Having a defined Risk Appetite Statement is a crucial starting point for the Risk Management process. Risk Appetite and Risk Tolerance are terms that are often incorrectly used interchangeably, without a solid understanding of the definition of each of these related yet different concepts.
What is Risk Appetite?
It is often said that no company or organisation, regardless of its sector, can make a profit without taking a risk. The only question is how much risk it needs to take. Taking risks without consciously managing them can lead to the failure of an organisation. A well-researched, strategically aligned and regularly revised statement from the board is therefore required in order to successfully implement and support the Risk Management function.
The COSO ERM Framework defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value”. Therefore, Risk Appetite deals with the pursuit of risk (upside risk) – “the amount and type of risk that an organisation is willing to pursue or retain” (ISO Guide 73).
An organisation’s Risk Appetite is communicated via a Risk Appetite statement, which has no fixed or defined format. The statement should include a range of quantifiable values defining the levels of risk that the board is willing to accept in pursuing the risks it is required to take in order to meet its objectives.
What is Risk Tolerance?
Whilst Risk Appetite deals with the level of risk that the organisation will pursue to meet its organisational objectives, Risk Tolerance defines the upper and lower levels that an organisation is able to deal with or absorb without significantly impacting the achievement of the strategic objectives.
Risk Tolerance can be expressed at a more granular or absolute level, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”.
Tolerance levels can also be graphically represented alongside the appetite levels on what is referred to as a risk matrix or heat map. The example below shows the appetite line, above and to the right of which performance is deemed to be sub-optimal and action should be taken.
Implementing the Methodology
Risk Appetite statements are often rather broad at the organisational level and become more refined and precise as they are implemented into departments and operations across the organisation. Tolerance levels and appetite values are likely to differ from business unit to business unit, depending on the overall weighting of that business unit to the organisation. How these statements and values are defined, communicated and monitored is a management decision. It is important for the Risk Managers in each business unit to ensure that the criteria under which they are operating are up to date with the strategic plan communicated by the board and are updated regularly.
Author: Madeleine Black, Product Manager, BarnOwl
Sources:
1. https://coso.org/
2. http://normanmarks.wordpress.com/2011/04/14/just-what-is-risk-appetite-and-how-does-it-differ-from-risk-tolerance/
3. https://theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/