Morgan O'Rourke
Editor
Karen Arbasetti
Designer
A Balancing Act

Risk appetite and tolerance definitions often can be a balancing act as an organization's stakeholders may have varying philosophies on how much risk should be pursued or retained. Risk appetite and tolerance are influenced by the nature of the organization and by the industry that an organization operates in:

• Companies with higher risk appetite generally are more focused on the potential for a significant increase in value and earnings. As a result, these companies may be willing to accept higher risk in return. Early-stage, high-potential, high-risk, growth startup companies have a high appetite for risk and are usually willing to accept greater volatility and uncertainty.

• Conversely, companies with lower risk appetite generally are more risk averse as their focus is on stable growth and earnings. They may be more averse to market fluctuations and greatly influenced by legal and regulatory requirements.

Some definitions distinguish between appetite and tolerance in that appetite is viewed as a statement that defines the organizational philosophy for managing and taking risk and tolerance as a quantitative metric in order to bound activities and consequences within the metric. Therefore, an organization's risk appetite must be aligned with its risk tolerances.

Risk tolerance can be measured as an acceptable/unacceptable range of variation relative to the achievement of a specific objective or to the aggregated risk appetite. Risk tolerance provides constraints around the level of risk, which may have upper boundaries (e.g., tolerate no more than) and lower boundaries (e.g., tolerate at a minimum or not tolerate a return less than x based on the risk assumed). It may be measured using the same units as the related objective. These risk tolerances may be accompanied by a risk target. A risk target is a desired level of risk that the organization believes is optimal to meet its objectives. This often can be some level within the risk tolerance boundaries, possibly depicted along a risk/reward curve.

Implicit in the risk tolerance and risk target concepts are reviews to determine the suitability, adequacy and effectiveness in operating within the boundaries at the desired target levels. Monitoring changes from the expected outcomes is vital for risk tolerance statements to be meaningful. Unexpected or unacceptable deviations should trigger further analysis and action, including escalation to senior management. As with appetite, an organization's risk tolerance generally is driven by its objectives and stakeholder expectations, ranging from value protection (generally lower tolerance levels) to value creation (generally higher tolerance levels). Tolerances are also highly dependent on how well capitalized or financed the organization is.

An organization should not define risk appetite without considering its risk capacity. Risk capacity is the amount of risk an organization can actually bear. An organization's board and management may have a high risk appetite but not have enough capacity to handle a risk's potential volatility or impact. Conversely, the risk capacity may be high but the company may decide based on strategy, management objectives and stakeholder expectations to adopt a lower risk appetite.

Understanding Your Organization's Risk Appetite

Implementation of an effective ERM program is incomplete without determining and defining an organization's risk appetite and risk tolerance. In fact, according to the RIMS Risk Maturity Model, risk appetite management is one of seven essential attributes of an effective ERM framework and an essential part of any risk-mature organization (Figure 1). Maturity is further determined by the degree of understanding and accountability of five factors:

• Defining acceptable boundaries
• Calculating and articulating tolerance
• Developing risk portfolio views
• Making risk and reward trade-offs in daily management
• Attacking gaps between perceived and actual risks

Figure 1: Essential Attributes of an Effective ERM Framework
• ERM-based approach
• Process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
Source: RIMS Risk Maturity Model

Clearly-expressed risk appetite and tolerance statements help protect organizations against solely pursuing single, narrow goals without considering potential consequences as they pursue rewards for an appropriate level of risk. What is appropriate and acceptable for one organization may be unacceptable to another, as their attitudes toward risk necessarily may range along a continuum from risk taking to risk averse.

Risk attitude is the organization's or individual's view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. For
Exploring Risk Appetite and Risk Tolerance | 4
example, many people who place their money at risk in gambling perceive that the small (quantifiable) average financial loss combined with the qualitative excitement benefit is a net gain. Within large, complex organizations, you may find a wide range of risk attitudes among different business units. While risk appetite and tolerance statements are intended to provide specific guidance, risk attitudes reflect a broader philosophy and approach that is informed by the underlying culture, beliefs and collective comfort level of the individuals within the organization as well as external stakeholders.

