A discussion of Risk Appetite by thought leaders

November 10, 2010

Last month, I was privileged to speak at the Institute of Risk Management (IRM) in London. This is an interesting organization, focused on enterprise risk management. Their web site is www.theirm.org.

While there, I picked up a copy of their excellent magazine: Risk Management Professional – www.rmprofessional.com.

A couple of articles in their Risk Appetite column, from the March and September issues, caught my eye.

In the March issue, Philip Martin (page 22 at this link) started the discussion. He is chairman of the Institute of Operational Research (IOR) and clearly a respected thought leader on this topic.

I have always stressed that a risk appetite statement has no value unless you can measure actual risk levels against it, which lets you take action to manage the level of risk you take. Philip provides two examples of how this can be articulated.

  • “We will invest a percentage of our funds in a particular asset and sell it when the price reaches X or drops to Y: our portfolio will be made up of A% equities, B% bonds and C% cash across certain sectors”
  • “We will lend specific amounts to particular sectors and in certain geographic territories”

Philip closes his short article with a reference to an IOR paper – available at http://www.ior-institute.org.

In the September issue, Richard Archer picks up the discussion. I like his explanation of the difference between risk appetite and risk tolerance (the first is the level of risk you pursue to make profit, the second is how much you can tolerate before financial or other distress), as well as the discussion of practical challenges when setting risk appetite/tolerance levels.

Questions for you:

  • Has your organization set risk appetite or tolerance limits?
  • Are actual levels measured and compared to the limits?
  • Are they communicated to all who need to act on them?
  • Can you share your successes, recommendations, etc?
  1. November 10, 2010 at 5:26 AM

    I have seen the concept of risk appetite primarily associated with ERM. Has anyone seen where the concept was applied to internal audit’s risk assessment or scoping of individual audits?

    • nmarks
      November 10, 2010 at 5:46 AM

      Where there is not a separate, enterprise risk management process, internal audit naturally places reliance on their own risk assessment.

      It would certainly be valuable to include management’s risk tolerance in the IA risk assessment process. But it is hard to envisage a situation where a company does not have ERM but has a defined risk tolerance.

      And – internal audit should not try to take over the management function of establishing risk tolerance levels. What IA can do is highlight risks where it is clear that management believes risk levels are higher than tolerance.

      I hope this helps.

  2. November 11, 2010 at 1:51 AM

    Hello all,
    I would like to share a response on the above, in particular to 1- Philip’s articulation of appetite, and 2-Richard’s definition of appetite versus tolerance.
    I would be happy to discuss this further.

    For 1- I would say the driver for this articulation, which is meant to be at the business line level, is in fact the corporate-wide appetite, which needs to be formalized as a percentage of the firm’s value. The business line then needs to agree a metric to translate the allocated portion of the corporate appetite and establish those appetite-satisfying limits.

    For 2- I would establish the difference between appetite and tolerance as follows;

    Risk appetite is a main component of risk management and can be defined as the amount and nature of risk exposure the firm’s shareholders are willing to accept during a certain time horizon in pursuit of its business vision. This is in consideration of both the firm’s internal state and the market conditions during that time horizon.

    A driver of risk appetite is the risk tolerance, which can be defined as the degree of risk-aversion or risk-preferring of the firm’s shareholders when considering a specific business venture and its specific profit-loss potential. This is in consideration of the firm’s internal state.

    Hope useful
    Nice day
    Amer Shashati

  3. John Fraser
    November 26, 2010 at 2:40 PM

    Prior to COSO’s 2004 ERM publication, the words appetite and tolerance were used interchangeably (this statement is based on research I did at that date).
    COSO has muddied the water by creating an expectation that an organization can have a single risk appetite and also several tolerances. Anyone attempting this exercise quickly realizes that no organization can have a single “appetite”. I explain this by an analogy to humans who do not have a single risk appetite, by asking them about their risk appetite for chocolate and then for sky-diving. The result becomes obvious that there is no such thing as a single appetite.
    ISO 31000 deals with this quite well by calling what is required “risk criteria” (we have called them “risk tolerances” since 2000 as we had to call them something. We could as easily have chosen to use the term risk appetites.)
    Risk criteria are essential to ERM as without such criteria one cannot properly identify risks nor allocate resources on a logical risk prioritization basis.
    All of the above have been explained since 2002 with examples in my various publications on the Hydro One methodology.

  4. Norman Marks
    December 9, 2010 at 7:14 AM

    One of the concerns I have is that we (management and auditors) limit our thinking. Risk management is not only about how we address risks inherent in a financial services company portfolio; it’s not only about the big events that might sink the ship all by themselves.

    Risk should be part of how we make decisions all the time: from which candidate to hire, which vendor to select for a purchase, whether to move forward with a capital project, how to decide which price to offer in a customer negotiation, or whether to change previous strategies because of changes in risk levels.

    It’s not only the big stuff, but it includes the small stuff – the ones that can destroy your business just as much as the large ones.

    Primary principles:
    1. Include a consideration of risk (including how you will manage it) in every decision
    2. Have a way that lets you estimate, within a reasonable range, its likelihood and potential impact
    3. Have criteria (tolerance and appetite) against which you can assess whether you want to take the risk or not (without acting to reduce or increase risk levels)
    4. Then you can determine the actions to take in response to the risk

    By the way, I (and I think most of the risk gurus) do not believe you can effectively aggregate risk across categories like compliance, strategy, financial, operational, reputation, etc. A 5% of income or 10% of market cap only works if you can aggregate risks.

    You need to set risk appetite/tolerance at a granularity that enables risk-intelligent decisions.

  5. Anand Varma
    September 29, 2014 at 2:40 PM

    Risk management is about resource management, a plan how to reduce losses and a specialized field of management.
