
Just what is risk appetite and how does it differ from risk tolerance?

How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as to clarify is “risk appetite”. What does it mean, and how does it differ from risk tolerance?

Let’s look first at the COSO ERM Framework. It defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” In their Strengthening Enterprise Risk Management for Strategic Advantage, COSO says:

“An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”

They continue:

“So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”

Does this work? To a degree, perhaps. The way I look at it, risk appetite or tolerance are devices I use to determine whether the risk level is acceptable or not. I want to make sure I take enough, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.

In other words, these are risk criteria: criteria for assessing whether the risk level is OK or not. Before progressing to see how ISO 31000 tackles the topic, I want to stop and see what one of the major auditing/consulting organizations has to say.

Ernst & Young has an interesting perspective, which they explain in Risk Appetite: the strategic balancing act. In the referenced PDF version, they include definitions of multiple terms:

  • Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives.
  • Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.
  • Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.
  • Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal.
  • Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.

There are similarities to the COSO ERM definitions, with both using appetite for the organization’s overall acceptable level of risk, and tolerance to describe risk at a lower, more granular level. Personally, I find the EY examples and usage a little better than the COSO one – the idea of a variance from objectives is not appealing and I am not confident it is very practical.

Coming back to the idea of risk criteria: one common practice is for risk managers (and consultants, vendors, etc.) to talk about risk as being high, medium, low, etc.; another is to quantify it in some way, often in monetary terms. (Just think of a typical heat map.) But, just because a risk is considered “high” doesn’t necessarily mean that it is too high. Similarly, just because a risk is “low” doesn’t mean that the risk level is desirable.

Think about somebody in one of the Libyan cities being shelled this week. They are considering whether to stay or leave the city, and then whether to go to family in Tripoli or try to get across the border into Egypt. All of the options, including doing nothing, are high risk – but they need to take one.

Maybe that is an extreme example. COSO talks about balancing risk and reward, and the notion that you need to take risks – even high ones – in order to obtain rewards. An example of this could be a decision to enter a new market. The risks may be high, but the rewards justify taking them.

Exploring that example a little more, there may be several options for entering the market: slowly dipping the toe in, going full blast, or partnering with a company that already has a major presence. If you just look at the level of risk without considering the rewards that can be obtained from each option, you may make a poor decision.

Where am I going? To assess whether a risk level is acceptable or not, it is not enough to say it is high, medium, $5 million, etc. You have to say whether it is acceptable given the potential rewards by reference to your risk criteria. This is where, for me, appetite and tolerance play – and risk target, as explained by EY.

So, to ISO. Here are a few definitions from ISO Guide 73, Risk Management – Vocabulary.

  • Risk attitude: organization’s approach to assess and eventually pursue, retain, take or turn away from risk
  • Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
  • Risk criteria: terms of reference against which the significance of a risk is evaluated
  • Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
  • Risk appetite: amount and type of risk that an organization is willing to pursue or retain
  • Risk tolerance: organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives

It is worth noting that the ISO 31000:2009 standard doesn’t use all these terms. Rather than getting into a detailed discussion around risk appetite and tolerance, the standard says you should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment.

Frankly, I would prefer more detailed guidance on this, as the decision on how much risk to take is the key to effective risk management. But, we will have to wait for more practical guidance from ISO and its national organizations.

Here’s my view. I like and use the ISO definitions (from ISO Guide 73) I listed above. Companies have to take risk to make a profit, or deliver value to their stakeholders. The level of risk they pursue is their appetite for risk. But they may be able to tolerate, or absorb, a different level of risk without significant pain and impact on achieving their strategic objectives. This is their tolerance.

A colleague with IIA Canada, Eric Lavoie, shared with me a model he has used with one of his financial services clients. My representation is shown below.


Risk appetite is represented by a range. When risk levels fall outside that range, performance is sub-optimal. When risk levels exceed the organization’s risk tolerance, it becomes more critical to take action.

So, what is your opinion? What do these terms mean in your language?

Other references:

Food for Thought on Risk Appetite

A discussion of Risk Appetite by thought leaders

Understanding and articulating risk appetite (KPMG)

  1. Timothy Hediger
    April 15, 2011 at 3:44 AM

    Norman: Thanks for making me think a second time. The ISO definitions are much clearer. My internal challenge is to make these definitions applicable to my clients who understand COSO. Interesting…

  2. April 15, 2011 at 7:51 AM

    Good article Norm.

