Just what is risk appetite and how does it differ from risk tolerance?
How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as to clarify is “risk appetite”. What does it mean, and how does it differ from risk tolerance?
Let’s look first at the COSO ERM Framework. It defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” In their Strengthening Enterprise Risk Management for Strategic Advantage, COSO says:
“An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”
They continue:
“So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”
Does this work? To a degree, perhaps. The way I look at it, risk appetite and tolerance are devices I use to determine whether a risk level is acceptable or not. I want to make sure I take enough risk, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.
In other words, these are risk criteria: criteria for assessing whether the risk level is OK or not. Before progressing to see how ISO 31000 tackles the topic, I want to stop and see what one of the major auditing/consulting organizations has to say.
Ernst & Young has an interesting perspective, which they explain in Risk Appetite: the strategic balancing act. In the referenced PDF version, they include definitions of multiple terms:
- Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives.
- Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.
- Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.
- Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal.
- Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.
There are similarities to the COSO ERM definitions, with both using appetite for the organization’s overall acceptable level of risk, and tolerance to describe risk at a lower, more granular level. Personally, I find the EY examples and usage a little better than the COSO one – the idea of a variance from objectives is not appealing and I am not confident it is very practical.
Coming back to the idea of risk criteria: one common practice is for risk managers (and consultants, vendors, etc.) to describe risk as high, medium, low, and so on; another is to quantify it in some way, often in monetary terms (just think of a typical heat map). But just because a risk is considered “high” doesn’t necessarily mean that it is too high. Similarly, just because a risk is “low” doesn’t mean that the risk level is desirable.
Think about somebody in one of the Libyan cities being shelled this week. They are considering whether to stay or leave the city, and then whether to go to family in Tripoli or try to get across the border into Egypt. All of the options, including doing nothing, are high risk – but they need to take one.
Maybe that is an extreme example. COSO talks about balancing risk and reward, and the notion that you need to take risks – even high ones – in order to obtain rewards. An example of this could be a decision to enter a new market. The risks may be high, but the rewards justify taking them.
Exploring that example a little more, there may be several options for entering the market: slowly dipping the toe in, going full blast, or partnering with a company that already has a major presence. If you just look at the level of risk without considering the rewards that can be obtained from each option, you may make a poor decision.
Where am I going? To assess whether a risk level is acceptable or not, it is not enough to say it is high, medium, $5 million, etc. You have to say whether it is acceptable given the potential rewards, by reference to your risk criteria. This is where, for me, appetite and tolerance come into play, along with risk target as explained by EY.
So, to ISO. Here are a few definitions from ISO Guide 73, Risk Management – Vocabulary.
- Risk attitude: organization’s approach to assess and eventually pursue, retain, take or turn away from risk
- Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
- Risk criteria: terms of reference against which the significance of a risk is evaluated
- Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Risk appetite: amount and type of risk that an organization is willing to pursue or retain
- Risk tolerance: organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives
It is worth noting that the ISO 31000:2009 standard doesn’t use all these terms. Rather than getting into a detailed discussion around risk appetite and tolerance, the standard says you should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment.
Frankly, I would prefer more detailed guidance on this, as the decision on how much risk to take is the key to effective risk management. But, we will have to wait for more practical guidance from ISO and its national organizations.
Here’s my view. I like and use the ISO definitions (from Guide 73) I listed above. Companies have to take risk to make a profit, or to deliver value to their stakeholders. The level of risk they pursue is their appetite for risk. But they may be able to tolerate, or absorb, a different level of risk without significant pain and impact on achieving their strategic objectives. This is their tolerance.
A colleague with IIA Canada, Eric Lavoie, shared with me a model he has used with one of his financial services clients. My representation is shown below.
Risk appetite is represented by a range. When risk levels fall outside that range, performance is sub-optimal. When risk levels exceed the organization’s risk tolerance, it becomes more critical to take action.
So, what is your opinion? What do these terms mean in your language?
Norman: Thanks for making me think a second time. The ISO definitions are much clearer. My internal challenge is to make these definitions applicable to my clients who understand COSO. Interesting…
Good article Norm.
I was on the Ireland expert group which wrote the guidance to ISO 31000. Prior to that I did considerable work on codifying COSO between ’01–’04. We essentially broke the document down into discrete tasks which are required to be undertaken at each level within an entity. We retained tasks which are naturally weighted (i.e. tasks repeated more than once) in the code. We developed a process flow around the tasks and used a communications application to facilitate notifications of when things actually get done … right up to automated exception reports. We got to the point of a Dutch auction between two of the top three insurance brokers but Eliot Spitzer got in the way and some chief level officers (with whom we were dealing directly) had to depart the scene.
Back to your post. Had board directors simply applied COSO the way it was intended we might not have had the GFC?
Most directors (and chief officers) are not really capable of conducting meaningful discussions as to risk appetite. A fundamental reason for this, in my opinion, is that most NEDs and chief officers rarely think beyond the first horizon (5 years). In practical terms most are committed to journeys from NYC to DC but dare not ask if the long term plan is really to get to New Orleans or Tampa. Objectives therefore are more linked to compensation than long term sustainable growth for shareholders.
