Here, Norman Marks, retired CRO and CCO and thought leader in internal audit, risk management and governance, recalls his earlier descriptions of risk appetite and tolerance and why both are essential for a successful enterprise, and shares some choice quotes from risk professionals on their take on risk appetite.
Norman's first discussion on risk appetite (2011)
How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as clarify is “risk appetite”. What does it mean, and how does it differ from risk tolerance?
Let’s look first at the COSO ERM Framework. It defined risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” In their Strengthening Enterprise Risk Management for Strategic Advantage, COSO said:
“An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”
“So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”
Does this work? To a degree, perhaps. The way I look at it, risk appetite and risk tolerance are devices I use to determine whether the risk level is acceptable or not. I want to make sure I take enough risk, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.
In other words, these are risk criteria: criteria for assessing whether the risk level is OK or not.
Before progressing to see how ISO 31000 tackled the topic, I want to stop and see what one of the major auditing/consulting organizations had to say.
Ernst & Young had an interesting perspective, which they explain in Risk Appetite: the strategic balancing act. In the referenced PDF version, they included definitions of multiple terms:
- Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives
- Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives
- Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk
- Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal
- Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action
Coming back to the idea of risk criteria: one common practice is for risk managers (and consultants, vendors, etc.) to talk about risk as being high, medium, low, etc.; another is to quantify it in some way, often in monetary terms. (Just think of a typical heat map.) But, just because a risk is considered “high” doesn’t necessarily mean that it is too high. Similarly, just because a risk is “low” doesn’t mean that the risk level is desirable.
COSO talks about balancing risk and reward, and the notion that you need to take risks – even high ones – in order to obtain rewards. An example of this could be a decision to enter a new market. The risks may be high, but the rewards justify taking them.
Exploring that example a little more, there may be several options for entering the market: slowly dipping the toe in, going full blast, or partnering with a company that already has a major presence. If you just look at the level of risk without considering the rewards that can be obtained from each option, you may make a poor decision.
Where am I going? To assess whether a risk level is acceptable or not, it is not enough to say it is high, medium, $5 million, etc. You have to say whether it is acceptable given the potential rewards, by reference to your risk criteria. This is where, for me, appetite and tolerance come into play – along with risk target, as explained by EY.
So, to ISO. Here are a few definitions from ISO Guide 73, Risk Management – Vocabulary.
- Risk attitude: organization’s approach to assess and eventually pursue, retain, take or turn away from risk
- Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
- Risk criteria: terms of reference against which the significance of a risk is evaluated
- Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Risk appetite: amount and type of risk that an organization is willing to pursue or retain
- Risk tolerance: organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives
Risk appetite is represented by a range. When risk levels fall outside that range, performance is sub-optimal. When risk levels exceed the organization’s risk tolerance, it becomes more critical to take action.
Norman's latest remarks on risk appetite (2018)
These days, I talk about the need for people to make intelligent and informed decisions, because that is where risk is taken. Top management and the board need a reasonable level of assurance that important decisions are both intelligent and informed.
With this, I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk. The key is to make informed and intelligent decisions that take the right level of the right risk, where it is justified on business and other grounds. Decision-makers need guidance so that they know that what they are doing (taking risk) is consistent with the desires of top management and the board. You may call that risk appetite (I prefer not to) or risk criteria, but often it is covered by policies such as investment guidelines, hedging policies, delegations of authority, and stop-loss limits.
Recently, I asked a group of highly respected (at least by me) risk practitioners and thought leaders a question about risk appetite and a highly spirited debate ensued!
Now some might expect there would be a general sense of agreement that the concept and practice of establishing and using a risk appetite statement is sound – that it has value. After all, it is promoted by COSO and almost every regulator and governance code.
In fact, there was general agreement (with a few dissenting) that the concept of risk appetite is flawed and its value in practice is limited, but it cannot be ignored: the regulators and others (rightly or wrongly) insist on it – at least for financial services organizations.
Here are a few (anonymous) quotes:
"Despite being a request from some (US) regulators, it does not make sense to ‘calculate’ an organization’s ‘appetite’."
"The whole point is that directors and the CEO need a meeting of the minds as to the boundaries within which to operate over time. My experience is the board-management risk appetite dialogue is the important thing. The statement itself can be very simple so long as it reflects the dialogue. I agree that financial institutions have been dragged into doing risk appetite statements. But progress is being made in making them useful."
"Whether anyone here likes it or not, the concept of risk appetite is firmly established in the arsenal of the international banking regulatory community. So we can simply pooh-pooh it, or we can try to make some sense of it. In the context of the Bank of England, the PRA and FMID regulators, they are particularly interested in systemic risk and the extent to which any individual player could exacerbate systemic risk for the economy as a whole. That is why they want to understand each institution’s risk appetite. So while we may dislike the phrase “risk appetite”, just as we may dislike the phrase “risk management”, it is incumbent on risk leaders to help both regulators and firms to make some sense out of this Risk Management thing that we are all grappling with, and which, despite the assertion to the contrary of some in this group, continues to evolve."
This article was originally published as two articles on Norman's blog, Norman Marks on Governance, Risk Management and Audit.
You can connect with Norman on his Twitter: @normanmarks