Risk attitudes also will vary among individual managers and board members themselves. Research conducted by the Strategic Decision Group consistently reveals that the maximum loss variance may be as little as .01% at a department level and as much as 17% at a corporate and board level, given the same level of expected reward.

On a personal level, you may have a large appetite (some might even have an insatiable appetite) for the possibility of generating several million dollars within your personal financial portfolio, but generally there is a limit on what you can actually tolerate as an investment. What might be some of those constraints? Your income level, the need to pay the mortgage, tuition and taxes are a few that come to mind. How these constraints affect your readiness to bear the risk in order to achieve the multi-million dollar objective plays into your personal risk tolerance. This is not so different from an organizational view.

Defining Acceptable Boundaries

The financial crisis of the late 2000s contained many examples of organizations that either knowingly or unwittingly accepted large amounts of risk in the pursuit of apparent short term gains. These organizations took risks that contributed to severe financial consequences. In hindsight, many of these organizations had not established acceptable boundaries effectively nor defined a well-articulated, properly-communicated and enforced risk appetite. Organizations that did define their risk appetite and risk tolerance apparently did not communicate or enforce the limits across their organizations. Moreover, they had no apparent mechanism to view the impact of the individual risk taking at an enterprise-wide level or as a portfolio. Some did not have the appropriate governance mechanisms to ensure that risk takers were complying with the organization's defined risk appetite and tolerance. Since the financial crisis, a strong interest has developed among board members to increase the risk management discussions at board meetings. Risk appetite, no doubt, should play a key role in those discussions. Ideally, management and board members can agree on the acceptable boundaries for the organization.

Challenges in Calculating and Articulating Risk Appetite and Tolerance

Defining, determining, calculating and articulating both risk appetite and tolerance is challenging. There are many reasons for these challenges:

• There are varying definitions for these terms. Indeed, risk appetite and tolerance often are used interchangeably.

• Risk appetite is described using multiple methods and different calculations (Figure 2). Some organizations take a qualitative approach to risk appetite with categories such as high, moderate or low, while others take a quantitative approach, such as value at risk (with metrics like economic value at risk and/or financial strength at risk) and earnings at risk (with metrics like EPS at risk or amount of loss a company is willing to accept).

• Few detailed examples have been published that articulate risk appetite and tolerance. Organizations that have defined risk appetite and tolerance statements often are sensitive about sharing their methodologies with the larger community.

Figure 2: Common Methods for Expressing Risk Appetite
1. Setting a boundary on a probability and impact grid
2. Economic capital measures/balance sheet-based expressions
3. Changes in credit ratings (headroom before a potential downgrade)
4. Profit and loss measures (e.g., tolerable level of annual loss)
5. Value based measures (based on probability of ruin or default)
6. Limits/targets or thresholds for key indicators (e.g., +/- 5% variation in profit or 1 - 2.5% variation in revenue)
7. Qualitative statements (e.g., zero tolerance for regulatory breaches or loss of life)
Source: Research into the definition and application of the concept of risk appetite. Undertaken by Marsh and University of Nottingham, June 2009

Developing Risk Portfolio Views

Some organizations use specific risk appetite and tolerance statements based on certain categories of risk. Other organizations approach risk statements with overall organizational statements, such as:

• Take risks that the organization can manage in order to optimize returns
• Balance risk and reward against the impact and cost of managing risks for the organization
• Accept potential loss of x% of [EBIT/earnings/donations] for a 50% probability of increasing [EBIT/earnings/donations] by x%
• Avoid risks that negatively impact brand

While these types of statements may provide guidance, they do not consider the impact on the overall risk position for the organization. They also do not address the question as to whether the organization is taking enough risk to sustain itself.
5 | RIMS Executive Report
[Figure 3: The Efficient Frontier. Annotations: Optimal portfolios should lie on this curve (known as the efficient frontier). A portfolio above this curve is impossible. Portfolios below the curve are not efficient, because for the same risk one could achieve greater returns.]

