The Board is responsible for overseeing the risk appetite of the Group. Executive Directors set the risk appetite of the Group based on the level of risk that the Group is willing to take in order to deliver against strategic, operational and financial objectives.
The risk appetite processes ensure that risks are consistently managed across the Group with decisions being made regarding the right level of risk, and that the appropriate resources and controls are put in place at each level of risk. This also ensures that risks are escalated appropriately and proportionately in line with overall appetite.
1. Set acceptable risk level
Potential impacts are assessed against a combination of likelihood and risk impact with the tolerance being categorised from risk-averse to positive.
An example of an area of risk-averse tolerance would be our approach towards seeking to comply with all relevant laws and regulations.
An example of where the Group has an open or positive tolerance to risk would be in seeking strategic growth opportunities, including acquisitions, which may require accepting a higher level of risk in order to achieve returns against our strategic objectives.
2. Compare risk assessment
Risk appetite will vary across different types of risk, and therefore appetite is further analysed between underlying, operational and strategic risks where tolerance for accepting risk will vary.
3. Determine action
Principal risks including inherent and mitigated risk are measured against the risk appetite framework to ensure that they are within tolerance of overall risk appetite. If principal risks are outside or towards the top end of risk appetite tolerance, measures will be taken including taking further mitigating actions or increasing oversight or controls. If risks are below the risk appetite tolerance level then action should be taken to consider being more open towards risk in order to facilitate achievement of our strategic objectives including higher returns or growth.
4. Describe potential impacts
Risk appetite is assessed for potential impacts across different impact categories:
- Reputational risks: considered separately across each identified stakeholder group
- Financial risk
- Operational disruption
- Legal and regulatory compliance
- Health and safety
- Environment
| Risk appetite category | Risk tolerance | Explanation |
|---|---|---|
| Averse | Very low | Activities undertaken will only be those considered to carry very low or virtually no residual risk. |
| Low | Minimal | Activities will only be undertaken where they have a low degree of residual risk. Preference for very safe business delivery with the potential for benefit or higher return not a key driver. |
| Cautious | Medium | Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent so that the residual risk is medium. Willing to tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant benefit or realise an opportunity. |
| Open | High | Activities themselves may potentially carry, or contribute to, a high degree of residual risk. Willing to consider wider range of options and choose one most likely to result in successful delivery while providing an acceptable level of benefit. Seek to achieve a balance between a high likelihood of successful delivery and a high degree of benefit and value for money. |
| Positive | Very high | Willing to be innovative and to consider opportunities offering higher business rewards despite elevated levels of inherent risk even if those activities carry a very high residual risk. |
