Practical Governance

Understanding Risk Appetite

Learn how risk appetite can enable bold decision-making and strategic growth, not just limit risk, with insights from director Catherine Brenner.


Risk appetite is often framed as a constraint — something that reins in behaviour or limits what’s possible. But in this episode of Minutes by boardcycle, Catherine Brenner and I discussed how a well-designed risk appetite statement can be just the opposite: a strategic enabler that empowers bold and informed decision-making.

Appetite doesn’t mean avoidance

Catherine was clear that risk appetite isn’t about stopping people from taking risks. It’s about:

  • Creating confidence to pursue opportunities within agreed boundaries
  • Encouraging clarity on what’s acceptable — and what’s not
  • Framing trade-offs between risk and reward in a way that’s aligned to strategy

Boards and management teams don’t create value by avoiding all risk. In fact, Catherine noted that many opportunities only exist because of uncertainty. A clear risk appetite gives leaders the space to act decisively.

Language matters

One of the more nuanced parts of our conversation centred on the language used in risk appetite statements. Terms like “no appetite” or “zero tolerance” can be problematic when applied to risks that are inherent — such as cyber threats or system outages.

Catherine made the point that:

  • No appetite for cyber risk is unrealistic unless you’re planning to disconnect from the internet entirely
  • Instead, the focus should be on minimising residual risk and investing appropriately in mitigation
  • Appetite should reflect what’s possible — not just what’s desirable

Boards need to be precise in the way they express appetite, or risk sending mixed messages about what’s expected.

From strategy to execution

Catherine also shared how appetite statements should connect to broader governance levers — such as KPIs, budgets and strategic goals. When those elements are misaligned, risk appetite becomes abstract. But when aligned, it helps:

  • Ensure management decisions are consistent with board expectations
  • Support innovation by clarifying boundaries
  • Build trust between governance layers

The message from this conversation? Risk appetite shouldn’t be treated as a handbrake. Done well, it’s the opposite — a framework that enables an organisation to move faster, not slower.


Richard Conway is the founder of boardcycle, the board meeting platform designed for Company Secretaries. Create, manage and automate your board agendas, shell minutes and more with boardcycle Agendas.

[00:00:00] Intro: Welcome to Minutes by boardcycle, where in each episode we pack the insights from one of Australia's boardroom leaders into just a few minutes.

[00:00:09] Intro: In today's episode, Richard Conway interviews Catherine Brenner, Chair of Australian Payments Plus, and Director of Scentre Group, Emmi, and the George Institute of Global Health, about risk appetite statements, their importance, their role, and how to get them right.

[00:00:29] Richard Conway: Welcome to Minutes by boardcycle. I'm your host, Richard Conway. And today, my guest on the podcast is Catherine Brenner. Catherine's the chair of Australian Payments Plus and a non executive director at Scentre Group, Emmi and the George Institute of Global Health. Previously, Catherine has had an extensive career as a non executive director on a number of ASX listed organisations and in investment banking.

[00:00:52] Richard Conway: Catherine, thank you for joining me today.

[00:00:55] Catherine Brenner: Hi Richard, lovely to have a chat.

[00:00:57] Richard Conway: Catherine, so I wanted to talk to you today [00:01:00] about how Boards and organisations can get their risk appetite right. So having an articulated risk appetite statement is now a requirement for many organisations, but it's being broadly adopted by many more.

[00:01:14] Richard Conway: But their purpose on how to get that right is often a little bit difficult for organisations and so to start off with I wanted to ask you at just a high level, what you see as the purpose of having risk appetite statements and how they fit into the overall risk appetite framework in an organisation.

[00:01:35] Catherine Brenner: Sure. Well, risk appetite statements or the RAS, as they're often referred to, as shorthand, are really important because they provide guide rails that outline the board's and the organisation's appetite and tolerance for risk in pursuit of the organisation's objectives. And it underpins sound risk governance, which goes to everything from culture to how [00:02:00] decisions are made.