[Figure 4: Applying the Efficient Frontier for Risk Taking. Labels: Efficient Frontier; Zone of possible risk portfolios; High Risk/High Return; Low Risk/Low Return; Current portfolio; A; N; Allocated Equity; Capital rebalancing target.]

[Axis label shown: Risk (volatility)]
Consider how a portfolio risk appetite and tolerance view may be expressed using an efficient frontier lens (Figure 3). Efficient frontier approaches have been used extensively in financial institutions to calculate the optimal risk/reward balance (or ratio) for securities and investments, based on the Modern Portfolio Theory developed by Harry Markowitz in the 1950s. Different combinations of investments produce different levels of return based on the level of risk assumed. The efficient frontier represents the best of these investment combinations, those that produce the maximum expected return for a given level of risk. Such an approach lends itself to situations where risks and rewards are financial in nature.

A number of nonfinancial organizations are beginning to use efficient frontier models to allocate capital in a way that enables the highest return for an acceptable level of risk across the organization (Figure 4). In this illustration, an organization may be willing to assume a greater level of risk and volatility in order to obtain a higher expected return (optimal portfolio) than currently realized from divisions A and B (current portfolio). As such, it reallocates targeted capital to division N along the efficient frontier to rebalance the entire portfolio more efficiently. Obviously, there are many assumptions that underlie this model, but it is based fundamentally on the organization increasing its overall risk appetite to achieve a greater return. This type of approach can help answer the question as to whether management should be taking on more or less risk.

Making Risk and Reward Trade-Offs in Daily Management

Risk appetite and tolerance statements are meaningless if they are not translated and communicated into daily management decisions. Senior executives may go to the trouble of developing risk appetite and tolerance statements that are approved at the board level. These statements may even be cascaded or distributed to operating managers.

How these statements are used for guiding daily risk and reward trade-offs makes all the difference, however. Impact scales can be determined per project, aggregated per operational or business unit and then confirmed at the corporate level. In this way, the risks arising from projects are in compliance with the company's overall risk appetite.

Consider how a manufacturing firm might apply this concept to an operating unit undertaking a new strategic project valued at $100 million in investment. At the outset, management defines the impact and likelihood levels to be considered as noted in the table below:

Impact              Level        Likelihood
50% or $50M         Very High    90%
25% or $25M         High         30%
12.5% or $12.5M     Medium       10%
6.25% or $6.25M     Low          3%
Below $6.25M        Very Low     Below 3%

So using these parameters, how can risk appetite and tolerance statements be translated into daily management?

Management determines at what point a project can be shut down. As the project is valued at $100 million in investment, a loss of 50% of the project value is considered a very high impact. In other cases, the percentage may vary based on type of industry, strategic position on the market, etc. If the likelihood of the $50 million impact is determined to be below 3%, it may be acceptable but not if the likelihood reaches 10%.

Assume the company defines its key risk indicators (KRIs) under various areas that can cause an impact to the project or to the company's operations overall. In this example, the areas are: Strategic, Finance, Legal, Operations, Compliance and Quality. Each area has defined levels of risk that are designed to match the financial impact level on the impact scale above.

For example, a strategic risk may be to lose access to a small regional market. Even though this is viewed as a strategic risk, the company quantifies the risk financially to have an $80 million impact on revenues. Therefore, the risk is considered to have a very high impact as it exceeds the $50 million threshold defined above.
The company may financially quantify different types of risks under the various areas, but may exclude certain risks from the limits set, such as employee safety risks.

The company-specific KRIs are designed by a team of individuals from selected areas. The process is finalized by obtaining the board and senior management's approval of the developed risk levels and identified specific risks. Projects on an individual level and aggregated on a company level can then be monitored for deviations against the expressed risk appetite and tolerances.

Risks that can affect the company's strategic plan or influence the strategic position would be considered through the organization's ERM process, by consolidating and using a simulation method to determine the risk exposure for the entire company.

