New guidance on risk appetite and tolerance. I like some parts, disagree with others
The Institute of Risk Management (IRM) has just published its ‘guidance paper’ on this very important topic. It is available from the IRM web site, in both executive summary and full versions. (By way of full disclosure, I am an honorary Fellow of IRM and contributed comments on drafts of the guidance – see page 39 of the guide for a complete list of contributors. The author, Richard Anderson, is a good friend, and the guidance was co-sponsored by the Chartered Institute of Internal Auditors).
I believe this is a very important topic because:
- Regulators and lawmakers are pressing companies to set up risk appetite statements, establishing the level of risk that top management and the board feel is acceptable.
- Companies are struggling with how to define their risk appetite. This is not surprising because….
- There are no commonly accepted definitions of risk appetite, risk tolerance, or the differences between them. I personally find the definitions in COSO less than useful, especially that of risk tolerance. ISO decided not to use the terms in the global risk management standard 31000:2009 (although they are defined in ISO Guide 73:2009, the risk management vocabulary). Instead, 31000:2009 suggests managers should evaluate risks based on “risk criteria”.
While I am not 100% in agreement with the guidance, I believe it is valuable for all risk, audit, and governance professionals to read and consider.
In this post I want to share highlights from the guide, and my own criteria for effective risk appetite/tolerance statements. Highlights first, with comments:
- Perhaps we should start with what is meant by the terms risk appetite and risk tolerance. This from the Executive Summary: “We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.”
Comment: personally, I like the definitions in ISO Guide 73, where risk appetite refers to the risk you desire in pursuit of profit, and risk tolerance reflects your ability to take risk. However, I also appreciate the ISO 31000:2009 argument that your ability to tolerate risk should only be one of the potential criteria used in determining whether to accept a level of risk. For example, how much potential reward is there for that level of risk?
- “All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals”. (CIMA)
Comment: while profits cannot be achieved without taking risks, I should point out that the ISO standard talks about risk as the effect of uncertainty on objectives. Risk management is about managing uncertainties, not only those that may have a negative impact but also those that can allow you to achieve or even surpass your objectives.
- “The UK Corporate Governance Code states that ‘the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.’”
Comment: while this guidance is understandably UK-centric, the pressures from regulators and others to have companies develop risk appetite statements are global.
- “The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt”.
- “It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations”.
- “Risk appetite needs to be measurable”.
Comment: this is an area that I focused on in my comments. What is the point of saying the risk appetite is X when the company cannot determine whether the actual level of risk is more or less than X?
- “Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time”.
Comment: this is a critical and frequently misunderstood point. It is not possible to combine multiple risk areas or categories and establish a single level of risk appetite or tolerance. How can you combine your tolerance for safety issues and currency exposures? Each area has to have a separately defined level.
- “Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity”.
Comment: I think the point is that you have to be realistic and only set out to accept risks at levels you can manage.
- “Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense”.
Comment: this speaks again to the point that there is no single number for risk appetite. Each area of risk needs to be addressed separately.
My view is that (a) the discussion is important and (b) I have yet to see risk appetite/tolerance/criteria effectively managed. My criteria for setting and managing risk criteria effectively are the following:
- Boards and executive management need to be able to establish the maximum level of downside risk they desire the organization to take.
- Boards and executive management need to be able to assess whether the organization is accepting downside risk as desired.
- Risk criteria used to evaluate and determine how to respond to risk include but are not limited to risk appetite and tolerance. For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept (a) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain, (b) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $500 gain, or (c) a 20% likelihood of a $50 loss with an 80% likelihood of a $5 gain?
- Different risk criteria are needed for different risk areas. Some need to be managed individually (such as the risk of loss of life) and shouldn’t be aggregated with other risk areas. My guidance is to set risk criteria for each group of risks that can be managed as a group.
- Those responsible for making decisions – and decisions are where risks are ‘taken’ – need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
- While the guidance talks about the reality that risk appetite/tolerance change with time, I think the fact that the level of risk that might be considered acceptable can change quickly makes it very hard to define and fix that level. For example, it is understood that in good economic times, a successful and growing company will be more willing to accept downside risk than when times are tough and credit is tight. But economic outlooks and cash flow projections can change quickly. Any risk appetite/tolerance/criteria must be flexible enough that they can be changed as needed without, say, waiting for the next quarterly board meeting.
- You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.
I would love to hear your comments. What do you think of the guidance, and do you agree with my criteria?
If you came to this post from LinkedIn, I would appreciate your commenting here (as well as in the group, if you want) so that we can have a wider discussion.