What is “risk appetite”? While there are many definitions, the University of California provides a very straightforward explanation:
“Risk appetite is the total amount of risk, in broad terms that an organization is willing to accept in the pursuit of value.”
If there is not clear understanding from all levels of an organization as to how much risk the organization is willing to take in pursuit of value, attempting to incorporate risk management practices into strategic planning will be difficult. In addition, daily business decision making may be frustrating or time-consuming to reach consensus. Stakeholders within the organization need to agree on the type and amount of assumed risk. Risk appetite is an overarching philosophy that can be distilled into a written statement to serve as the foundation for the development of risk management goals and plans.
An organization’s “risk tolerance” works in tandem with risk appetite, adding a number of quantitative and qualitative metrics as boundaries. For quantitative measures, financial performance indicators are a good tool (not losing X% in operating capital for example). And qualitative measures such as reputation, employee safety, and regulatory requirements are also good tools. While qualitative measures are not evaluated by numbers, they offer another aspect to determining tolerance. Setting quantitative measures will require some discussion to establish agreed parameters. For an inclusive measure of tolerance, metrics should include a blend of both qualitative and quantitative measures.
Why is understanding risk appetite and tolerance important when all you want to do is manage that which can potentially affect you from reaching your goals? The 2012 RIMS Executive Report, Exploring Risk Appetite and Risk Tolerance, authors provided a number of benefits for an organization having a defined and measurable risk appetite and tolerance:
1. It encourages an organization to take measured risks in order to generate value and avoid intolerable losses.
2. Aligns stakeholders on the amount and type of risk the organization is willing to take.
3. Creates awareness about and actions to prevent, excessive levels of risk that could lead to adverse consequences.
From my experience, the process of developing a risk appetite and tolerance statement is almost as important as the statement itself because it brings together different stakeholders within the organization who each look at risk through a different lens. This exercise can make future work on strategic goals or tactical decisions easier since the participants were able to contribute to the development and foundation of the risk management program.
What does a risk appetite/risk tolerance statement look like? Here are a couple of statements provided in the 2016 RIMS Executive Report: The Steps to Successful Risk Taking.
Appetite: “Our organization operates in a highly competitive market. To compete we must adopt a higher risk appetite related to product development and partnerships.”
Tolerance: “We will not accept a risk in a new business line that will reduce our operating earnings by more than X% over the next ten years.”
Appetite: “We will not enter markets that create a substantial risk to the brand. Cost of entry, legal considerations, and risk of loss with an ROI premium will be assessed prior to market entry. We will ensure the distribution network as a whole remains profitable.”
Tolerance: “New subsidiaries achieve break even within X years and the distributor network is profitable (net profit before tax).”
Risk appetite and risk tolerance are concepts that are the foundation of a good risk management program. Of course, every organization, its operations, and team are different, so these examples are meant to help you start thinking about how your firm approaches risk. Do you have a sense of your firm’s appetite and tolerance? Is it memorialized it in writing?
Until next time, stay safe and be kind to one another.