[00:02:01] Catherine Brenner: Having it in a document, and it's usually part of a suite of documents, enables the board to communicate to the whole organisation the desired risk tolerance for specific risk to the organisation, to monitor and measure how the organisation is operating against the risk appetite. And also if something's out of risk appetite or getting close to being out of risk appetite, mobilising the resources and implementing strategies to bring that matter back inside appetite.

[00:02:31] Richard Conway: And in your experience, Catherine, are there some key things that a company or organisation has to do to make sure that they get those statements right and that they achieve their purpose? And conversely, are there some things that they, you know, definitely have to avoid in that process?

[00:02:49] Catherine Brenner: So it's more than just a piece of paper. That if it's something where a consultant comes in and drafts a risk appetite statement and it gets approved and then sits in a folder until next year [00:03:00] when it's on the calendar to re-look at, you might as well not have one.

[00:03:04] Catherine Brenner: A risk appetite statement as part of a suite of documents, along with a framework document, a risk register, different organisations call them different things, but a risk management policy, heat maps, all of those sorts of things are how it's brought to life and how it is converted into tools to be used in everyday decisions.

[00:03:24] Catherine Brenner: Great risk appetite statements become part of just this is how we do things around here day to day. So having a number of iterations on the preparation of your first risk appetite statement and then when you update it is really important.

[00:03:38] Catherine Brenner: And the bottom up process, which comes through different parts of the organisation identifying and talking about what sort of risks they encounter, what the opportunities are, how they mitigate those risks, is an important part of that, and then that will cascade up through the organisation to the leadership team, and then be organised under different headings.

[00:03:59] Catherine Brenner: I think [00:04:00] personally that having more than a dozen or so categories of major risks means that perhaps a little bit more work and thinking needs to be done. Then having a sort of top down review of those risks, which is how the risk committee, and then the board, will look at them, and the leadership team will have done the same, helps stress test those risks. It helps understand and test what risks we are willing and able to accept.

[00:04:28] Catherine Brenner: It enables the team to understand that they can take risk in some areas and in other areas that more needs to be invested in mitigants. Because risk is a finite resource like any other resource, whether it's human capital, financial capital, et cetera, and it needs to be understood and applied accordingly.

[00:04:47] Richard Conway: I just wanted to pick up on one thing you said there, Catherine, because I think it can come across, I guess, from the name of a risk appetite statement that what these do for a management team is tell them what they [00:05:00] can't do. But you mentioned there the idea that it can tell you what you can do as well.

[00:05:05] Richard Conway: And I just wanted to ask your thoughts on a risk appetite as a statement as an enabling statement, as opposed to restricting one.

[00:05:14] Catherine Brenner: Well, businesses are in the nature of taking risk because to get rewards you need risk. And so there are some things where in order to grow, to meet customer needs, we will need to take some risk. The risk might be it's an uncharted area.

[00:05:29] Catherine Brenner: But if significant opportunities have been identified, the organisation may be receptive to that risk. But as part of being receptive to that risk, we'll also need to look at providing a reasonable degree of protection from the aspects of the risks that can be mitigated. Understanding a risk can be of itself a competitive advantage.

[00:05:51] Richard Conway: And so you've, already, I think, alluded to there the possibility or that it is fine and appropriate for an organisation to decide that [00:06:00] it has a high risk appetite for something if the opportunity involved in it is, you know, appropriately high as well. On the flip side of that, you do sometimes see organisations state that they have no appetite for a particular risk.

[00:06:14] Richard Conway: And I wanted to ask you whether you think that that is a useful way of thinking about things. I guess my reason for that is that, for asking that question is that, obviously usually those things would be very extreme and obviously no one would want them to happen. But, as soon as they do happen, you're obviously going to be outside of your risk appetite.

[00:06:36] Richard Conway: So yeah, just wondering if you could talk a little bit about that scenario.