    I was on the Ireland expert group which wrote the guidance to ISO 31000. Prior to that I did considerable work on codifying COSO between ’01 and ’04. We essentially broke the document down into discrete tasks which are required to be undertaken at each level within an entity. We retained tasks which are naturally weighted (i.e. tasks repeated more than once) in the code. We developed a process flow around the tasks and used a communications application to facilitate notifications of when things actually get done … right up to automated exception reports. We got to the point of a Dutch auction between two of the top three insurance brokers but Eliot Spitzer got in the way and some chief level officers (with whom we were dealing directly) had to depart the scene.

    Back to your post. Had board directors simply applied COSO the way it was intended we might not have had the GFC?

    Most directors (and chief officers) are not really capable of conducting meaningful discussions as to risk appetite. A fundamental reason for this, in my opinion, is that most NEDs and chief officers rarely think beyond the first horizon (5 years). In practical terms most are committed to journeys from NYC to DC but dare not ask if the long term plan is really to get to New Orleans or Tampa. Objectives therefore are more linked to compensation than long term sustainable growth for shareholders.

    This is compounded by the fact, in my opinion, that very few organisations actually measure consistently across all silos such that the basic metrics for tolerance can be assembled. For those that do embrace measurement (balanced scorecard etc.) I have never seen a risk register which goes into detail as to how risks are to be actually treated. Statements as to periodic review by management are made when what is required is an articulation of specified tasks, to be executed by named individuals, defined in units of measure and thereafter independently audited as to completeness. Of course you and I know that were such attention to detail given to risk treatment then the ROI on RM can be visually presented in a demonstrably credible way in the form of simple comparison between initial and residual risk/heat maps.

    I am sadly at the point where I wonder if we (RM professionals) are not complicit in the mismanagement of so many companies. We engage in technical jargon which has no place beyond the board room door where risks (whilst regulated) are mostly not policed. We are mostly tea boys to boards as we do not really influence the quality of discussions pertaining to strategic and macro operational decisions.

    I have expressed some of these views in the discussion (Traditional Risk Management has Failed) which I started in the Risk Managers Group (LinkedIn).

    Comments have flowed in, and some of them are quite good.

    P.S. I enjoy your posts and contribution to Gov DG as well.

    Regards

    Peadar

  3. Shahnaz Merenkov
    April 15, 2011 at 8:36 PM

    Very interesting article indeed, Norman.

    Learning to differentiate the types of risks is always very refreshing and brings us back to the importance of ensuring that the risk term used is understood by all.

    I used to analyze the administrative policies of a healthcare facility in the Middle East and I had always factored in the risk associated with the policies; defining the particular term of the associated risk was most important.

  4. Umesh Tiwari
    April 17, 2011 at 11:44 AM

    Norman: Good article. I liked your color-coded representation of Risk Appetite and Risk Tolerance. The challenge is in maintaining an enterprise-wide risk register and being able to break down risk levels and get business stakeholders to weigh in on those to define Tolerance and Appetite on a consistent basis. Adding to the already complex challenge are the dynamic, cyclical nature of businesses and turnover at the top.

  5. Francois Grobler
    April 18, 2011 at 4:57 PM

    Thought-provoking stuff Norman. Peadar is correct in saying that sadly we are but tea boys to board rooms and whatever we endeavor can so easily be vetoed and waved off by uneducated top management – so educating boards on this topic should be a high priority in my opinion. The area in which risk appetite comes up most often for me is not in enterprise or operational RM but project evaluation. In evaluating a project, the “risk-reward trade-off” (yet another contribution to the jargon jar) needs to be considered. Which introduces another interesting yet difficult to quantify alliance… Good luck to us all in figuring out how all of this fits together?

  6. Wally Walter
    April 26, 2011 at 5:28 AM

    Different perspective Norman, thanks for that contribution. Being a fan and follower of academics in this stream, I often get jumbled with these kinds of terminology. In fact, not only to you, but to other contributors on this forum: can we cite a couple of examples which can be related directly to these terms? Just to make it simple for naive people like me :)

  7. Norman Marks
    April 26, 2011 at 8:57 AM

    Wally, let me have the first go at some examples. I can think of a few situations where a local manager wants to take a risk, such as extending credit to a customer. But, when total credit exposure across the organization is aggregated, the corporate credit manager decides the exposure of the additional credit would be too much. The appetite is there for additional risk, because of the potential profit that would be earned. But the tolerance is exceeded.

