRM paper states that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance.

“The innovation is not in looking at risk and control—all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation,” said the IRM.

It believes that both risk appetite and risk tolerance are inextricably linked to performance over time and that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.

“Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.”

The IRM was keen to stress that its guidance should be tailored to the needs and maturity of an organisation and it is not advocating a one size fits all approach.

Determining risk appetite and control must promote debate in the boardroom, rather than becoming a tick box activity, and needs to be aligned with actual decision-making, particularly in early implementation, said the IRM.

“Developing a risk appetite framework should be high on the board’s agenda. It might be a suitable subject for a board risk committee or the full board. However, there needs to be a robust development process for the risk appetite framework and appropriate measurement and reporting. At the moment, too much of risk management is a data-free or data-light zone: that is no longer appropriate,” said Mr Anderson.

“At the end of the day, the real challenge is that armed with the risk appetite framework, non-executive directors and others should be able to act as the disruptive intelligence that pierces perfect-place arrogance, which after all has been the downfall of so many organisations,” he concluded.

The guidance has been endorsed by the Chartered Institute of Internal Auditors, the Chartered Institute of Management Accountants, the Institute of Chartered Secretaries and Administrators, the Chartered Institute of Public Finance and Accountancy, and Alarm, the public risk management association.

The IRM paper Risk Appetite and Tolerance is available to download for free at http://www.theirm.org/publications/risk_appetite.html. The main author can be reached at richard.anderson@crowehorwathgrc.net.

Please sign up here to our full-time mailing list to ensure that you receive our weekly newsletter.

• More Risk Management News