Conference 2010 Risk Appetite Includes Handouts And Output
- 1. ©2010/11 Liz Taylor Risk Consulting www.liztaylorriskconsulting.co.uk tel +44 1626 337626
Risk Appetite
Copyright Liz Taylor
LIZ TAYLOR RISK CONSULTING
- 2. Risk Appetite
What are we talking about? Is it –
• Appetite for taking individual or more risks?
• Capacity for taking individual / aggregated
risks?
• The risk Profile of the organisation?
• The Tolerance of the organisation for individual /
aggregation of risks?
- 3. Risk Appetite
Risk appetite is a combination of risk
CAPACITY and risk TOLERANCE for single
risks and aggregation of risks. The risk profile
(summary of risks that the organisation
believes it is exposed to) of the organisation
is compared against the risk appetite to
determine actions needed.
- 4. Arriving at a Risk Appetite Statement
This is a complex subject. We set out some
tools herein that can be adapted for the first
stage of setting a risk appetite statement, but
it’s a long journey and it must be undertaken
by the Board or Board equivalent. We
suggest that a series of nine facilitated
workshops will complete this.
- 5. Setting the Risk Appetite
This is what BS31100 says about risk appetite and
risk profile:
“Considering and setting a risk appetite enables an
organization to increase its rewards by optimizing
risk taking and accepting calculated risks within an
appropriate level of authority.
“The org’s risk appetite should be established
and/or approved by the Board (or equivalent) and
effectively communicated throughout the org.
- 6. Setting the Risk Appetite BS 31100 cntd
“Prepare a risk appetite statement, which may:
• provide direction and boundaries
• consider the understanding of value,
cost-effectiveness of management, rigour of
controls and assurance process
• recognize that the org might be prepared to
accept a higher than usual proportion of risk
• define the control, permissions and sanctions
environment
• be reflected in the org’s risk management policy
- 7. Setting the Risk Appetite BS 31100 cntd
It should
“• include qualitative statements outlining specific
risks the org is or is not prepared to accept and
• include quantitative statements, described as
limits, thresholds or key risk indicators, which set
out how certain risks and their rewards are to be
judged and/or how the aggregate consequences of
risks are to be assessed and monitored.
- 8. Setting the Risk Appetite BS 31100 cntd
“The risk profile provides an overall picture of risk across an
organization, within unit or for a defined area.
The risk profile should convey the nature and level of risks the
org faces, the impact and likelihood of risk incidents on the org
and its stakeholders, and the effectiveness of controls in place to
manage the risks.
Both the risk appetite and risk profile should be monitored by the
Board (or equivalent) and formally reviewed as part of the org’s
strategy and planning processes. This should consider whether
the org’s risk appetite remains appropriate to deliver the
organization’s objectives in light of internal and external drivers
and constraints.”
- 9. Preparation that we suggest
• Agree the main drivers for the business
• Agree purpose of setting the risk appetite
statement (RAS)
• Agree who is going to sign off the RAS
• Agree that the RAS will be flexible
• Agree the timetable for establishing the RAS –
periodic and when certain risk occurrences
happen
- 10. Example of business drivers
• Service safety / product safety – ie quality issues
• Customer satisfaction
• Environment
• Staff morale
• ROI / Cost £
• Brand/rep
On the cards these are labelled BIZ driver 1, BIZ driver 2, BIZ driver 3, BIZ driver 4, BIZ driver 5 and BIZ driver 6.
- 11. What kind of risks are we talking about?
• Are we talking about risks that are only
negative – ie threats? These are STATIC
risks
• Are we talking about risks that could be
negative and or positive – ie threats and
opportunities? These are DYNAMIC risks.
- 12. How to deal with complexity – divide up into specific tasks or actions

| | STATIC | DYNAMIC |
|---|---|---|
| Capacity single risk event | Action 1 | Action 5 |
| Capacity several risk events in a year | Action 2 | Action 6 |
| Agreed tolerance single risk event (less than capacity) | Action 3 | Action 7 |
| Agreed tolerance several risk events (less than capacity) | Action 4 | Action 8 |
- 13. Action 1 - Determining the organisation’s CAPACITY for risk
• Need to list some specific risk events – even though you
know that when it happens it will be different
• Use an escalation process to see where the sensitivity
occurs to the risk event – the risk pain threshold
• Use a simple formula for impact
– high = business meltdown / total catastrophe,
– medium = serious effect, long term problems but survivable
– Low = lower than medium
• Set those risk events against the business drivers
• Remember we are talking about the CAPACITY – not the
tolerance
- 14. Action 1 – Define impacts (ignore likelihood) by circling the h/m/l indicator for each risk event under each business driver

| Risk event 1 | BIZ driver 1 | BIZ driver 2 | BIZ driver 3 | BIZ driver 4 | BIZ driver 5 | BIZ driver 6 |
|---|---|---|---|---|---|---|
| Low level | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Higher level | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Escalated | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Escalated again | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |

And so on
- 15. Action 1 Scenario 1 – Denial of access HQ
Risk Scenario 1 Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
Business drivers: Safety of client, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep

| Risk event | BIZ driver 1 | BIZ driver 2 | BIZ driver 3 | BIZ driver 4 | BIZ driver 5 | BIZ driver 6 |
|---|---|---|---|---|---|---|
| Denial of access to main HQ building > 1 day | l | l | l | l | l | l |
| Denial of access to main HQ building > 2 days | l | l | m | l | l | l |
| Denial of access to main HQ building > 3 days | l | m | h | l | m | l |
| Denial of access to main HQ building > 4 days | m | h | h | l | h | l |
| Denial of access to main HQ building > 5 days | h | h | h | l | h | l |
- 16. Action 1 example – Denial of access HQ
Now you have an indication of where the risk pain threshold is for this risk scenario.
Starts getting painful at three days, but only verging on catastrophic when longer than 5 days.
- 17. Workshop
• Using the pain threshold cards work out in
groups the sensitivity to each risk scenario under
the business drivers.
• Circle your results on each card.
• Work out the point at which the sensitivity gets to
an overall medium and an overall high by
allocating a score to each eg low = 1 med = 3
high = 5
• Show results as RAG score card or graph
- 18. Pain Threshold Cards for Static Risks (action 1)
Each of the risk events below appear and are escalated on each card.

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| 2 Staff injury/fatality | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 3 Injury / fatality customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 4 Complaints / lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 5 Bad Debt | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 6 Loss of investments | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 7 Fraud | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 8 Environmental incident | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| 9 Loss of key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 19. To recap – having completed action 1, then tackle other actions

| | STATIC | DYNAMIC |
|---|---|---|
| Capacity single risk event | Action 1 | Action 5 |
| Capacity several risk events in a year | Action 2 | Action 6 |
| Agreed tolerance single risk event (less than capacity) | Action 3 | Action 7 |
| Agreed tolerance several risk events (less than capacity) | Action 4 | Action 8 |
- 20. Summary
We just completed Action 1. There are
several more actions to go through to get to a
good statement of risk appetite, having
determined the CAPACITY of the
organisation for risk and the TOLERANCE
level;
- 21. Summary
Once those pain threshold cards are completed, you have then to
look at the vertical sensitivities – ie by business driver and pick out
the “cornerstones” of risk capacity and tolerance.
The controls behind each of the risk scenarios are then determined
and measured.
Early warning indicators and Risk Performance Indicators are then
developed from the outcomes and reporting mechanisms agreed
upon.
The risk appetite statement needs to be revisited from time to time
or as things change, eg reputation is lowered resulting in a lower
tolerance for reputation risks (although capacity might remain the
same).
- 22. Workshop
• The pain threshold cards that follow are for
adaptation / use during a workshop.
• Sample outputs are included for illustration
only
- 23. Pain Threshold Card 1
Risk Scenario 1 Denial of access to HQ – could be from any cause, from terrorism to major fire or contamination
Business drivers: Safety of client, Cust satis, Environment, Staff morale, ROI / Cost £, Brand/rep

| Risk event | BIZ driver 1 | BIZ driver 2 | BIZ driver 3 | BIZ driver 4 | BIZ driver 5 | BIZ driver 6 |
|---|---|---|---|---|---|---|
| Denial of access to main HQ building > 1 day | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Denial of access to main HQ building > 2 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Denial of access to main HQ building > 3 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Denial of access to main HQ building > 4 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Denial of access to main HQ building > 5 days | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 24. Example of output - Denial of access
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• Denial of access to main HQ building > 1 day: 6
• Denial of access to main HQ building > 2 days: 8
• Denial of access to main HQ building > 3 days: 14
• Denial of access to main HQ building > 4 days: 20
• Denial of access to main HQ building > 5 days: 22
- 25. Pain Threshold Card 2
Staff includes temporary staff and contractors

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| Major staff injury | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Several major injuries | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One staff fatality | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Several staff fatalities | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Many staff fatalities | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 26. Example of output – Staff injury
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• Major staff injury: 6
• Several major injuries: 8
• One staff fatality: 8
• Several staff fatalities: 8
• Many staff fatalities: 14
- 27. Pain Threshold Card 3
Customer is any one who is not a member of staff / contractor and could include members of the public affected by the business.

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| Major injury several customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Fatality one customer | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Fatality several customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Fatality >100 customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Fatality more than 1000 customers | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 28. Example output – injury to customers
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• Major injury several customers: 10
• Fatality one customer: 14
• Fatality several customers: 14
• Fatality >100 customers: 18
• Fatality more than 1000 customers: 22
- 29. Pain Threshold Card 4
Complaints could be from any number of sources from poor service / product, to the operation of the business.

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| Series of complaints about quality/biz conduct | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Hundreds of complaints about quality/biz conduct | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Several lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Thousands of complaints and lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Several thousands of complaints and lawsuits | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 30. Example output – quality of output
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• Series of complaints about quality/biz conduct: 8
• Hundreds of complaints about quality/biz conduct: 12
• Several lawsuits: 14
• Thousands of complaints and lawsuits: 18
• Several thousands of complaints and lawsuits: 22
- 31. Pain Threshold Card 5
Bad Debt – could be from a number of causes, but determined to be a failure of income for longer than six months

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| One or series of bad debts >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of bad debts >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of bad debts >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of bad debts >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of bad debts >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 32. Example output – bad debt
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• One or series of bad debts >1% turnover: 6
• One or series of bad debts >5% turnover: 8
• One or series of bad debts >10% turnover: 12
• One or series of bad debts >15% turnover: 16
• One or series of bad debts >20% turnover: 20
- 33. Pain Threshold Card 6
Loss of investment, could be a share price fall, loss of an installation, currency fluctuation etc

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| One or series of investments lost >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of investments lost >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of investments lost >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of investments lost >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of investments lost >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 34. Example output – loss of investment
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• One or series of investments lost >1% turnover: 8
• One or series of investments lost >5% turnover: 14
• One or series of investments lost >10% turnover: 14
• One or series of investments lost >15% turnover: 22
• One or series of investments lost >20% turnover: 28
- 35. Pain Threshold Card 7
Fraud – could be internal or external, impact determined by cost

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| One or series of frauds >1% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of frauds >5% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of frauds >10% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of frauds >15% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| One or series of frauds >20% turnover | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 36. Example output - fraud
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• One or series of frauds >1% turnover: 6
• One or series of frauds >5% turnover: 12
• One or series of frauds >10% turnover: 20
• One or series of frauds >15% turnover: 22
• One or series of frauds >20% turnover: 21
- 37. Pain Threshold Card 8
Environmental incident – determined by the impact on people’s lives, welfare or livelihoods

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| One environmental incident affecting >five people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Environment incident/s affecting >20 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Environment incident/s affecting >100 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Environment incident/s affecting >1000 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Environment incident/s affecting >10000 people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 38.
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• One environmental incident affecting >five people: 8
• Environment incident/s affecting >20 people: 14
• Environment incident/s affecting >100 people: 16
• Environment incident/s affecting >1000 people: 24
• Environment incident/s affecting >10000 people: 28
- 39. Pain Threshold Card 9
Key people – where involved in major biz decisions or projects and their loss could result in project failure or business loss

| Risk event | Safety of client / product | Cust satis | Environment | Staff morale | ROI / Cost £ | Brand/rep |
|---|---|---|---|---|---|---|
| Temp loss of key person | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Perm loss of key person | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Perm loss of more than 5 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Perm loss of more than 20 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
| Perm loss of more than 100 key people | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l | h/m/l |
- 40. Example output – loss of key people
[Bar chart: score for risk (1 = low, 3 = med, 5 = high) on a 0 to 6 axis for each business driver (Brand/rep, ROI / Cost £, Staff morale, Environment, Cust satis, Safety of client), one series per risk event.]
Total per risk event:
• Temp loss of key person: 6
• Perm loss of key person: 6
• Perm loss of more than 5 key people: 12
• Perm loss of more than 20 key people: 18
• Perm loss of more than 100 key people: 22
- 41. Summary of example outputs – capacity for single risk events

| 1 Denial of access to main site / HQ etc | 2 Staff injury/ fatality | 3 Injury / fatality customers | 4 Complaints / lawsuits | 5 Bad Debt | 6 Loss of investments | 7 Fraud | 8 Environmental incident | 9 Loss of key people |
|---|---|---|---|---|---|---|---|---|
| 6 | 6 | 10 | 8 | 6 | 8 | 6 | 8 | 6 |
| 8 | 8 | 13 | 12 | 8 | 14 | 12 | 14 | 6 |
| 14 | 8 | 14 | 14 | 12 | 14 | 20 | 16 | 12 |
| 20 | 8 | 18 | 18 | 16 | 22 | 22 | 24 | 18 |
| 22 | 14 | 22 | 22 | 20 | 28 | 21 | 28 | 22 |

Code:
• 18 or above = red
• 11 or above = yellow
• below 11 = green
In this example, the output shows that this organisation has a large CAPACITY for staff injuries, and a low CAPACITY for fraud. The TOLERANCE levels, however, may be different.
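An added example (not part of the original slides) of the workshop scoring and the colour code above: it totals the Denial of access card, finds where it first turns yellow and red, ranks the nine scenarios by how early they turn red, and flags totals that six drivers scored 1/3/5 cannot produce. The function names and the driver column order are assumptions.

```python
SCORE = {"l": 1, "m": 3, "h": 5}      # slide scoring: low = 1, med = 3, high = 5
RAG_ORDER = ["green", "yellow", "red"]

# Ratings read from the "Denial of access HQ" example slide, one letter per
# BIZ driver 1..6, lowest escalation level first. The driver order is an
# assumption (the slide table is flattened in this transcript); the row
# totals do not depend on it.
DENIAL_OF_ACCESS = [
    ("> 1 day", "llllll"),
    ("> 2 days", "llmlll"),
    ("> 3 days", "lmhlml"),
    ("> 4 days", "mhhlhl"),
    ("> 5 days", "hhhlhl"),
]

# Totals from the summary slide, lowest escalation level first (names shortened).
SUMMARY = {
    "1 Denial of access": [6, 8, 14, 20, 22],
    "2 Staff injury / fatality": [6, 8, 8, 8, 14],
    "3 Injury / fatality customers": [10, 13, 14, 18, 22],
    "4 Complaints / lawsuits": [8, 12, 14, 18, 22],
    "5 Bad debt": [6, 8, 12, 16, 20],
    "6 Loss of investments": [8, 14, 14, 22, 28],
    "7 Fraud": [6, 12, 20, 22, 21],
    "8 Environmental incident": [8, 14, 16, 24, 28],
    "9 Loss of key people": [6, 6, 12, 18, 22],
}

def rag(total):
    """Colour code from the summary slide: >= 18 red, >= 11 yellow, else green."""
    if total >= 18:
        return "red"
    return "yellow" if total >= 11 else "green"

def score_card(card):
    """Return (risk event, total, colour) for each escalation level of a card."""
    scored = []
    for event, ratings in card:
        total = sum(SCORE[r] for r in ratings)
        scored.append((event, total, rag(total)))
    return scored

def pain_threshold(scored, colour):
    """First escalation level whose colour is `colour` or worse, else None."""
    floor = RAG_ORDER.index(colour)
    for event, _total, level_colour in scored:
        if RAG_ORDER.index(level_colour) >= floor:
            return event
    return None

def first_red_level(totals):
    """1-based escalation level at which the totals first turn red, else None."""
    for level, total in enumerate(totals, start=1):
        if rag(total) == "red":
            return level
    return None

def capacity_ranking(summary):
    """Scenario names from lowest capacity (red soonest) to highest (never red)."""
    def key(name):
        level = first_red_level(summary[name])
        return level if level is not None else len(summary[name]) + 1
    return sorted(summary, key=key)

def unreachable_totals(summary, drivers=6):
    """Totals that `drivers` scores of 1, 3 or 5 cannot add up to.

    Each score is odd, so the total lies between drivers and 5 * drivers
    and has the same parity as the number of drivers."""
    bad = []
    for name, totals in summary.items():
        for total in totals:
            if not drivers <= total <= 5 * drivers or (total - drivers) % 2:
                bad.append((name, total))
    return bad

if __name__ == "__main__":
    for row in score_card(DENIAL_OF_ACCESS):
        print(row)
    print("capacity, lowest first:", capacity_ranking(SUMMARY))
    print("totals to re-check:", unreachable_totals(SUMMARY))
```

The flagged totals are worth re-adding from the completed cards before the RAG colours are reported to the Board.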
- 42. Determining Risk Appetite
We have shown some tools that can be used
for the first stage of working out the risk
appetite for an organisation – risk capacity for
single risk events. There is a lot more work to
do. We suggest a project time line of about
nine months to complete a risk appetite
statement taking about an hour per month of
the Board’s time.
- 43. Articulating Risk Appetite
Risk appetite can be articulated in a number of ways
• As a graph showing output along the vertical axis and
time along the horizontal. Variations up or down around
that line of performance can be drawn showing
CAPACITY and TOLERANCE
• As a series of matrices showing risk impact against
likelihood. One matrix per risk scenario. Show
unacceptable risks in red, barely acceptable in amber
and tolerable risks in green
• As a set of words, charts and data.
- 44. 12 point action plan
1. Agree the main drivers for the business
2. Agree purpose of setting the risk appetite statement (RAS)
3. Agree who is going to sign off the RAS
4. Agree that the RAS will be flexible
5. Agree the timetable for establishing the RAS
6. Understand that risk appetite includes a view of risk CAPACITY
and risk TOLERANCE
7. Set up your action plan to deal with Capacity and Tolerance of
risk for both Static and Dynamic risks as follows;

| | STATIC | DYNAMIC |
|---|---|---|
| Capacity single risk event | Action 1 | Action 5 |
| Capacity several risk events in a year | Action 2 | Action 6 |
| Agreed tolerance single risk event (less than capacity) | Action 3 | Action 7 |
| Agreed tolerance several risk events (less than capacity) | Action 4 | Action 8 |
- 45.
Action 1 Determining the organisation’s capacity for single risk events
Need to list some specific risk events – even though you know that when it happens it will
be different – concentrate on the “effect” of risk not the cause as the cause could be from
many quarters, but effects on the business activity are easier to predict
Use an escalation process to see where the sensitivity occurs to the risk event – the risk
pain threshold
Use a simple formula for impact eg
high = business meltdown / total catastrophe – score 5
medium = serious effect, long term problems but survivable – score 3
Low = lower than medium – score 1
Set those risk events against the business drivers
Remember we are talking about the CAPACITY – not the tolerance
Run a workshop using adapted versions of the pain threshold cards (see later)
8. Action 2 Determining the organisation’s capacity for multiple risk events
9. As above but considering multiple events
10. Action 3 Determining the organisation’s tolerance for single risk events; Do
scenario testing with top management on the highest evaluated risk events
as determined by the risk capacity exercise. Push them to articulate their
TOLERANCE for risk. Remember tolerance changes more frequently than
capacity, and should be stress tested often.
11. Action 4 As above but considering multiple events
12. Actions 5,6,7 & 8 – more complex still, so call in the experts!
- 46.
Copyright Liz Taylor
LIZ TAYLOR RISK CONSULTING
+44 1626 337626
www.liztaylorriskconsulting.co.uk
email
liz.taylor@liztaylorriskconsulting.co.uk