In times of crisis we are often focussed on the crisis itself and can sometimes overlook how it may impact your future operations, and the risks your entity was managing prior to the crisis. It is important to take a step back and think about:
- How is the crisis going to affect your entity’s ability to achieve its strategic objectives?
- Has the crisis changed any of your entity’s current risks? Is your Executive comfortable with retaining those risks as is, or do they want to do something about them?
Risk appetite and tolerances can be useful in addressing these concerns.
Both risk appetite and risk tolerance set boundaries to define how much risk an entity is prepared to take. Risk appetite describes the amount of risk that an entity is willing to accept or retain in order to achieve its objectives, while risk tolerance uses risk appetite on a more micro level to set the acceptable levels of risk taking for a specific risk or category of risk.
From a strategic perspective, it is important to consider how your response to a crisis will impact your entity’s operations and the risks it may now be exposed to. Understanding this impact, and the constraints on your organisation, will assist in designing the best approach to deliver on your organisation’s objectives.
As part of this design process, consider your entity's risk appetite to ensure that any proposed approach does not expose your entity to risks outside its appetite. This can be particularly useful when:
- developing new legislation, regulations or policies,
- delivering new programs or services, or even
- implementing internal organisational restructures.
Managing the now
From a program or project level perspective, in addition to reflecting on risk appetite, it is also important to consider your entity’s risk tolerance. Your risks could have increased as a result of the crisis.
Comparing your risk tolerance levels with potentially changed risk ratings can assist in deciding how best to manage the risks. For example, it can help with:
- reprioritising your risks,
- working out how best to rebalance your resources to manage your risks, and
- identifying which risks need to be escalated to key decision makers or communicated to stakeholders.
During a crisis it is vital to report the risks that have exceeded risk tolerance to the relevant key decision makers within your entity. In addition to the risks themselves, it is best to provide as much information about the risks as possible to assist with decision making. This could include:
- why the crisis has changed the risk, for example by increasing its likelihood or consequence,
- what current controls are in place to manage the risks and their effectiveness, and
- potential new treatments to manage the risks and required resources to implement them.
It is also important to remember that there may be instances where you need to temporarily operate outside of your entity’s risk tolerance in times of a crisis. While this is sometimes appropriate, it is important to continue monitoring and reporting on those risks to relevant Senior Executives. However, if you find that your entity is operating outside its tolerance for a large number of risks, it may mean that your entity needs to recalibrate its risk appetite and tolerance to better suit its operating environment. This, of course, would be at the discretion of your Executive.
In closing, it is important to remember that a crisis will likely cause a significant change to your operating environment, and with this change will come potential changes to your risk environment.
These changes may require you to do things differently, which could present opportunities to do things more efficiently or effectively or engage with risk in ways you weren’t able to before.
Don’t get blindsided by change. Understand what it means to your entity’s ability to deliver on its strategic objectives. Be proactive by using your entity’s risk appetite and tolerance to assist your Executive to both plan ahead and manage the present in a changed environment.