This is compounded by the fact, in my opinion, that very few organisations actually measure consistently across all silos such that the basic metrics for tolerance can be assembled. For those that do embrace measurement (balanced scorecard etc.) I have never seen a risk register which goes into detail as to how risks are to be actually treated. Statements as to periodic review by management are made when what is required is an articulation of specified tasks, to be executed by named individuals, defined in units of measure and thereafter independently audited as to completeness. Of course you and I know that were such attention to detail given to risk treatment then the ROI on RM can be visually presented in a demonstrably credible way in the form of simple comparison between initial and residual risk/heat maps.
I am sadly at the point where I wonder if we (RM professionals) are not complicit in the mismanagement of so many companies. We engage in technical jargon which has no place beyond the board room door where risks (whilst regulated) are mostly not policed. We are mostly tea boys to boards as we do not really influence the quality of discussions pertaining to strategic and macro operational decisions.
I have expressed some of these views in the discussion (Traditional Risk Management has Failed) which I started in the Risk Managers Group (LinkedIn).
Comments have flowed in, and some of them are quite good.
P.S. I enjoy your posts and contribution to Gov DG as well.
Regards
Peadar
Very interesting article indeed, Norman.
Learning to differentiate the types of risks is always very refreshing and brings us back to the importance of ensuring that the risk term used is understood by all.
I used to analyze the administrative policies of a healthcare facility in the Middle East and I had always factored in the risk associated with the policies; defining the particular term of the associated risk was most important.
Norman: Good article. I liked your color-coded representation of Risk Appetite and Risk Tolerance. The challenge is in maintaining an enterprise-wide risk register and being able to break down risk levels and get business stakeholders to weigh in on those to define Tolerance and Appetite on a consistent basis. Adding to the already complex challenge is the dynamic, cyclical nature of businesses and turnover at the top.
Thought-provoking stuff Norman. Peadar is correct in saying that sadly we are but tea boys to board rooms and whatever we endeavor can so easily be vetoed and waved off by uneducated top management – so educating boards on this topic should be high priority in my opinion. The area in which risk appetite comes up most often for me is not in enterprise or operational RM but project evaluation. In evaluating a project, the “risk-reward trade-off” (yet another contribution to the jargon jar) needs to be considered. Which introduces another interesting yet difficult to quantify alliance… Good luck to us all in figuring out how all of this fits together?
Different perspective Norman, thanks for that contribution. Being a fan and follower of academics in this stream, I often get jumbled with these kinds of terminology. In fact, not only to you, but to other contributors on this forum: can we cite a couple of examples which can be related directly to these terms? Just to make it simple for naive people like me 🙂
Wally, let me have the first go at some examples. I can think of a few situations where a local manager wants to take a risk, such as extending credit to a customer. But, when total credit exposure across the organization is aggregated, the corporate credit manager decides the exposure of the additional credit would be too much. The appetite is there for additional risk, because of the potential profit that would be earned. But the tolerance is exceeded.
Some domestic examples make sense as well. Often, I have an appetite for more chocolate, but my tolerance is not as great.
Anybody else?
Thanks indeed for that insight!
Here is a hypothetical example. I would invite thoughts from the members to disseminate that and throw some light on how you would correlate the risk framework terminologies.
An airport management company is considering expansion plans. They are vying to be a major hub in the region with an expected passenger traffic of 20 million by the end of the current year. They want to deploy a new baggage handling system and improve on customer service. Objectives are:
1. Accepted error rate is one in one million by end of this year.
2. This being one part of “Arrivals”, it should contribute to process time reduction by 10 minutes in the next six months and an incremental 5 minutes by end of year.
Any inputs, or is some more info required to be fed in?
Risk appetite and risk tolerance have little practical value. In the banking sector, these words led to misleading compliance…
The ISO 31000 Risk Management Standard uses the word “risk attitude” instead.
You can find the ISO reference and our related discussion in our forum, Comments on ISO31000 – 2. Terms and definitions:
http://www.linkedin.com/groupItem?view=&gid=3813785&type=member&item=45864730&qid=f2774f25-1422-4467-ac9c-840d247d2cf1&goback=.gmp_3813785
Peadar Duffy’s comment above resonates with my experience trying to implement ERM, particularly the bit where he says, “very few organisations actually measure consistently across all silos such that the basic metrics for tolerance can be assembled.” Risk appetite and risk tolerance are intellectually valid concepts, but most organizations are not willing to commit the resources required to track and measure them. To some degree, this is often because the largest, most important risks are very difficult to measure, or are commonly known to exceed a company’s “existential” risk threshold (i.e. one occurrence would put them out of business). If I’m running a moderate sized, substantially leveraged business with a limited number of products at a 5% profit margin, and I learn that the multinational corporation headquartered across town has decided to sell competing products for a 20% lower price, well, all my other risks suddenly fade into irrelevance. I’d posit that a high percentage of companies routinely operate in such a mode, where their actual risk exposure always exceeds their existential risk tolerance at some non-trivial probability. The implication is that risk appetite, expressed as a range of probabilities of default, always includes some positive probability of failure, e.g. “there’s a 5% chance that something will happen that will cause my company to go under this year,” and for the CEOs of these companies, that’s just an irreducible fact of life.
