
Local Authority Internal Audit Virtual Forum

28 September 2022


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute's welcome

Good afternoon and thank you for joining us today. I am Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland.   

The topic for today is ‘Risk Appetite / Risk Tolerance’.

Our speaker today is Clive Thompson CFIRM Technical Advisor from the Institute of Risk Management – it is worth visiting their website to access their content, much of which is readily available.

I thought I would introduce today’s session by quoting what the Institute of Risk Management has to say:

‘Risk appetite today is a core consideration in any enterprise risk management approach. As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to clearly express the extent of their willingness to take risk to meet their strategic objectives.’

This is particularly relevant for us now in the volatile market we find ourselves in and those of you who have attended any of our Risk in Focus 2023 launches, will know just how volatile the risk environment is now. Organisational leaders e.g. your s151, your CEO, leader of the council, chair of the audit committee, are under constant pressure to meet stakeholder expectations which can lead to taking more risk than normal and operating outside of comfort zones. At the same time there has never been greater demand for good governance across all sectors. Council, boards and audit committees cannot avoid the question as to ‘how much risk they are prepared to take’.

Let’s make sure we don’t just think about risk in terms of something to mitigate or stop. Risk is also an opportunity, so let’s widen our thinking to think about the opportunity that risk presents.

Setting risk appetite requires an investment of time combined with sufficient risk maturity to deliver a meaningful outcome. It is not about defining a single magic number, a set of statements that act as rules/principles for steering the direction of the organisation.

A clear risk appetite is an enabler for delivering on strategic objectives because it can be used for decision making by the board, audit committee and managers at all levels. 

How the organisation sets its risk appetite is a board decision. Understanding the process of setting risk appetite enables auditors to encourage their organisations to engage with the concept and provide assurance that it is doing so in a robust way. Risk appetite is subjective and fluid, changing with organisational conditions and strategic goals, and as board and audit committee members leave and join.

I am sure our speaker for today Clive Thompson from the Institute of Risk Management will have more to say.

I am joined today by:  

  • Piyush Fatania, Chair for today and a member of the Institute’s Council
  • Derek Jamieson, Regional Director for the Institute in the UK and Ireland.

Chair's opening comments

Thank you, Liz, and good afternoon everyone. I am really excited by the subject of this afternoon’s session and what our guest speaker has to say.

Risk management and internal audit share a symbiotic relationship – each one feeds the other. Our councils’ risks inform our work, and our work then informs how the council can manage their risks more effectively. Indeed, part of internal audit’s role, as per the Public Sector Internal Audit Standards, is to evaluate and contribute to the effectiveness and the improvement of risk management processes. So, this is particularly relevant when it comes to providing our annual assurance opinion to the audit committee, for inclusion in the Annual Governance Statement. It is also relevant when undertaking individual audit assignments where our aim is to ensure significant risks are identified and assessed, and that there are appropriate management responses that align to the council’s risk appetite.

Now the approach taken by internal audit will depend on our individual council’s risk maturity and whether their risk appetite is clearly defined, communicated, and understood at all levels of the organisation. As part of a mature risk management approach, a defined risk appetite provides a framework which enables management to make better informed decisions. By defining both optimal and tolerable positions, management can then set out what both the target and acceptable risks are whilst pursuing strategic objectives. The benefits of adopting a risk appetite include:

  • Having a better and more consistent decision-making and governance process across the council
  • Reducing uncertainty whilst also supporting improvements in performance
  • Focusing on priority areas within an organisation whilst utilising ever more scarce resources

I’d like to give a very warm welcome to our speaker today, Clive Thompson CFIRM who is Technical Advisor at the Institute of Risk Management (IRM).


Key takeaways

Slides from the session are attached here and it would be helpful to have these open to review the key takeaways. Notes below are supplementary.

Clive Thompson CFIRM, Technical Advisor at the Institute of Risk Management (IRM)

