Risk appetite Writing a statement of risk appetite

Risk appetite Writing a statement of risk appetite Examples to guide you in writing your own vmia. vic. gov. au

A definition How much and what type of risk are we as an organisation willing to take, and create, to pursue our objectives? Each of us makes this calculation implicitly or explicitly in pursuit of our goals. It is part of the natural flow of decision making. A decision about what to do is shaped by our understanding of the risks we must take to achieve our objectives. But every decision to act also creates risk. Both need to be kept in mind. In an organisation, it needs to be made explicit so that the organisation acts in a consistent and unified way on risk and spends resources wisely. Decide your objectives June 21 Decide how much and what type of risk you'll take, and create, in pursuing them Make your decisions 2

Deciding what must go right and what can’t go wrong The responsible body of your organisation will come to a consensus on what aspects of the organisation’s functions and activities are a priority. The resulting list could include descriptions of objectives, strategies, programs, assets, types of risk or emerging features of its internal and external context. What that means is that you may need to state your appetite in different ways. In the following slides we will give you • some linguistic strategies to help construct your statements • tables for organising priorities, risks and statements. We will also give examples. June 21 3

Linguistic strategies These uses of language make explicit, what is mostly an implicit judgement about risk appetite. They are a useful way to elicit the qualitative information needed for a risk appetite statement. Strategy 1 To [INSERT goal] we are willing to/must [INSERT action] even if it means [INSERT the potential undesirable consequence]. For example, a) To provide better care to our patients we are willing to implement an innovative service model, even if it means increased expenditure on research and testing in the current financial year and slower delivery of service in limited circumstances during trial periods. b) We must find new ways to deliver training to our students even if it means that we reduce the number of qualifications we offer in order to manage the change to a new operating model. c) We must reduce water consumption over the coming ten years even if means loss of revenue on our current business model. June 21 4

Linguistic strategies Strategy 2 We are keen to [INSERT action and objective], but not at the expense [INSERT undesirable consequence]. For example, a) We are keen to increase the number of sites our officers inspect in the course of the week, but not at the expense of their safety or the quality of the inspection. b) We are keen to take a leadership role in our sector when it comes to transitioning the Victorian economy to net-zero emissions but not at the expense of multi-lateral action on shared risks. c) We are keen to increase the range of education and training opportunities we provide to our students but not at the expense of equity of access. June 21 5

Linguistic strategies Strategy 3 We prefer to [INSERT action] rather than [INSERT the potential undesirable alternative action or consequence] For example, a) We prefer to enter contracts with IT services partners that can demonstrate previous experience in the government and a record of successful delivery for clients in the health sector rather than higher-risk start ups with innovative products. b) We prefer to seek funds to develop a new business model in order to ensure the long-term viability of our organisation, rather than sink more public money in maintaining the current model. c) We prefer to consider a budget over-run of 10% rather than fail to deliver the outcomes we seek through our new contract management system. June 21 6

Linguistic strategies Strategy 4 We welcome/will not accept [INSERT the type of action] For example, a) We welcome new techniques, technologies and behaviours where it can be shown that they will make a material difference to our ability to achieve our objectives. b) We will not accept any violations of the Victorian Government’s Code of Conduct from any of our staff wherever they work in the organisation and will take the appropriate action to address them and show leadership to the rest of the organisation and the sector. c) We welcome opportunities to collaborate with other organisations in the Victorian Public sector to manage the risks associated with economic and demographic changes underway in our region. June 21 7

Linguistic strategies Strategy 5 We have a lower appetite for [INSERT the type of action] We have a higher appetite for [INSERT the type of action] Note that they come in pairs For example, a) We have a higher appetite for new techniques, technologies and behaviours where it can be shown that they will make a material difference to our ability to achieve our objectives. b) We have a lower appetite for engaging small entrepreneurial businesses offering products that would disrupt core services and capabilities. And another example a) We have a higher appetite for new methods of online service delivery. b) We have a much lower appetite for breaching our clients’ privacy. June 21 8

Table showing priority, risk types and appetite Priority INSERT here a description of the objective, strategy, program, assets, type of risk or emerging features of its internal and external context that your responsible body is focused on. Risk category Risk appetite Strategic Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. Operational Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. Reputation Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. Financial Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. Legal Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. People and safety Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk. Environmental Use the linguistic strategies outlined earlier to state your responsible body’s appetite for risk.

Example Priority Public, private and confidential information held by our organisation will be kept secure and used only for business purposes and public good. Risk category Risk appetite Strategic We are keen to use the public data we hold to create value for our clients and Victorians, but not at the expense of the security of confidential and private information. Operational We are keen to improve the efficiency of our information management but not at the expense of security, accountability and the transparency of public information. Reputation We must put in place effective governance for managing information, even if our engagement with stakeholders or collaboration with partners is slower because of our efforts to safeguard information. Financial We are keen to finalise our plans to invest in new information management systems to protect the data we hold and create new public value, but not at the expense of thoroughly developing a business case and careful implementation. Legal We will not accept any breaches of State and Commonwealth laws in relation to managing data and information. People and safety We will not accept any breaches of governance or procedures when in comes to the private and confidential information that we hold. Environmental We welcome opportunities to use our data to reduce our exposure to insurable climate and environmental risk.

Table highlighting significant types of risk against a priority Priority INSERT here a description of the objective, strategy, program, assets, type of risk or emerging features of its internal and external context that your responsible body is focused on Risk category Risk appetite statement Financial (for example) … … … Legal (for example) …

Example Business objective Manage delivery of services sustainably over the life of our current strategy Maintain high levels of information governance, security and accountability Risk category Risk appetite statement Financial We are keen to identify ways to reduce the cost of delivering our services in order to invest in improving their quality. People and safety We will not accept any products, services or processes that could harm either our employees or the people we deliver services to. Environmental We welcome any delivery models that will help us achieve our goal to achieve net-zero emissions across our business. Legal We will not accept any breaches of State and Commonwealth laws in relation to managing data and information.

INSERT here a description of the objective, strategy, program, assets, type of risk or emerging features of its internal and external context that your responsible body is focused on Risks Priority Table for comparing appetite • • Describe the risk to this priority … Risk appetite We have a lower risk appetite for: • Describe the event, action, activity We have a higher risk appetite for: • Describe the event, action, activity

Table for comparing appetite for specific risks Improve patients’ access and safety and the quality of clinical experience Risks Priority • • Patients receive inadequate clinical care in any part of the hospital. Property, plant and equipment can’t support objectives. The reputation of the hospital as a research institution suffers. ICT infrastructure cannot meet service delivery requirements. Risk appetite We have a lower risk appetite for: • Failure to meet clinical healthcare and quality targets including National Elective Surgery Targets • Failure to deliver on formal commitments made to political stakeholders • Losing status as a teaching hospital • Embarking on initiatives without detailed consultation with the government to understand expectations and tolerances • Closing facilities and ending services without public consultation. We have a higher risk appetite for: • Exceeding budget to enable delivery of improved health outcomes for the population • Some negative media attention in relation to provision of quality healthcare and pursuit of population health initiatives • A drop in our patients’ rating of their experience