Risk appetite basics – six frequently asked questions, answered
Although there is a broad understanding about what “risk appetite” is and how it may be used by a business, there are significant discrepancies between the definitions used by standard-setting bodies like COSO and ISO.
Click here to read the full guide: What is risk appetite and how do you implement it?
According to COSO (Committee of Sponsoring Organisations):
- Risk appetite is the amount of risk you are prepared to take to meet your aspirations
- Risk tolerance is the amount of risk you are willing to take to meet your aspirations
But this is opposite to how the ISO (International Organisation of Standardisation) defines the two concepts in its 2009 guide (Guide 73):
- Risk tolerance is the amount of risk you are prepared to take to meet your aspirations
- Risk appetite is the amount of risk you are willing to take to meet your aspirations
These differences raise a debate about how we, as a risk community, can produce more effective and practical risk appetite and tolerance statements.
1. How useful are risk appetite and tolerance anyway?
The jury is still out. And opinions vary.
Some will say appetite and tolerance are “pivotal for strategy design and business success”. Others will see them as a “compliance instrument”. And some will say they are “utter nonsense or a waste of time”.
It is worth noting that for some sectors – particularly financial services – risk appetite will be defined by regulators. In other words, risk-taking parameters will be set by lenders, banks, or other external bodies.
And when this is the case, adhering to appetite and tolerance becomes a compliance issue.
Using qualitative measures will add human biases to the equation. Risk management must be based on facts and data to add value to decision-making.
For other sectors, risk-taking parameters will be set by the board and/or executive management.
In my opinion, when done ‘right’, risk appetite and risk tolerance are tools that can effectively guide decision-making on several levels – operational, tactical, and strategic.
So, what is ‘right’?
Well, let’s take a look at the typical considerations when creating risk appetite and tolerance statements: the use of ‘low, ‘medium’ and ‘high’ definitions within our appetite statements.
I will use ISO’s vocabulary throughout to argue my point. And I will use the term ‘risk tolerance’ and implicitly assume risk appetite is used in parallel.
2. Should I define tolerance in terms of low, medium and high?
The risk tolerance of any organisation will differ between categories and types of risks:
- You may have a very high tolerance for liquidity risks as you are well financed. This allows you to pursue bold endeavours.
- You may have a very low tolerance for health and safety risks because you take good care of your employees.
- You may have a high tolerance for reputational risk as you are a commodity, with an inconsequential brand name.
- You may have a very low tolerance for environmental risks because you wish to be a good and responsible citizen wherever you operate.
Some will regard the tolerance statements I described above as ‘useless’ – because they place risk parameters in terms of very low, or high.
Likely questions will be:
What do you mean by “very high”?
How low is “low”?
In simple terms, qualitative measures are useless and only serve to add a false sense of security.
Using qualitative measures will add human biases to the equation. Risk management must be based on facts and data to add value to decision-making.
3. If low, medium and high are ‘useless’ then what should I place in my tolerance statements?
Let’s add an extra layer of detail to what I described earlier or, in other words, let’s look at how we replace ‘high’, ‘medium’, and ‘low’ with more useful measures.
The potential impact of all risks, opportunities, and uncertainties must be measured in performance metrics – used by the company.
To be blunt: if you cannot measure the impact of a particular risk in terms of your company’s performance, then consider this: the risk in question does not affect company performance.
In other words, the risk is inconsequential.
For each risk, opportunity, and uncertainty, you must define the outcome range as a statistical distribution.
More specifically, for risks and opportunities, you must define their likelihood.
If you cannot measure the impact of a particular risk in terms of your company’s performance metrics, then consider this: the risk in question does not affect company performance.
To calculate the combined exposure, you need to use Monte Carlo simulation. A formula-based calculation is not a plausible approach.
Using Monte Carlo will enable you to monitor and report on outcome ranges and risk exposures.
Based on this approach, you can begin to rework your corporate-level risk tolerance statements with more precise considerations. For example:
- The company may accept liquidity risk when the 5% worst-case negative liquidity exposure does not exceed $100m USD.
- Employee safety must be secured to the extent that there is less than a 1% likelihood of any permanent injury; 5% disability and less than 10% likelihood of hospitalisation.
- The company does not monitor nor measure brand and/or reputation.
- Management must ascertain environmental damages are contained within company premises. The likelihood of external environmental damage must be below 5% and the related clean-up costs must not exceed 10% of USD in any given year.
4. What about upside risks?
Effective risk management deals with upside as well as downside risks. As such, the company may operate with positive risk tolerances.
For example:
- To ensure and focus on sustainable development, the company will not actively pursue growth beyond 20%. In effect, this means if/when more than 20% growth is achieved it is driven by outside factors and is potentially rare.
- The company will not pursue profitability exceeding 20% return on sales as this is expected to negatively impact brand perception. Higher profitability may occur based on external events/circumstances.
Such statements – along with monitoring of current exposure – will provide management with guidance on new decisions.
From time to time, risk tolerances will hamper the pursuit of some specific initiative. However, I have also worked with companies where the actual/current exposure was significantly below what was deemed acceptable by the board.
I often use traffic as an analogy to further explain my view on risk tolerance statements. In a way, they resemble speed limits and are designed to ensure a reasonable level of traffic safety.
As racing icon Mario Andretti once said, “If everything is under control, you are moving too slowly”.
In this situation, management was ‘driving too slow’ and thereby not developing the company to the extent they could have done. That deprives shareholders of value creation.
Risk tolerance – and hence risk appetite – can be a highly valuable management guidance tool.
5. So, should I use statistics in project-level tolerance statements too?
In a similar vein, for individual decisions, initiatives and projects, risk tolerance statements may look something like this:
- Project management must ensure a minimum of 40% likelihood of meeting the defined target and must ensure a 95% certainty of providing a positive net present value.
- Project management must ensure a minimum 75% certainty that the project will be completed within the target date.
All these statements are easily modeled and simulated using Monte Carlo simulation.
The so-called Tornado diagrams provide priorities as to which issues will most affect the outcome, should a plan fall outside of a project risk tolerance.
On decision/project and on an operational level, a defined risk tolerance and risk appetite will guide managers to make better decisions.
6. Do I create one or several tolerance statements?
Those who believe risk tolerance statements are ‘useless’ argue that you cannot create one single statement to guide decision-making.
This is true.
Risk tolerance is, and must be, linked to your performance indicators/metrics. This may mean you end up creating a risk tolerance statement for each metric.
Some initiatives will be limited by, for example, safety tolerance and others will be limited by financial risks.
Furthermore, there will be several levels:
- Tolerance based on executive/strategic level or subject to approval by the board of directors
- Tolerance used for individual decisions and/or projects.
Whether you’re looking at tolerance at a corporate or strategic level or at an operational and project level – risk tolerance statements are valuable.
Risk tolerance is deliberately deciding how fast you are or will allow yourself to go.
In summary
- ISO and COSO – agree on terminology: it is confusing when two powerful organisations contradict each other on terminology.
- The concepts of risk tolerance and risk appetite are useful guides for decision-making from company strategy to individual decisions. Put simply, two ‘boundaries’ and three levels of management of risks are defined.
- When based on facts and data, risk appetite and risk tolerance are powerful tools for intelligent risk-taking.
Do you have more questions about risk appetite? We've created this handy risk appetite guide using insight from meetings and collaboration between members of Risk Leadership Network. Of course, members of our network get additional peer-contributed case studies, tools and templates from risk leaders around the world. Our corporate network is growing – with more leaders discovering the benefits of peer-led collaboration for risk management better practice. Please do get in touch with us to discuss joining. |