Institute's welcomeGood afternoon and thank you for joining us today. I am Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland. The topic for today is ‘Risk Appetite / Risk Tolerance’. Our speaker today is Clive Thompson CFIRM Technical Advisor from the Institute of Risk Management – it is worth visiting their website to access their content, much of which is readily available. I thought I would introduce today’s session by quoting what the Institute of Risk Management has to say: ‘Risk appetite today is a core consideration in any enterprise risk management approach. As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to clearly express the extent of their willingness to take risk to meet their strategic objectives.’ This is particularly relevant for us now in the volatile market we find ourselves in and those of you who have attended any of our Risk in Focus 2023 launches, will know just how volatile the risk environment is now. Organisational leaders e.g. your s151, your CEO, leader of the council, chair of the audit committee, are under constant pressure to meet stakeholder expectations which can lead to taking more risk than normal and operating outside of comfort zones. At the same time there has never been greater demand for good governance across all sectors. Council, boards and audit committees cannot avoid the question as to ‘how much risk they are prepared to take’. Let’s make sure we don’t just think about risk in terms of something to mitigate or stop. Risk is also an opportunity, so let’s widen our thinking to think about the opportunity that risk presents. Setting risk appetite requires an investment of time combined with sufficient risk maturity to deliver a meaningful outcome. It is not about defining a single magic number, a set of statements that act as rules/principles for steering the direction of the organisation. A clear risk appetite is an enabler for delivering on strategic objectives because it can be used for decision making by the board, audit committee and managers at all levels. How the organisation sets its risk appetite is a board decision. Understanding the process of setting risk appetite enables auditors to encourage their organisations to engage with the concept and provide assurance that it is doing so in a robust way. Risk appetite is subjective and fluid; changing with organisational conditions, strategic goals as board, audit committee members leave and join. I am sure our speaker for today Clive Thompson from the Institute of Risk Management will have more to say. I am joined today by:
|
Chair's opening commentsThank you, Liz, and good afternoon everyone. I am really excited by the subject of this afternoon’s session and what our guest speaker has to say. Risk management and internal audit share a symbiotic relationship – each one feeds the other. Our councils’ risks inform our work, and our work then informs how the council can manage their risks more effectively. Indeed, part of internal audit’s role, as per the Public Sector Internal Audit Standards, is to evaluate and contribute to the effectiveness and the improvement of risk management processes. So, this is particularly relevant when it comes to providing our annual assurance opinion to the audit committee, for inclusion in the Annual Governance Statement. It is also relevant when undertaking individual audit assignments where our aim is to ensure significant risks are identified and assessed, and that there are appropriate management responses that align to the council’s risk appetite. Now the approach taken by internal audit will depend on our individual council’s risk maturity and whether their risk appetite is clearly defined, communicated, and understood at all levels of the organisation. As part of a mature risk management approach, a defined risk appetite provides a framework which enables management to make better informed decisions. By defining both optimal and tolerable positions, management can then set out both the target and acceptable risks are whilst pursuing strategic objectives. The benefits of adopting a risk appetite include:
I’d like to give a very warm welcome to our speaker today, Clive Thompson CFIRM who is Technical Advisor at the Institute of Risk Management (IRM). |
Slides from the session are attached here and it would be helpful to have these open to review the key takeaways. Notes below are supplementary.
Clive Thompson CFIRM, Technical Advisor at the Institute of Risk Management (IRM)
Chair's closing commentsThank you so much, Clive. That was that was fascinating. One thing that occurs to me, for all of us who work in a political environment, is that where we talk about the maturity of the organisation it does depend on whose maturity you're talking about. There are so many examples I can talk about, such as Northamptonshire County Council, my former Council up the road, Warrington or Nottingham, Robin Hood Energy, where council officers were trying desperately to tell members not to go ahead with certain things. Members often have a different view and a different focus to officers, which is the next election, etc. So even within a quite mature and risk aware organisation, a lot can be undone because of the tensions and politics which exist within councils. Your comment about tolerance and having a time limit I think is critical because otherwise the tolerance becomes your new risk appetite. If you just let it continue you will have extended your risk appetite. Thank you, Clive. |
Institute's closing commentsPlease remind your teams or indeed come along yourself to the Drop-In Clinic where Laura and I answer your questions and discuss hot topics. The next one is 7th October 2022. Our session on 26 October 2022 is Wellbeing - Future Generations exploring the legislation introduced by the Welsh Government to see if the concept, lessons to be learnt are of value to your Council. Thank you everyone, see you in October. Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith. |
Q: I’m interested in the risk appetite with other LA's and if this differs across departments or if a different approach is taken?
A: I would have thought your appetite would differ because your risk maturity levels would be different across different areas within an organisation e.g., adult or children services. If your risk maturity levels are different, then your risk appetite is going to be very different, as will how you state your risk appetite.
Q: How do you get 'Leaders' to make a clear decision on risk appetite?
A: The IRM Executive Summary (linked in the slides) is nice summary of what risk appetite is about and, how important it is.
(Institute) We have done the same, you'll all be familiar with Risk in Focus, where we have produced a board briefing. Working on the premise that some of the boards, audit committees, senior leadership team are very busy people so if we can give them something that is short, focused and something they can easily read, that's got to be a positive. Do share this document with them.
Q: We have a number of risks that are sitting outside of what we would consider to be our risk appetite, but within our tolerance levels. They’ve been sitting there for a considerable period of time, particularly over the last two years. Should we have time scales to say, we will tolerate this for so long, but actually we want it to move back towards what our normal appetite is for that risk?
A: Yes, I would think so. Yes, because you because if you're operating outside your appetite, you really ought to do something about it as soon as possible. Of course, we're not operating in a perfect world and so there will be events which might be outside of your control, and which puts things outside of your risk appetite. If they are outside of your risk appetite, then that's where you need to escalate, and people need to take responsibility for those risks. Your risk appetite will change all the time, e.g. the Ukraine War and current financial turmoil. This must be held under review and addressed as soon as possible.
Q: I have a dual role as the head of internal audit and risk management. One of the difficulties I have found is that we can be very risk averse. Our risk appetite is approved by our Cabinet annually and the strategic risks quarterly. Given the need to be fluid is this sufficiently timely? The IIA has guidance on undertaking risk maturity assessments does the IRM?
A: No we don’t have any guidelines because each organisation’s risk is different and there are very different contexts for those particular risks and how that risk landscape materialises. We don't necessarily have guidelines, but we do have guidance. It is interesting how you combine the roles. There is that spectrum area which still applies now, there are certain areas for example risk and internal audit risk should not go into internal audit and internal audit similarly should not stray into the risk area.