[00:06:41] Catherine Brenner: Sure. And look, language is really important here. I find that the definitions of no appetite and receptive and what goes in between do vary between my different organisations. And so understanding what a definition and appetite means is very important.

[00:06:58] Catherine Brenner: So, when I think of my own [00:07:00] organisations that there's, no appetite for incidents that threaten the life, you know, the safety, you know, the fatalities, there's no appetite for that. That there's no appetite for material conduct risk and, you know. But, for example, on cyber, as much as you wish that there wasn't any cyber activity, to have no appetite, really means that you're not going to, for example, be connected to the web.

[00:07:26] Richard Conway: Yes.

[00:07:27] Catherine Brenner: And so cyber is an example where an organisation may have a very low appetite for a cyber attack or a data breach which causes significant loss or harm, or a sustained system outage. But they'll be receptive to the strategic use of emerging technologies provided that the risks associated with them are understood and mitigated. And there'll be no or little appetite for not investing to secure appropriate service levels or privacy, et cetera. So it's multi-levelled, [00:08:00] but it's a folly for a board to put zero risk appetite on something like cyber.

[00:08:04] Richard Conway: Yes, absolutely. And so does it follow from that, Catherine, that if you say that you have no risk appetite for something that does occur, that is not consistent with that risk appetite, effectively the board is saying that we will expend a very high level of resources in eliminating that risk in its entirety, to the extent that it's possible for us to do that. Whereas in the cyber scenario, I guess you're saying that your only ways of doing that would be crippling for your business. So you just accept that inherently there must be some risk if you want to do business there.

[00:08:41] Catherine Brenner: That's right, but you need to mitigate it as much as is possible. And sometimes there are risks which, even with lots of mitigants, still have a residual risk that's quite high. And so the role of the board and the risk function and all the front, you know, first line, is to [00:09:00] ensure that those mitigants are in place, that they're constantly tested and reviewed and uplifted when necessary.

[00:09:08] Catherine Brenner: You know, risk is not a once and done activity. It's a constant activity.

[00:09:12] Richard Conway: Great. The last question I wanted to ask you on this theme, Catherine, was about the process of landing your risk appetite statements. And what I particularly wanted to ask here is often that process is a multi layered process. It begins at a certain level in an organisation and will go through some management layers before it comes to the board.

[00:09:35] Richard Conway: And so it's quite easy in that process for each layer to kind of add additional conservatism into the process. And I wanted to ask whether you think that that's a problem, and if so, how you would go about combating that problem.

[00:09:52] Catherine Brenner: So once again, there are many factors that come into play here, and this, you know, risk appetite statements and the risk toolkit [00:10:00] is not a standalone item.

[00:10:01] Catherine Brenner: And so on the other side, there's the strategic objectives, the budgets, the KPIs that the management team have, and those come into play to have that discussion. And what I find is really important is having the time to have those discussions.

[00:10:17] Catherine Brenner: So, for example, in risk committees, having on each agenda a deep dive into one of the major risk areas so that we can test that and calibrate whether we do have sufficient mitigants, whether we aren't taking as much risk as we really need to be to meet our commercial objectives, to stay ahead of the competition, to serve customers. That tension is a good tension within an organisation.

[00:10:41] Catherine Brenner: I do think it's really important that those discussions aren't just amongst the second line of defence, that it also includes the first line, because the first line owns risk. If I look around a risk committee or a discussion on risk and it's all second line there, there's something wrong.

[00:10:56] Richard Conway: Can I just ask you to clarify to any of our [00:11:00] listeners who don't understand that terminology that you use there what the distinction between first and second line is?

[00:11:06] Catherine Brenner: Yes, apologies. So first line are the business unit leaders and people on the front line. The second line are people within the risk function; some organisations classify, for example, the company secretary as second line. And then the third line is usually external, so the external auditors. And so those three lines have different roles to play. But the risk ultimately has to be owned by the business owner.