Attacking Gaps Between Perceived and Actual Risks

Sometimes organizations are overwhelmed with the prospect of dealing with the multitude of risks that can be identified, some of which are perceived and some real. What needs to be taken into consideration to differentiate between perceived risks and actual risks? First, a formal mechanism needs to be established. The next step is to attack the gaps between the risks that matter to the organization's objectives and those that do not.

To determine whether an identified risk actually matters to the organization, ask whether the risk is both relevant and important to achieving the organization's objectives. That is, can the risk either improve or worsen the organization's position? If the answer is no, the risk may be a perceived rather than an actual risk and may be put aside for later consideration as circumstances change. This is not to say that perceived risks are not real risks. Indeed, they may warrant attention one day, so they should not be forgotten.

Four questions then can be asked in relation to the organization's risk appetite for the remaining risks:

1. Is this risk within an acceptable range based on the organization's risk appetite and tolerance levels?

2. If yes, is there a way to exploit this risk in order to create or capture more value for the organization?

3. If not, what is the most the organization would reasonably expend in resources, investments and controls to bring the risk into acceptable boundaries? In order to keep consequences within a tolerable and justifiable level, the organization needs to consider the cost (financial or otherwise) of constraining the risk within acceptable parameters should the uncertain outcome become a reality. Control costs that are out of balance with the organization's overall risk attitude generally are neither efficient nor optimal.

4. What monitoring mechanisms can be used to trigger action if there are deviations from expected outcomes or in advance of crossing risk tolerance targets?

In this way, managers can report on the organization's actual assessed risk as compared to the organization's defined risk appetite and tolerances, whether at a corporate, operational or project level. Management then can execute plans that incorporate activities to reduce unfavorable variations and accelerate favorable variations.

Considering Potential Unintended Consequences

You may have read statements like, "the business has zero appetite (or tolerance) for fraudulent activity" or "the business has zero tolerance for outages beyond x time in duration." Translated into daily management, these statements potentially may result in a manager firing an employee for dishonesty, whether the dishonesty resulted in a $1 or a $1 million loss, or in establishing a fully redundant operations center with capacity to handle all business transactions.

Typically, the potential costs associated with complying with these statements are not considered when they are developed. The employee whose dishonesty resulted in the $1 loss may represent a $100,000 training investment, or be the engineer with the latest technological know-how to advance the organization's core business. Building a fully redundant operations center may be impracticable or the costs may be grossly disproportionate to the disruptive time frame.

That is not to say that zero tolerance statements are unwarranted or unmanageable. It is, however, important to understand the potential implications when adopting or modifying such statements.

Stakeholders and Risk Appetite

Although decisions about risk appetite and risk tolerance levels generally fall to an organization's executive management team and board to shape, ISO Guide 73:2009 notes that stakeholders also have a willingness to bear risk. The internal and external context within which organizations operate can hold a tremendous sway on an organization's approach to its risk appetite and tolerance statements (Figure 5, page 8).

In addition to the strategies and objectives driven by the organization's board and management risk attitudes, its other internal and external stakeholders hold varying attitudes about the level or amount of risk an organization should assume. The varying risk attitudes of these organizations and individuals when compared with the organization's own risk attitude can become problematic if the organization is not clear in its own statements, transparently signaling to its varied stakeholders what can be expected as the organization pursues its objectives.

Understanding the varying risk attitudes of the organization's external and internal stakeholders may influence how the organization balances its risk appetite statements with the expectations of these stakeholders.

Case Studies

This report provides four examples of organizations that have defined or are working toward their risk appetite and tolerance statements. These are presented so that risk practitioners can consider the approaches and techniques that provide the most help within their own organizations. There are three common threads present in each of these examples:

• Understand risk appetites and tolerance. Risk appetite and tolerance statements are created by management and approved by the organizations' boards of directors. The organizations know their key risks in relation to the pursuit of their discrete business objectives. All define risk appetite and tolerance on the basis of a risk-return trade-off decision for key risks. Each realistically understands and estimates the potential change in enterprise value based on the possible downside losses and upside gains based on varying degrees of risk taking.

