Risk Appetite Statements

Putting a focused lens on risk

The Banking Royal Commission laid bare the need for major change on a national scale. At the company level, too, it sharpened the focus on better non-financial and compliance risk management for all stakeholders.

This is not new in terms of risk focus for many sectors, but it was a tipping point for regulatory involvement and oversight of risk management. For many years we have had ASX Corporate Governance Principles that address risk appetite and management, and APRA-regulated entities examining risk. But now more action needs to be taken.

Review of risk appetite statements

While the banking and financial services sector remains at the forefront of scrutiny in Australia from a regulatory perspective, ASIC is showing greater interest in broadening that scope. There is also an increased focus on Dutch and UK financial services regulatory authority approaches, specifically their interventionist policies towards board and executive accountability for risk.

Now, there is a greater need to undertake reviews of risk appetite statement (RAS) processes and examine how risk frameworks and activities connect to that risk appetite, through the lens of regulatory expectations.

The purpose of reviewing the RAS is:

  • to check if the RAS is appropriately broad and clear;
  • to check if metrics work to assess the full spectrum of risk; and
  • to check if governance and accountability regarding financial, non-financial and compliance risk is effective.

Our team of experts is here to lend a hand and help you navigate the RAS in the most effective way possible.

Scoping out risk

Key questions to help you identify, assess, control and respond to emerging risks:

Do the board and executive understand the full spectrum of risks posed to your business?

Specifically:

  • financial;
  • non-financial; and
  • compliance.

How does the board set risk appetite and capture that in a statement for financial, non-financial and compliance risk?

  • What is the board’s process? Both at audit and risk committee (ARC) level and at full board level?
  • What are the metrics used for measuring and assessing risk?
  • Is the RAS clearly articulated in relation to financial, non-financial and compliance risk?

How does the board manage alignment with the RAS on a day-to-day basis?

  • How are risk issues considered by the board and ARC on a regular basis?
  • Who reports to the board on risk? What is the scope and frequency of their reporting?
  • Do reports to the board explicitly address the RAS? Do they align with RAS metrics?
  • Does the board understand who is responsible for various risks in the organisation?
  • Do the board's and executive's governance frameworks and skill sets allow best practice in the management of these risks?

What if there is identified non-alignment with the RAS?

  • How do you hold management accountable when outside the risk appetite?
  • What role does remuneration play?
  • Do you require management to undertake root cause analysis?

How does board consideration of risk appetite connect to executive leadership team responsibilities and risk management more broadly?

  • Who is responsible for risks identified at an executive level? And what are their roles?
  • How do governance and systems relating to risk facilitate these executives and their functions working together in risk identification, assessment and management?
  • Can each of these executives clearly articulate their role in relation to risk?
  • Do they know what the RAS of the company is and how it is relevant to the risks they are responsible for?
  • How is the RAS reflected in the policies, procedures and reporting that these various executives and functions engage in?

Risk function and risk management framework (RMF)

  • How does the RMF reflect the breadth of risks to which the business is subject?
  • Practically, how does it identify, assess and then plan for those risks?
  • Are indicators and metrics aligned with the RAS? Are they increasingly forward-looking?
  • What data is available/collated/relied upon in assessing risk?
  • How is the risk register collated and reviewed? And how often?