
New guidance on risk appetite and tolerance. I like some parts, disagree with others

September 14, 2011

The Institute of Risk Management (IRM) has just published its ‘guidance paper’ on this very important topic. It is available from the IRM web site, in both executive summary and full versions. (By way of full disclosure, I am an honorary Fellow of IRM and contributed comments on drafts of the guidance – see page 39 of the guide for a complete list of contributors. The author, Richard Anderson, is a good friend, and the guidance was co-sponsored by the Chartered Institute of Internal Auditors.)

I believe this is a very important topic because:

  • Regulators and lawmakers are pressing companies to set up risk appetite statements, establishing the level of risk that top management and the board feel is acceptable.
  • Companies are struggling with how to define their risk appetite. This is not surprising, because…
  • There are no commonly accepted definitions of risk appetite, risk tolerance, or the differences between them. I personally find the definitions in COSO less than useful, especially that of risk tolerance. ISO decided not to use the terms in the global risk management standard ISO 31000:2009 (although they are defined in ISO Guide 73). Instead, ISO 31000:2009 suggests managers should evaluate risks based on “risk criteria”.

While I am not 100% in agreement with the guidance, I believe it is valuable for all risk, audit, and governance professionals to read and consider.

In this post I want to share highlights from the guide, and my own criteria for effective risk appetite/tolerance statements. Highlights first, with comments:

  • Perhaps we should start by what is meant by the terms risk appetite and tolerance. This from the Executive Summary: “We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.”

Comment: personally, I like the definitions in ISO Guide 73, where risk appetite refers to the risk you desire in pursuit of profit, and risk tolerance reflects your ability to take risk. However, I also appreciate the ISO 31000:2009 argument that your ability to tolerate risk should only be one of the potential criteria used in determining whether to accept a level of risk. For example, how much potential reward is there for that level of risk?

  • “All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals”. (CIMA)

Comment: while profits cannot be achieved without taking risks, I should point out that the ISO standard talks about risk as the effect of uncertainty on objectives. Risk management is about managing uncertainties, not only those that may have a negative impact but also those that can allow you to achieve or even surpass your objectives.

  • “The UK Corporate Governance Code states that ‘the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.’”

Comment: While this guidance is understandably UK-centric, the pressures from regulators and others for companies to develop risk appetite statements are global.

  • “The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt”.
  • “It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations”.
  • “Risk appetite needs to be measurable”.

Comment: this is an area that I focused on in my comments. What is the point of saying the risk appetite is X when the company cannot determine whether the actual level of risk is more or less than X?

  • “Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time”.

Comment: this is a critical and frequently misunderstood point. It is not possible to combine multiple risk areas or categories and establish a single level of risk appetite or tolerance. How can you combine your tolerance for safety issues and currency exposures? Each area has to have a separately defined level.

  • “Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity”.

Comment: I think the point is that you have to be realistic and only set out to accept risks at levels you can manage.

  • “Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense”.

Comment: this talks again to the point that there is no single number for risk appetite. Each area of risk needs to be addressed separately.

My view is that (a) the discussion is important and (b) I have yet to see risk appetite/tolerance/criteria effectively managed. My criteria for effectively setting and managing risk criteria are based on the following:

  1. Boards and executive management need to be able to establish the maximum level of downside risk they desire the organization to take.
  2. Boards and executive management need to be able to assess whether the organization is accepting downside risk as desired.
  3. Risk criteria used to evaluate and determine how to respond to risk include but are not limited to risk appetite and tolerance. For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept (a) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain, (b) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $500 gain, or (c) a 20% likelihood of a $50 loss with an 80% likelihood of a $5 gain?
  4. Different risk criteria are needed for different risk areas. Some need to be managed individually (such as the risk of loss of life) and shouldn’t be aggregated with other risk areas. My guidance is to set risk criteria for each group of risks that can be managed as a group.
  5. Those responsible for making decisions – and decisions are where risks are ‘taken’ – need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
  6. While the guidance talks about the reality that risk appetite/tolerance change with time, I think the fact that the level of risk that might be considered acceptable can change quickly makes it very hard to define and fix that level. For example, it is understood that in good economic times, a successful and growing company will be more willing to accept downside risk than when times are tough and credit is tight. But economic outlooks and cash flow projections can change quickly. Any risk appetite/tolerance/criteria must be flexible enough that they can be changed as needed without, say, waiting for the next quarterly board meeting.
  7. You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.
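To make criteria 3 and 4 above concrete, here is a small worked example. It is added for this page and is not code from the IRM guidance or from the post's author; the category names, the limits in CRITERIA and the two-step decision rule are assumptions chosen to illustrate the argument. It evaluates the three options in criterion 3 (each with the same 20% chance of a $50 loss) first against a downside-only rule and then against a rule that also asks what the downside buys, and it keeps a separate set of criteria per risk category rather than one aggregated limit.

```python
"""Illustration of per-category risk criteria that combine a downside limit
with a reward test.  Added example; names, limits and the decision rule are
assumptions, not taken from the IRM paper or the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    probability: float
    payoff: float  # positive = gain, negative = loss, same units throughout


@dataclass(frozen=True)
class Decision:
    name: str
    category: str
    outcomes: tuple  # tuple of Outcome; probabilities must sum to 1


@dataclass(frozen=True)
class RiskCriteria:
    """Criteria for one risk category: one set per area, never aggregated."""
    max_loss: float              # tolerance: largest single loss the category may carry
    max_loss_probability: float  # appetite: how likely any loss may be
    min_expected_value: float    # reward criterion: return required for taking that downside


def _check(decision):
    total = sum(o.probability for o in decision.outcomes)
    if abs(total - 1.0) > 1e-9 or any(o.probability < 0 for o in decision.outcomes):
        raise ValueError(f"{decision.name}: probabilities must be non-negative and sum to 1")


def worst_case_loss(decision):
    _check(decision)
    return max(0.0, -min(o.payoff for o in decision.outcomes))


def loss_probability(decision):
    _check(decision)
    return sum(o.probability for o in decision.outcomes if o.payoff < 0)


def expected_value(decision):
    _check(decision)
    return sum(o.probability * o.payoff for o in decision.outcomes)


def downside_only_verdict(decision, criteria):
    """What a statement that only caps downside risk would conclude."""
    ok = (worst_case_loss(decision) <= criteria.max_loss
          and loss_probability(decision) <= criteria.max_loss_probability)
    return "accept" if ok else "reject"


def risk_intelligent_verdict(decision, criteria):
    """Criterion 3: the same downside limits, plus a test of the reward on offer."""
    if downside_only_verdict(decision, criteria) == "reject":
        return "reject"
    return "accept" if expected_value(decision) >= criteria.min_expected_value else "reject"


# Assumed criteria for two categories (criterion 4): a trading book that may lose
# money in return for profit, and a safety category where no loss is tolerable.
CRITERIA = {
    "trading": RiskCriteria(max_loss=100.0, max_loss_probability=0.25, min_expected_value=0.0),
    "safety": RiskCriteria(max_loss=0.0, max_loss_probability=0.0, min_expected_value=0.0),
}

# The three options from criterion 3: identical downside, different upside.
OPTIONS = (
    Decision("a", "trading", (Outcome(0.2, -50.0), Outcome(0.8, 50.0))),
    Decision("b", "trading", (Outcome(0.2, -50.0), Outcome(0.8, 500.0))),
    Decision("c", "trading", (Outcome(0.2, -50.0), Outcome(0.8, 5.0))),
)


def evaluate(decisions=OPTIONS, criteria=CRITERIA):
    """Return {name: (expected value, downside-only verdict, risk-intelligent verdict)}."""
    result = {}
    for d in decisions:
        c = criteria[d.category]
        result[d.name] = (expected_value(d), downside_only_verdict(d, c),
                          risk_intelligent_verdict(d, c))
    return result


if __name__ == "__main__":
    for name, (ev, downside, intelligent) in evaluate().items():
        print(f"option {name}: expected value {ev:+.1f}, "
              f"downside-only {downside}, with reward {intelligent}")
    # The same exposure moved into the safety category is rejected outright.
    hazard = Decision("a-safety", "safety", OPTIONS[0].outcomes)
    print("safety copy of (a):", risk_intelligent_verdict(hazard, CRITERIA["safety"]))
```

Run as a script, the downside-only rule accepts (a), (b) and (c) alike, because their loss exposure is identical; the reward-aware rule keeps (a) and (b) and rejects (c), whose expected value is negative. The same $50 exposure placed in the safety category is rejected under both rules, which is the practical consequence of giving each risk area its own criteria instead of one number for the enterprise.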

I would love to hear your comments. What do you think of the guidance, and do you agree with my criteria?

If you came to this post from LinkedIn, I would appreciate your commenting here (as well as in the group, if you want) so that we can have a wider discussion.

  1. September 15, 2011 at 8:03 AM

    Thanks for the reference to our document. I think your test is rather simplistic and not very relevant. I think the IRM paper illustrates that risk appetite is rather more complicated than simply a balance of probabilities. We can all play statistical games, but they are not going to help very much without some specific industry knowledge, and a lot of understanding about risk management capability…

  2. Norman Marks
    September 15, 2011 at 8:17 AM

    Richard, I believe the test demonstrates that risk appetite is very complicated and hard to get right. It demonstrates that focusing only on the downside, irrespective of the upside, will not get managers to the right decision.

    Your paper has made a valuable contribution to the topic, and I am very glad to see it. Has it solved the problem? Do you think so?

  3. Mark Daoust
    September 15, 2011 at 11:19 AM

    Excellent article.

    Despite the original IRM claim that, “We do not regard this guidance as the last word on the subject” (the headline on page 5 of the IRM paper), it is apparent that the IRM is not quite ready for dialogue on the topic …

    • September 15, 2011 at 12:32 PM

      Mark, I assume that you are referring to my post above. Dialogue implies two way discussion. I don’t have to sit back and not argue back. I personally, both as an individual, and in my role as Deputy Chairman of the IRM, am very willing to hear feedback and to engage in dialogue. Don’t expect me to agree with everything that I hear!

      Just to underline the point: neither the IRM nor I (as the principal author) think that the last word has been spoken on the subject. However, I think that Norman is being deliberately disingenuous, or possibly provocative, in setting a maths test, when the document is trying to move away from just being a maths test. No one can answer his question in the abstract.

      In the spirit of “discussion” and “dialogue” let me also say that the reason I personally wanted to move away from the “tolerance is about bad stuff” and “appetite is about good stuff” is because I think you can try to take too much risk: witness the GFC. Therefore, just as we are moving risk to be both positive and negative, so are tolerance and appetite. See the little graphs on p14 of the main document to see what I mean (www.theirm.org/publications/risk_appetite.html and click through to the full guidance paper).

      Bring on the feedback, let there be dialogue, but don’t expect me (or other members of the group that developed this) to agree with everything that is thrown at us…



  4. Rich Ferello
    September 15, 2011 at 11:40 AM

    Norman, you make several valid points with your comments that I plan to keep in mind with future projects.

  5. Norman Marks
    September 15, 2011 at 1:05 PM

    Richard, I suspect that you know I am not being “deliberately disingenuous”. I am genuinely concerned that while your paper (and I genuinely believe this) has made a valuable contribution (my comments notwithstanding) it is still not getting us to a solution that works in practice.

    It’s not about math. It’s about making risk-intelligent decisions – a phrase correctly used in the paper.

    How can you decide whether to accept a risk without considering the potential for reward? Your paper recognizes this.

    How can you guide people to make that decision wisely? This I don’t see.

    If I was CEO and knew that every manager was making decisions based only on what the risk appetite statement said about risk levels, I would be very worried that we were missing out on opportunities.

    Can you help us understand where in the IRM paper guidance is provided on how risks relating to entering a new market should be evaluated considering both the potential for adverse impact and the potential for reward?

  6. Gary Lim
    September 15, 2011 at 8:19 PM

    I worked at an MNC insurer for over 11 years, and I find that the insurer managed Risk Appetite and Tolerance quite well. I did not see any comments from ex-insurers or insurers. An insurer’s business is to underwrite risks; the higher the potential payment of a claim, the higher the premium, hence if there is sufficient premium the insurer would accept the risk. (Note that insurers use the word ‘risk’ to mean a piece of business, not as in the ISO 31000 definition.) The reinsurance, treaty arrangements, etc., which are complex matters, are the risk treatment behind the scenes.
    The occupancy of the client is matched against a Risk Index. For example, a manufacturer of explosives is a very high-risk business, hence the index would be, say, 1, whilst an office building (fire/explosion) is a much lower-risk business, hence the index would be 9. The Board must clearly state which Risk Index the company would underwrite; this, in my opinion, is the Risk Appetite. Say the Risk Index specified by the Board is 5: there must be no business underwritten which has a Risk Index of 4. Now, within the bandwidth of 5 to 10, an overall index for the company can be computed based on the average risk index; this is the final Risk Appetite, maybe, say, 6.8.
    Risk tolerance operates within the underwritten risk (5 to 10) (say a fire policy): there must be a number of good features like sprinkler protection, etc. Without a number of such good features, the risk would NOT be underwritten, because the residual risk is not within the company’s Risk Tolerance, OR the company would take a small share of the business (say 5% instead of 100%).
    In my opinion, it is a rather systematic way of starting with Risk Appetite at Board level and moving towards Risk Tolerance at operational level. I also find the term Risk Attitude specified in ISO 31000 to have the same implication. As for other industries, it could be done in similar ways.

  7. Kris DiGirolamo
    September 16, 2011 at 6:51 AM

    Interesting discussion – what intrigues me is that as this term is vetted in professional circles, what does it mean to other business leaders who are impacted by Risk Management but are not Risk Management professionals?

  8. adeling
    June 17, 2014 at 10:27 AM

    I’m intrigued by your disposal of the suggestion that you can have an appetite for different types of risk. Why can’t you have an appetite for currency and an appetite for workplace safety that sets limits on the assessed significance of risks of that type? Even if the group wants different appetites for different companies within the group, that could be accommodated. Could you fill out your thinking here please?
    Gavin Ayling

    • Norman Marks
      June 17, 2014 at 12:54 PM

      I agree you need different criteria for each type of risk. Unfortunately, most want to come up with a single or perhaps a handful of limits.

  9. Denis Bouvier
    February 24, 2015 at 6:38 AM

    From a public sector perspective, I’ve defined risk appetite to apply to the organization as a whole. It sets parameters for corporate behaviour or culture in achieving specific objectives. A risk appetite is not necessarily defined by a risk appetite statement but may be defined by an organization through its policies, code of conduct, program terms and conditions, etc. Once a risk appetite is defined, it is not stagnant. The risk appetite evolves with the environment in which an organization operates. I believe it is a crucial step for effective ERM practices as it provides many benefits that enhance the organization’s performance, including:

    Setting boundaries for activities and behaviours.

    Communicating senior management’s attitude towards risk to promote a risk aware culture.

    Ensuring an appropriate balance between risk taking and risk aversion.

    Improving the distribution of resources to higher organizational priorities.

    Aligning strategic goals and operational activities.

    As for risk tolerance, it deals with specific risks and influences decisions about resource allocation to manage those specific risks. It is the driver for selecting a specific risk response while considering the organization’s overall risk appetite.

    • Omphile Macheng
      November 1, 2016 at 9:08 PM

      Organisations develop a Risk Matrix which acts as a guide to risk rating on desirable impact and likelihood, which normally range from significant to major. What does a matrix contain, tolerance levels or thresholds, and how do we link it to the risk appetite statement?

      I work in a pension fund, and in our Investment Policy Statement we have targets such as CPI + 5, and funding levels of 102% depending on the investment portfolio (pensioner, market and conservative). What do these represent?

      Over the years I have realised that most organisations measure and mitigate downside risks only. Not a single company I have seen has a comprehensive risk register containing upside risks, simply because when we discuss objectives and threats we mean negative threats.