• Seek a balance between risk and reward. All the organizations seek an appropriate balance between risks being taken for the desired outcomes. The organizations strive to articulate the amount of risk the organization is willing to take, based on each one's unique risk attitude and for a sufficient return. In at least one of the organizations, the formalized review of risk appetite has led it to conclude that it has the capacity to assume even more risk as a competitive advantage.

• Communicate and enforce the application of risk appetite and tolerance. Risk appetite and tolerance levels are communicated and enforced through various means: policy, authority/spending authorization levels, value statements, incentive compensation at different levels of the organization and monitoring reviews.

Case 1: Defining Acceptable Boundaries in Health Care

One non-profit health care organization considers its risk position in terms of boundaries. The combination of risk tolerance and risk appetite represents the organization's "risk position" and demonstrates the degree of established commitment the organization has towards achieving its goal or expected outcomes (Figure 6, page 9).

For this organization, risk tolerance is understood as the degree the organization is comfortably willing to absorb as potential losses in the pursuit of its goals, objectives and expected outcomes. Conversely, risk appetite is the degree the organization is willing to securely invest to exceed such measures. As such, it is important for the organization to pre-establish boundaries and set limits. Risk tolerance and appetite limits are set and act as triggers. This allows the organization room to react and reset a course of action when outcomes fall too far below or ahead of expectations. By monitoring results against the limits, the organization can determine when it begins to trend too quickly towards maximum tolerances (before reaching a "black swan killer") or maximum appetites (when the pursuit of the "golden goose" no longer makes sense given the investment required). These boundaries are preferably set in the aggregate but have been set against individual objectives, as well.

Case 2: Public Risk Appetite Statements Disclosed by a Financial Organization

Consider the risk appetite statements disclosed by a major U.K.-based financial organization in its annual report. For this organization, risk appetite is defined using a combination of qualitative and quantitative statements.
[Figure labels: Risk Position; Tolerance; Appetite]
Risk appetite is the amount and type of risk that [the organization] regards as appropriate for it to accept in order to execute its strategy. The board regularly reviews and sets this in the form of 10 risk appetite statements, which it sets in the context of [the organization's] strategy and the requirements of various stakeholders, including the regulatory framework in which we operate.

The risk appetite statements provide the benchmark against which the company's risk profile is reported, monitored and managed by the board, audit and risk, finance, and risk assurance committees. Risk appetite also forms the basis for the calibration and setting of the delegated authorities and financial limits for all aspects of market, credit, liquidity and operational risk. The 10 risk appetite statements address both quantitative and qualitative aspects of risk taking.

The statements express the organization's risk-taking approach for its internal and external stakeholders. The statements paint a portfolio view of the organization's willingness to bear and pursue risk for an expected return. It represents a collection not only of the risk types related to the business portfolio (qualitative statements) but of its overall enterprise financial appetite (quantitative statements).

What is not clear, looking only at the statements themselves, is how these risks relate to each other within the organization's overall risk portfolio. The public statements of the company do not indicate whether this particular organization uses an efficient frontier model to consider the interrelatedness of its risk/return decisions in a portfolio view. However, it may be safe to assume that at least some portions of its risk portfolio are considered in this way.
Figure 9: Possible University System Risk Appetite and Risk Tolerance Statements

Performance Criteria: Debt Service
  Potential Risk Appetite Statement: The university system is willing to assume x% of its system-wide operational revenues for debt service.
  Potential Risk Target: Derived number based on appetite statement
  Potential Risk Tolerance Statement: No more than x% of the total debt service can apply to any one initiative (or campus or project).
  Potential Metrics or Key Risk Indicators:
    • Debt service-to-operations percentage
    • Allocation of debt service

