Attitudes to risk and risk management

Understanding how organisational attitudes to risk shape your legal responsibilities

This article explains how an organisation’s approach to risk influences legal decision-making. It outlines the concepts of risk appetite, tolerance, and management frameworks, showing how in-house lawyers can align advice with strategic objectives.

By using risk appetite statements and understanding organisational risk positions, legal teams can guide decisions effectively, mitigate misunderstandings, and enhance influence across the business, while ensuring risks are identified, categorised, and managed appropriately.

Key takeaways

  • Risk appetite defines the level of risk an organisation is willing to accept to achieve objectives.
  • Legal teams may own, manage, or oversee risks depending on responsibility and expertise.
  • Risk appetite statements provide a framework for consistent decision-making and communication.
  • Risk tolerance indicates the acceptable deviation from the defined risk appetite.
  • Aligning legal advice with risk policies improves collaboration and business impact.

How they directly impact your role

It is often said that one of the key roles of an in-house lawyer is the management of legal risk.

You can find some core articles on defining and managing legal risk in our knowledge area – see Legal risk in an organisation, Legal’s role in managing legal risk and Revisiting legal risk.

These articles helpfully detail how risk can be identified and managed, what the legal team’s role can be in managing legal risk, and how you might create and operate a legal risk management process.

Underpinning all these practical steps, though, is your organisation’s attitude to risk and risk management – commonly referred to as your risk appetite. What risk, or level of risk, is regarded as acceptable? How is that risk categorised? And what happens when attitudes to risk are compromised?

In the following paragraphs, we’ll briefly outline the core concepts, before looking in detail at attitudes to risk and risk management through risk appetite. You might find it useful to look at these three core articles too.

Legal risk in an organisation

Legal Risk in an Organisation helpfully identifies three lines of defence to risk – ownership and management, oversight, and assurance. Typically, a legal function will own and manage some risks and oversee others. It won’t normally give assurance that controls are effective – that is something more appropriate to an independent function such as internal audit.

Legal’s role in managing legal risk

Legal’s role in managing legal risk looks in more detail at how the legal function can provide ownership, management, and oversight of particular risks. It might own and manage risks for which it has primary responsibility, such as litigation and the use of external lawyers. It might oversee risk in areas where it has expertise but isn’t primarily accountable – for example, competition law or regulatory compliance. The article also identifies seven personal strategies which in-house lawyers can use to manage risk – ranging from talking to colleagues and getting involved in broader business activities to managing their own risks.

Revisiting legal risk

Revisiting Legal Risk looks at the practical steps you can take to introduce a legal risk management process, through the preparation of a legal risk register, a legal risk map or matrix (sometimes known as a heat map) and a legal risk management plan.

It notes that once a risk is identified, there are several possible responses. You might mitigate it – perhaps by changing the activity in some way to reduce the risk. You might eliminate it – stop carrying out the activity altogether. You might manage the potential impact. You might transfer it to someone else – perhaps by contract, or by insurance. Or, of course, you might decide to accept the risk as a fundamental part of what the organisation does. Typically, you’d reach this conclusion only after considering all the other options.

Attitudes to risk – your risk appetite

In developing risk management processes – and deciding what to do about the risks identified – there must be a common understanding in the organisation about the nature and extent of the key risks that it is willing to take to achieve its objectives. That common understanding of attitude to risk is often referred to as your risk appetite.

Many organisations – private and third sector, as well as the public sector – use the UK Government’s guidance on risk management structures and control frameworks, commonly known as The Orange Book, which you can find at The Orange Book – Management of Risk – Principles and Concepts (publishing.service.gov.uk). It goes into much more detail about the concepts which underpin risk management and which are discussed in the three CLL articles mentioned above.

Linked to that guidance is an extremely useful Risk Appetite Guidance Note (publishing.service.gov.uk). It notes that effective risk management frameworks systematically anticipate and prepare successful responses to risk – and that one of the key considerations is the determination of the organisation’s risk appetite.

It suggests that an organisation should identify its optimal risk position – the level of risk with which it aims to operate – and its tolerable risk position – the level of risk at which it is willing to operate given current constraints, on a journey to achieving its optimal risk position. These are critical, strategic, judgments which should be reviewed and adopted at the board level, not simply held as operational considerations.

In defining these risk positions, you will be very aware that risks are dynamic and can change dramatically, both in content and impact, in a short space of time. Add in a changing business environment, the effect of a pandemic, and regulatory and political developments, and it becomes clear that the risks identified even last year are unlikely to be the same as those which affect your organisation now, still less those which will affect it in the future.

Experience can be a very helpful factor in identifying and managing risks, but it is important to recognise that it can also lead to a risk being assessed as limited simply because it hasn’t caused a problem in the past, rather than to an understanding that it might well become a problem in the future as the environment or other factors change.

The risk appetite statement

It is very helpful for an organisation to capture its appetite for risk in a risk appetite statement. This gives a framework to aid decision-making and describes its attitude to risk in each of the main areas of risk affecting the organisation.

The Risk Appetite Guidance Note gives some examples of the use of a risk appetite statement in practice. For example, risk appetite may be defined by risk categories into five appetite levels – averse, minimal, cautious, open, and eager.

