On February 21, 2020, the Association of Federal Enterprise Risk Management (AFERM) and the Senior Executives Association (SEA), with the support of Guidehouse, hosted a seminar on defining and operationalizing risk appetite. This seminar is part of an ongoing seminar series on Enterprise Risk Management.
The event featured presentations and a panel discussion by:
- Tom Brandt, Chief Risk Officer, Internal Revenue Service (IRS)
- George Jenkins, Chief Financial Officer, National Institute of Standards and Technology (NIST)
- Nahla Ivy, Enterprise Risk Management Officer, NIST
- Eugene Schied, Acting Chief Financial Officer, National Credit Union Administration (NCUA)
David Fisher, ERM Practice Leader, Guidehouse moderated the event.
Risk appetite is the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Mr. Fisher noted that the development of risk appetite should align with the strategy of an organization. Misalignment can lead to tension in the types and amount of risk being accepted and negatively impact an organization’s ability to balance risk and opportunity.
Each panelist described their agency’s approach to defining, assessing, and/or operationalizing risk appetite. Following the presentation, the panelists facilitated a workshop to help attendees create a risk appetite statement for their own agencies.
Defining Risk Appetite
Each of the three agencies tailored their approach to defining risk appetite, taking into account factors such as the agency’s mission and culture.
Mr. Brandt emphasized the importance of considering culture in the approach for defining risk appetite. Before articulating a formal agency risk appetite statement, the IRS familiarized itself with the concept of risk appetite. IRS introduced a tool called the Risk Acceptance Form and Tool (RAFT) which documented business decisions in the context of risk appetite. Mr. Brandt reported that the tool, because it aligned well with the mission, culture, and existing governance processes at the IRS, was widely used and facilitated conversations around risk and risk appetite that laid the foundation for developing a risk appetite statement. The RAFT provided IRS leadership with experience applying the concept of risk appetite to business decisions, and as a result, the IRS was able to successfully develop a risk appetite statement that framed the attitudes of leadership around risk.
Similarly, NIST’s approach to defining risk appetite is informed by their mission and culture, however, NIST does not have a formal agency risk appetite statement. Mr. Jenkins and Ms. Ivy emphasized that risk appetite discussions must be framed in the appropriate context in order to be useful. For example, being overly risk averse in areas related to the advancement of science and technology would run counter to NIST’s mission to promote U.S. innovation and competitiveness. Therefore, NIST should be more willing to pursue options with high uncertainty and high potential gains in these areas. In lieu of a formal risk appetite statement, NIST opted to create a data driven view of risk appetite across key areas of the organization. NIST surveyed senior leadership to understand their current and desired states of risk acceptance across five key “slices” of the agency in the context of NIST’s mission and goals. This ensured that the results spoke to alignment with the agency’s mission and provided an enterprise view of the agency’s risk appetite. The survey results identified some areas with a gap between leadership’s perceived current risk appetite and the desired risk appetite. This realization helped link strategy with the daily operations to ultimately guide business decisions because staff felt secure and supported by leadership in carrying out their duties within clearly defined boundaries.
Value of Risk Appetite
All three agencies discussed the benefits of operationalizing risk appetite. Mr. Brandt noted that, among other benefits, the IRS’s risk appetite statement helps to guide decisions around risk acceptance and the risk responses that in place to address risks. In some instances, the organization may need to accept a level of risk that is outside of the preferred risk appetite. In these situations, the RAFT is a helpful tool to think through the impacts of this type of decision and articulate why a certain level of risk should be accepted. Mr. Jenkins and Ms. Ivy also noted that their approach to risk appetite helps the organization to explore and evaluate options, considering both the upside and downside of risks and making an informed decision.
Mr. Schied provided use cases to illustrate the value that NCUA found in operationalizing risk appetite. NCUA developed an overall risk appetite statement that frames the agency’s overall philosophy towards risk, as well as more specific risk appetites aligned with strategic priorities. NCUA uses risk appetite to conduct a gap analysis and identify areas of misalignment where the organization should consider changes. NCUA’s approach entails determining the residual risk in an area and comparing it against the risk appetite. A gap between the residual risk and risk appetite serves as a signal that leadership should consider changes to risk responses and/or risk appetite. In one instance, the agency had a low risk appetite for a particular industry risk. In parsing through this risk, and considering both the residual risk and risk appetite, NCUA decided to modify both the risk appetite and the risk responses in place to narrow the gap between residual risk and risk appetite. In another scenario, NCUA used risk appetite to evaluate a planned agency action that posed a potential IT security risk around PII information. The review affirmed NCUA’s low risk appetite in this area and resulted in the organization deciding to forgo the activities, consistent with risk appetite.
Conclusion
According to the most recent Federal Enterprise Risk Management Survey conducted by AFERM and Guidehouse, only 36% of the federal agencies that responded have a risk appetite statement. For agencies interested in articulating a risk appetite, the diverse experiences and approaches of the presenters in defining, assessing, and operationalizing risk appetite illustrate that—just as there is no one risk appetite statement that applies to all organizations—there is no one-size-fits-all approach to risk appetite. Agencies should take careful inventory of their mission, culture, and other unique factors of their organization in order to most effectively implement and obtain the greatest value from risk appetite-related activities.
Don’t Miss the Next AFERM Event
Look for upcoming events on AFERM’s Event Page and join the mailing list using the form on the right (or below) to be notified of new events by email.