Performance Criteria: Employee Turnover
  Potential Risk Appetite Statement: The university system accepts an investment of $x per headcount in recruiting and training for new employees.
  Potential Risk Target: Calculated number based on appetite statement
  Potential Risk Tolerance Statement: On a university-wide basis, employee turnover is to be less than x% in any given 90-day period.
  Potential Metrics or Key Risk Indicators:
    • Employee turnover by location or operating unit
    • Deviations from established system-wide tolerance limit
    • Aggregated comparative to potential risk target

Performance Criteria: Cost of Borrowing
  Potential Risk Appetite Statement: The university system is willing to assume credit interest rates of x% for borrowing [a certain dollar amount or percentage of assets] to fund new initiatives.
  Potential Risk Target: Expected cost of borrowing number
  Potential Risk Tolerance Statement: Credit rating may not drop more than one grade from its current level.
  Potential Metrics or Key Risk Indicators:
    • Variations from rating agency expectations
    • Deviations from cost of borrowing assumptions
    • Deviations in amounts
Conclusion

There are certain key elements to keep in mind when establishing your organization's risk appetite and tolerance:

Understand the concepts: Clearly articulating risk appetite and tolerance is key for a well-developed and effective enterprise risk management strategy. Board and top management understanding of the risk appetite and tolerance concepts, as well as how critical their statements are for achieving strategic objectives, is foundational. Without overcoming this initial challenge, proceeding further in attempting to articulate risk appetite and tolerance is destined for failure.

Balance risk and reward: Beyond gaining support for a well-developed understanding of risk appetite, the challenge in articulating an effective risk appetite is in balancing the risk/reward trade-off to provide a sustainable, long-term result. It can be undesirable and costly to attempt to eliminate all risk in an organization or to conversely not set upper limits. If the risk appetite is too low or is never challenged operationally, the potential for reward will likely be low (unless it is a niche market or monopoly). If risk appetite is too high or not understood by the board, management and employees, it can have extremely negative consequences on the company and possibly the industry. There are many examples of this from the recent financial crisis. Financial organizations that set their tolerances and appetites pre-2008 found a few soft spots in their evaluation of how much appetite and capacity they truly had and how much they needed to modify their risk appetite based on unanticipated risks or due to model risk.

Use for more than financial measures: Financial results are generally the most common components in risk appetite and tolerance. They are easiest to quantify and most areas eventually boil down to a financial result. Financial metrics are an important component of risk appetite, but risk appetite needs to be expressed beyond just financial performance metrics. Whether the stated appetites and tolerance further the organization's strategic objectives is more critical than just financial metrics.

Leverage positive aspects for taking risk: Risk can lead to both positive and negative results. Therefore, risk appetite should not be looked at simply through a negative lens. Taking too little risk may have undesirable consequences. There should be a positive orientation to the discussion where questions such as "what risks can provide us with the most value?" should be asked.

Evolve risk position over time: Defining and articulating risk appetite and tolerance will provide little value unless the position is updated, regularly monitored and has a control system to flag when someone is operating outside of the defined risk tolerance. Risk appetite and risk tolerance must adapt to an organization's ever-changing risk environment. It is important to continue to refine tolerance and appetite statements over time to stay in sync with an organization's evolution. The company's strategy and its risk appetite and risk tolerance work hand in hand and influence each other. They should be designed and changed together.

Communicate risk appetite and tolerance: Finally, organizations that have developed risk appetite statements may not have communicated this well to stakeholders. Without proper communication of risk appetite levels, organizations cannot expect that employees are consistently making decisions that are aligned to an organization's risk appetite. The challenge is compounded by the fact that the organization may wish to keep some of the risk appetite measures confidential from public view.

Well-defined and well-thought-out risk appetite and tolerance practices:

• Encourage organizations to take measured risks in order to generate value and avoid intolerable losses.
• Align stakeholders (e.g., the board, senior management, shareholders) on the amount and type of risk the organization is willing to take.
• Create awareness about, and actions to prevent, excessive levels of risk that could lead to adverse consequences.
Copyright 2012 Risk and Insurance Management Society, Inc. All rights reserved.