The five risk appetite levels and their descriptions are:

  • Averse: Avoidance of risk and uncertainty in the achievement of key deliverables or initiatives is a key objective. Activities undertaken will only be those considered to carry virtually no inherent risk.
  • Minimalist: Preference for very safe business delivery options that have a low degree of inherent risk; the potential for benefit/return is not a key driver. Activities will only be undertaken where they have a low degree of inherent risk.
  • Cautious: Preference for safe options that have a low degree of inherent risk and only limited potential for benefit. Willing to tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant benefit and/or realise an opportunity. Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.
  • Open: Willing to consider all options and choose the one most likely to result in successful delivery while providing an acceptable level of benefit. Seek to achieve a balance between a high likelihood of successful delivery and a high degree of benefit and value for money. Activities themselves may potentially carry, or contribute to, a high degree of residual risk.
  • Eager: Eager to be innovative and to choose options based on maximising opportunities and potential higher benefits, even if those activities carry a very high residual risk.

The guidance suggests that risk appetite is defined for each of the Orange Book risk categories of strategy, governance, operations, legal, property, financial, commercial, people, technology, information, security, project/programme, and reputational.

While many of these specific areas may include legal elements, as a theoretical example of categorisation of legal risks, the Guidance suggests that sample responses might include:

  • Averse: Play safe and avoid anything which could be challenged, even unsuccessfully
  • Minimal: Want to be very sure we would win any challenge
  • Cautious: Want to be reasonably sure we would win any challenge
  • Open: Challenge will be problematic, we are likely to win, and the gain will outweigh the adverse impact
  • Eager: Chances of losing are high but exceptional benefits could be realised

It goes on to give an example of an organisational appetite summary. Again, it is interesting to see the example summary concerning legal and regulatory compliance risks:

Legal/Regulatory compliance risks

We have adopted a cautious stance for compliance, seeking a preference for adhering to responsibilities, and safe delivery options with little residual risk. The Board will have annual assurance that compliance regimes are in place.

These are, of course, just examples, and you will want to identify your organisation’s own risk appetite, but the Orange Book examples can serve as a useful starting point.

Risk appetite v. Risk tolerance

Although sometimes the terms risk appetite and risk tolerance are used interchangeably, risk tolerance is perhaps better seen as the acceptable deviation from the level set by the risk appetite statement – in essence, the boundary of risk-taking that the organisation is willing to accept. You can find a useful explanation of the difference in Risk Appetite vs. Risk Tolerance: What is the Difference? (isaca.org).

How does this directly impact you?

Sadly, there are still perceptions in some organisations that the in-house legal team is a blocker – the ‘business-prevention department’ – often seeming to use an assessment of risk to prevent commercial activities. Many such perceptions are unfounded – see for example Legal as a blocker – how to confront the perception (https://www.legalleadership.co.uk/knowledge/leading-the-team/managing-the-function/legal-as-a-blocker-how-to-confront-the-perception/).

At the heart of the issue, though, is ensuring that the legal team and the broader organisation understand one another and crucially use the same vocabulary.

Nowhere is this more important than in the risk arena. If it seems the legal team is working in a vacuum, or with a different agenda than colleagues, inevitably tensions will arise. There are, of course, times when it is legal’s role to stand firm and to say ‘no’, or at least to offer an alternative solution, even if it may not be popular.

If there is a clear, board-driven, statement of the organisation’s risk appetite, that is an excellent starting point for helpful advice and discussion. If the legal team can describe its analysis and concerns in the language of the risk appetite statement, it’s possible to transform the presentation of the position. Instead of it appearing that ‘legal would say that’, you can move the narrative to show the issue in the context of the board’s policies, and better still, to use them to indicate what is possible.

For example, if the board has adopted a ‘cautious’ appetite for legal and compliance risks – and made clear in the risk appetite statement what it means by that – then the legal team’s advice can be presented in that context.

The team can also use the risk appetite statement proactively with clients to work with them to define what that means about particular legal risks – for example by defining what are unacceptable contractual terms and conditions or identifying negotiating positions which meet the board’s requirements. A forward-looking use of the risk appetite statement can allow you to build legal’s influence and impact within the organisation.

It’s sometimes said that lawyers and their clients speak different languages. In the area of risk, at least, a common definition of the organisation’s attitude to risk through the use of a risk appetite statement can provide a helpful dictionary.

Some further resources

CLL Resources

Legal risk in an organisation

Legal’s role in managing legal risk

Revisiting legal risk

Legal as a blocker – how to confront the perception

Other resources

The Orange Book: Management of Risk – Principles and Concepts (publishing.service.gov.uk)

Risk Appetite Guidance Note (publishing.service.gov.uk)

Using Risk Tolerance to Support Enterprise Strategy, ISACA Foundation – Risk Appetite vs. Risk Tolerance: What is the Difference? (isaca.org)

BS 31000 Risk Management - Principles and Guidelines, and BS 31100 Risk Management – Code of Practice

Fundamentals of Risk Management, Paul Hopkin (Kogan Page)

The Risk Management Handbook, Ariane Chapelle (Kogan Page)

References to material from the Orange Book and Risk Appetite Guidance Note are used under the terms of the Open Government Licence.