An effective risk tolerance, appetite, criteria, etc. statement
Hopefully, you have seen the consultation paper on Risk Appetite and Risk Tolerance published by the Institute of Risk Management. While it doesn’t close the debate over risk appetite/tolerance, or (in my opinion) over how to define and communicate the related corporate expectations for evaluating risk, it has some interesting content. I hope you will read it and share your thoughts with IRM staff.
My response was based on a few principles. I believe any guidance for evaluating risk levels (whatever you call it: risk appetite statement, risk criteria, or something different) has to meet certain requirements:
- Managers making decisions need to understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation. Any ‘risk appetite’ or similar statement needs to be practical, guiding the manager to make what I call risk-intelligent decisions. So, guidance has to be effective at the level of the manager’s decision.
- Executives need to be able to understand the aggregated and interlinked ‘risk level’ so they can determine whether it is acceptable or not. So, guidance has to be effective at the aggregated level.
- The board and executive leadership need to understand the above for the organization as a whole. So, guidance has to be effective at the entity level.
- Risk appetite is not constant. It should change as the environment and business conditions change. Any guidance for managers and executives has to recognize this. Anything approved by the board has to have some flexibility built in.
- Risk decisions need to be made with full consideration of reward. Guidance needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward. Consider the ROI standard on capital projects: sometimes it is appropriate to set a standard that the reward (likelihood and potential magnitude) has to be some multiple of the risk (likelihood and potential magnitude). Setting levels for risk without regard to reward is a recipe for failure.
Do you agree with these principles? If not, how would you change them?