In the same way that a good enterprise risk management (ERM) framework can help federal agencies better allocate resources under tightening budgets, aligning strategy and a risk appetite framework can empower federal agencies to make better-informed decisions. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk appetite as “the articulation of the amount of risk, on a broad level, an organization is willing to accept in pursuit of strategic objectives and the value to the enterprise.” Clearly defined risk appetite statements should help an organization verbalize, at a high level, how much risk it is willing to take and in what areas.
Defining risk appetite helps guide organizational risk management activities. But too often, risk appetite statements have been relegated to standalone documents that are either loosely connected to organizational strategy or not connected at all. Additionally, risk appetite statements are seen only as a means to limit or control risk-taking. As many federal executive leaders know, some amount of risk-taking is necessary to drive innovation and transformation. Risk-taking should be closely aligned to an agency’s strategic goals and objectives to optimize value. The President’s Management Agenda (PMA) lays out a long-term vision for modernizing the federal government into a 21st century entity that is more agile, less bureaucratic, and focused on improving mission outcomes. To this end, developing a dynamic risk appetite framework will help federal leaders manage the full spectrum of risks within their agencies, while capitalizing on opportunities to improve performance, save costs, and innovate. A strategy-integrated risk appetite framework provides a structured approach to the management, measurement, and control of risk, while focusing on the biggest risks to the achievement of strategic goals and objectives, as depicted in Figure 1.
Below are five important considerations for developing your agency’s risk appetite framework:
- Identify and understand your agency’s strategic goals and objectives
An agency’s risk appetite is directly related to its strategic goals and objectives. By highlighting what the agency wants to accomplish, federal leaders can articulate how much risk the organization is willing to take to achieve those goals. Review your agency’s strategic plans, as each presents the long-term objectives an agency hopes to accomplish at the beginning of each new presidential term and describes both general and long-term goals. Your strategic plan offers a great starting point to begin identifying the work needed to accomplish strategic goals and objectives. Performance reports and capability models are good documents to use as well.
- Develop a simple risk appetite statement
After identifying strategic goals and objectives that your agency needs to achieve to meet its mission, the next step is to articulate the types and amount of risk the organization is willing to take to achieve those objectives. The cornerstone for any effective risk appetite framework involves the development of a risk appetite statement. By communicating the agency’s risk appetite in a clear and concise manner, all stakeholders, both internal and external, should be able to make more intelligent risk-based decisions within the agency’s risk appetite. This can only happen if risk appetite statements are expressed using common language that is used throughout the enterprise. Agencies should ensure that a common, consistent risk taxonomy is used in strategic plans, operational manuals, performance reports, and capability models throughout the organization.
- Measure your organization’s risk appetite
Some objectives may require an agency to be more risk-seeking (high risk appetite) when devising solutions with limited resources, particularly those related to the adoption of new technologies, while others may require the agency to be more risk-averse (low risk appetite), such as requirements to comply with laws and regulations. Risk managers should develop ways to measure risk appetite. Measurement may include using balanced scorecards or specific strategy-focused key risk indicators (KRIs).
- Embed knowledge of risk appetite into agency culture
Once an agency’s efforts to achieve its strategic goals and objectives have been clearly outlined and methods have been developed to consistently measure how much risk an organization is willing to take, agency leadership needs to provide input and set the tone at the top. Senior executives should encourage one another to provide clear expectations of how much risk they feel the organization is willing to take in pursuit of agency objectives. By collecting, aggregating, and integrating feedback, leadership can articulate the agency’s risk appetite in a way that is easily understood across the enterprise. In every discussion and decision, management’s actions should reflect the organization’s appetite for risk, whether high, medium, or low. To embed risk further into an agency’s organizational culture, leadership should communicate the agency’s risk appetite regularly, both horizontally and vertically across all levels of the organization, because as most of us know, managing risk is everyone’s job.
- Monitor and manage changes to risk appetite
Finally, as risks change, risk appetite may change, too. It is imperative that risk appetite is reviewed and tested at scheduled intervals (at least annually) and when important changes happen to ensure that the risk appetite remains on strategy. Certain circumstances are likely to give rise to changes in an agency’s risk appetite, including:
- Changes in key leadership
- Changes in the regulatory environment
- Multiple or new initiatives that require reprioritization
- Additional budget constraints
Consider mechanisms to brief new stakeholders and keep leadership engaged on risk management and risk appetite. These can include disseminating surveys, facilitating roundtables, or discussing risk and risk appetite in performance review meetings. This will ensure that decision making adheres to the principles established around risk appetite. As your agency reviews and tests risk appetites against objectives, its willingness to accept risk may increase as leadership becomes more confident that the risk monitoring process works well and that emerging or changing risks are being identified and escalated appropriately.
For federal managers, a risk appetite framework is a fundamental tool in sustaining ERM capabilities to effectively manage risks to strategic goals and objectives. However, a risk appetite framework is only as good as its implementation. To effectively apply a risk appetite across the enterprise, it needs to be aligned to strategic goals and objectives, as well as integrated into the agency’s existing ERM infrastructure and key support functions.
By managing risks with the greatest impact to the organizational mission, agency leadership can make more risk-informed decisions that better balance limited resources and focus the necessary time and attention toward innovation and enterprise performance.