ERM has not “caught on” with many CEOs because it often does not focus on the risks that truly drive to the heart of corporate survival or competitiveness, which are the risks with which CEOs and boards of directors must be most concerned.
Finally, I could go on about how it is inherently incorrect to define any risk valuation as a single number instead of as a probability distribution, as if a “risk appetite” could be defined as some specific dollar limit in all circumstances, but that’s a different rant.
Again a great thread. Thanks Norman. My take on the tea boy tag is that it resonates almost perfectly (with men ;-). My overall view is that risk language must be consistent across the business functions (we see them as silos but CXOs don’t). I also think that risk assessment needs to be a lot more scientific in its approach – as long as it stays highly subjective it will suffer and consequent acceptance, (along with the different perspectives of that acceptance) will also remain highly subjective. Along with subjectivity comes plausible deniability and inappropriate praise/remuneration, two aspects of boardroom politics that are all too common.
I see real value for risk managers to hang up the old [tea] towel and move closer to (but not in bed with) the audit ideal in terms of true and respected independence. Perhaps reporting to a ‘special NED’ (can such a person exist? 😉) but free/required to report to the shareholders and regulators about the degree of respect that the board pays to structured risk management.
I can see that you are putting a lot of time and effort into your post. I love every single piece of information you post here. Will be back often to read more updates!
iso 9000
Norman,
I like your careful thought and well organized presentation. I have included a link on my blog to this one. You can see my blog listed below. If you would like me to remove the link, just drop me an email. Kind Regards,
Richard Ellis PMP PRM
Thanks, Richard! An honor!
useful and fantastic explanations……
Honestly I’m still confused, but what I can conclude is that risk appetite means low risk, risk tolerance is medium and intolerable risk means high. This concept, I think, is the same as risk rating and residual risk.
Let me see if I can explain. Your risk appetite is the level of risk you are willing to accept. Sometimes you are willing to accept a high level of risk because of the potential for reward. Sometimes you are not willing to take risk, such as the possibility of being arrested for non-compliance with law.
well noted Norman
I consider you an expert in the Risk Management field; however, this article has me confused, as it seems the fundamental differences between Risk Tolerance and Risk Appetite as described by you here are no longer acceptable and relevant as per the COSO 2017 framework. Even back in 2012, COSO’s definitions of Risk Tolerance and Risk Appetite were different from what is being described by you. Kindly help me understand why your definitions and explanations are different. Am I missing something?
“Risk tolerances guide operating units as they implement risk appetite within their sphere of operation. Risk tolerances communicate a degree of flexibility, while risk appetite sets a limit beyond which additional risk should not be taken.” Ref: https://www.coso.org/Documents/ERM-Understanding-and-Communicating-Risk-Appetite.pdf
The diagram shown and the explanation in your article makes the opposite assumption or that is how I am reading it (which could be my fault too!).
Risk Tolerance limits should fall within overall Risk Appetite – if you agree with this, and if this is what is meant by COSO, your diagram shows Risk Tolerance beyond Risk Appetite and should that not be wrong?
Also COSO 2017 states that “Closely linked to risk appetite is tolerance—the acceptable variation in performance. It describes the range of acceptable outcomes related to achieving a business objective within the risk appetite.”
Hope to hear from you soon.
Thank you for the kind words and observations. Of course, the post was written in 2011 – well before the 2017 update.
I have quoted in the article a paper by COSO. It includes explanation and guidance that extends what was in the 2004 framework.
I have a lot of problems with the COSO explanations of risk appetite and tolerance.
When it comes to appetite, it is not an “amount”. When you think about whether to cross the road, you consider the likelihood of a severe impact (pun intended), not just the amount. There may be other factors. In addition, any organization has to take risk to survive and may need to take a minimum level of risk to achieve its goals.
COSO risk tolerance makes no sense. If you have an acceptable level of variation from your objective, that is then your objective. In addition, it is the likelihood of missing the objective by an unacceptable amount that guides your risk-taking decision.
I hope that helps. The key is for management and the board to help those taking risks (as part of every day decisions) to take the desired level of the right risks.
Good Article
really helpful
Very informative & useful
useful information and fantastic explanation on these issue
Good Article Mr. Norman
Briefly understood about the Risk level and how to balance. Nice explanation and very informative
It is very helpful to everyone. Very useful
Nice article! These strategies help us in decision making.
Very Informative
(:
Very useful!
very useful
useful information
Great
Useful information
useful
informative and useful. Thanks!
This is very useful! Thanks for the info.
Amazing & very well explained!!
Amazing material.
Useful information-Thank you
Amazing
Very interesting and useful
Very interesting
Very good article for clarifying concepts.
Nice