  • The IRM’s thoughts around risk tolerance and risk appetite were from the point of view of corporate governance and the point of view of private business as opposed to public authorities, although there is definite mapping across different sectors.
  • There is a wealth of information available on our website (link in slides), some of which will cover risk appetite.
  • Looking at the Risk Universe slide, the current direction of travel refers to performance over time.
  • There are a certain number of risks which could affect performance over time – these are opportunities and threats, which could have a positive or negative effect on performance. The area between these is your total risk universe – all the risks which could affect your organisation.
  • Within the total risk universe, there is an area in which you would be able to operate – your risk tolerance.
  • The areas between the risk tolerance lines and the outer edges of your risk universe are those which you shouldn’t venture into in terms of threats and would probably not want to in terms of opportunities.
  • Within the risk tolerance area, you have your risk appetite. You can exist outside of your risk appetite to your risk tolerance levels, but you don’t want to be there.
  • Risk appetite and risk tolerance must be measurable. If you don’t put a metric onto your appetite or tolerance, it becomes vacuous and meaningless. Metrics will depend on your organisation’s objectives.
  • Appetite is where you want to operate.
  • Appetite will vary across risks and time. You will need to work out how frequently this needs to be reviewed.
  • Looking at the Levers to manage slide – how we look at risk and particularly relevant for this group in terms of exercising control, coming from the internal audit angle. It’s about how you measure that control, how you measure the efficiency of controls. This model looks at how that integrates with the risk appetite.
  • The bottom end is about control, how this is exercised and how these areas should be audited within that operational risk area. Go up to the top of the risk level – strategic risk – the appetite is greater for taking strategic risks rather than how you would exercise control over that. Metrics will be around stakeholder value here.
  • Governance – particularly interesting in these times – we’re surrounded by data therefore surrounded by ability to analyse that data, which is going to inform setting the risk appetite. This is what the board will look at in terms of wanting assurance and how it will see its risk appetite being set.
  • It is important to set the appetite and tolerance against the organisation’s risk maturity because the more mature you are in handling risk, the more mature you can be in setting your appetite.

Chair's closing comments

Thank you so much, Clive. That was fascinating.

One thing that occurs to me, for all of us who work in a political environment, is that where we talk about the maturity of the organisation it does depend on whose maturity you're talking about.  There are so many examples I can talk about, such as Northamptonshire County Council, my former Council up the road, Warrington or Nottingham, Robin Hood Energy, where council officers were trying desperately to tell members not to go ahead with certain things.  Members often have a different view and a different focus to officers, which is the next election, etc. So even within a quite mature and risk aware organisation, a lot can be undone because of the tensions and politics which exist within councils.

Your comment about tolerance and having a time limit I think is critical because otherwise the tolerance becomes your new risk appetite. If you just let it continue you will have extended your risk appetite.

Thank you, Clive.


Institute's closing comments

Please remind your teams or indeed come along yourself to the Drop-In Clinic where Laura and I answer your questions and discuss hot topics. The next one is 7th October 2022.

Our session on 26 October 2022 is Wellbeing - Future Generations, exploring the legislation introduced by the Welsh Government to see if the concept and lessons to be learnt are of value to your Council.

Thank you everyone, see you in October.

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith.

Q&A and chatbox comments

Q: I’m interested in the risk appetite with other LAs and if this differs across departments or if a different approach is taken?

A: I would have thought your appetite would differ because your risk maturity levels would be different across different areas within an organisation e.g., adult or children services. If your risk maturity levels are different, then your risk appetite is going to be very different, as will how you state your risk appetite.  

Q: How do you get 'Leaders' to make a clear decision on risk appetite?

A: The IRM Executive Summary (linked in the slides) is a nice summary of what risk appetite is about and how important it is.

(Institute) We have done the same, you'll all be familiar with Risk in Focus, where we have produced a board briefing. Working on the premise that some of the boards, audit committees, senior leadership team are very busy people so if we can give them something that is short, focused and something they can easily read, that's got to be a positive. Do share this document with them.

Q: We have a number of risks that are sitting outside of what we would consider to be our risk appetite, but within our tolerance levels. They’ve been sitting there for a considerable period of time, particularly over the last two years. Should we have time scales to say, we will tolerate this for so long, but actually we want it to move back towards what our normal appetite is for that risk?

A: Yes, I would think so. Yes, because if you're operating outside your appetite, you really ought to do something about it as soon as possible. Of course, we're not operating in a perfect world and so there will be events which might be outside of your control, and which put things outside of your risk appetite. If they are outside of your risk appetite, then that's where you need to escalate, and people need to take responsibility for those risks. Your risk appetite will change all the time, e.g. the Ukraine War and current financial turmoil. This must be held under review and addressed as soon as possible.

Q: I have a dual role as the head of internal audit and risk management. One of the difficulties I have found is that we can be very risk averse. Our risk appetite is approved by our Cabinet annually and the strategic risks quarterly. Given the need to be fluid, is this sufficiently timely? The IIA has guidance on undertaking risk maturity assessments; does the IRM?

A: No, we don’t have any guidelines because each organisation’s risk is different and there are very different contexts for those particular risks and how that risk landscape materialises. We don't necessarily have guidelines, but we do have guidance. It is interesting how you combine the roles. There is that spectrum area which still applies now; there are certain areas, for example risk and internal audit: risk should not go into internal audit and internal audit similarly should not stray into the risk area.