    Some domestic examples make sense as well. Often, I have an appetite for more chocolate, but my tolerance is not as great.

    Anybody else?

  8. Wally Walter
    April 27, 2011 at 6:48 AM

    Thanks indeed for that insight!

    Here is a hypothetical example. I would invite thoughts from the members to disseminate that and throw some light on how you would correlate the risk framework terminologies.

    An airport management company is considering expansion plans. They are vying to be a major hub in the region with an expected passenger traffic of 20 million by the end of the current year. They want to deploy a new baggage handling system and improve on customer service. Objectives are:

    1. Accepted error rate is one in one million by the end of this year.
    2. This being one part of “Arrivals”, it should contribute to a process time reduction of 10 minutes in the next six months and an incremental 5 minutes by the end of the year.

    Any inputs, or is some more information required to be fed in?

  9. April 29, 2011 at 11:59 AM

    Risk appetite and risk tolerance have little practical value. In the banking sector, these words led to misleading compliance…

    The ISO 31000 Risk Management Standard uses the word “risk attitude” instead.
    You can find the ISO reference and our related discussion in our forum Comments on ISO31000 _ 2. Terms and definitions :

    http://www.linkedin.com/groupItem?view=&gid=3813785&type=member&item=45864730&qid=f2774f25-1422-4467-ac9c-840d247d2cf1&goback=.gmp_3813785

  10. Brian Warren
    May 16, 2011 at 1:38 PM

    Peadar Duffy’s comment above resonates with my experience trying to implement ERM, particularly the bit where he says, “very few organisations actually measure consistently across all silos such that the basic metrics for tolerance can be assembled.” Risk appetite and risk tolerance are intellectually valid concepts, but most organizations are not willing to commit the resources required to track and measure them. To some degree, this is often because the largest, most important risks are very difficult to measure, or are commonly known to exceed a company’s “existential” risk threshold (i.e. one occurrence would put them out of business). If I’m running a moderate-sized, substantially leveraged business with a limited number of products at a 5% profit margin, and I learn that the multinational corporation headquartered across town has decided to sell competing products for a 20% lower price, well, all my other risks suddenly fade into irrelevance. I’d posit that a high percentage of companies routinely operate in such a mode, where their actual risk exposure always exceeds their existential risk tolerance at some non-trivial probability. The implication is that risk appetite, expressed as a range of probabilities of default, always includes some positive probability of failure, e.g. “there’s a 5% chance that something will happen that will cause my company to go under this year,” and for the CEOs of these companies, that’s just an irreducible fact of life.

    ERM has not “caught on” with many CEOs because it often does not focus on the risks that truly drive to the heart of corporate survival or competitiveness, which are the risks with which CEOs and boards of directors must be most concerned.

    Finally, I could go on about how it is inherently incorrect to define any risk valuation as a single number instead of as a probability distribution, as if a “risk appetite” could be defined as some specific dollar limit in all circumstances, but that’s a different rant.

  11. May 30, 2011 at 1:35 PM

    Again a great thread. Thanks Norman. My take on the tea boy tag is that it resonates almost perfectly (with men ;-). My overall view is that risk language must be consistent across the business functions (we see them as silos but CXOs don’t). I also think that risk assessment needs to be a lot more scientific in its approach – as long as it stays highly subjective it will suffer and consequent acceptance, (along with the different perspectives of that acceptance) will also remain highly subjective. Along with subjectivity comes plausible deniability and inappropriate praise/remuneration, two aspects of boardroom politics that are all too common.

    I see real value for risk managers to hang up the old [tea] towel and move closer to (but not in bed with) the audit ideal in terms of true and respected independence. Perhaps reporting to a ‘special NED’ (can such a person exist ;-) but free/required to report to the shareholders and regulators about the degrees of respect that the board pay to structured risk management.

  12. August 4, 2011 at 4:11 AM

    I can see that you are putting a lot of time and effort into your post. I love every single piece of information you post here. Will be back often to read more updates!
    iso 9000

  13. February 2, 2012 at 11:18 AM

    Norman,
    I like your careful thought and well organized presentation. I have included a link on my blog to this one. You can see my blog listed below. If you would like me to remove the link, just drop me an email. Kind Regards,

    Richard Ellis PMP PRM

    • Norman Marks
      February 2, 2012 at 11:20 AM

      Thanks, Richard! An honor!

  14. sakeer husain
    June 15, 2012 at 8:36 AM

    useful and fantastic explanations……
