Implementing effective risk appetite and tolerance levels

Risk appetite and tolerance levels form part of the architecture of every organisation’s Enterprise Risk Management (ERM) systems and processes. For an ERM foundation to stand the test of scrutiny, to be robust and to add value to the business, it must include effective risk appetite and tolerance levels, either as part of the organisation’s overarching ERM strategy or ERM framework, or separately as a standalone framework on risk appetite and tolerance. A best practice approach to implementing risk appetite and tolerance levels is to have a standalone framework for these elements. This approach is acceptable to all stakeholders at large, as it avoids confusion and ambiguity. Deciding how much risk to accept or tolerate is the key to effective risk management.

Definitions of Risk appetite and tolerance

According to the Institute of Internal Auditors (IIA), “risk appetite” and “risk tolerance” both set boundaries for the degree of risk an organisation is prepared to accept. There are, however, a few important differences between the two terms.

ISO 31000 defines risk appetite as the amount and type of risk an organisation is prepared to pursue, retain or take. It is also essentially defined as how an organisation views risk and reward: what amount or type of risk is or is not worth taking, or what management deems acceptable in an organisation’s daily activities. Before an organisation can manage risk, the risk appetite must be determined, as it relates to a company’s longer-term strategy of what it wants to achieve and the allocation of resources to achieve those goals. When developing a risk appetite framework that is tailored to the organisation, the internal and external context of the organisation must be taken into consideration. This context, which can range from company culture to competitors to financial capabilities, can change over time, which makes the establishment of risk appetite an ongoing process. When an organisation has a high risk appetite, it has determined that taking risks with higher uncertainty is worth the potentially higher benefit. A low risk appetite organisation finds the best option is to be averse to risk in order to avoid potential consequences.

Risk tolerance, on the other hand, is the level of risk an organisation is willing to take on in terms of individual risks, thus defining boundaries within specific areas of risk for the entity. Risk tolerance is important because each risk is unique in nature. In comparison to risk appetite, risk tolerance is more precise. It sets the acceptable level of variation from performance goals intended to achieve strategic objectives. Put another way, risk tolerance is the aggregate degree of variance from the risk appetite that the organisation is willing to tolerate as it drives day-to-day strategic decisions.

Implementing effective risk appetite and tolerance levels

Risk appetite and tolerance levels provide the consistent language, policies, processes, systems and tools used to establish, communicate and monitor the organisation’s risk appetite and tolerance levels. In developing these, the organisation must ensure that all the elements below are included for them to be effective and add value to the organisation:

  • Determine the risk bearing capacity

According to the Committee of Sponsoring Organisations (COSO), risk capacity is the maximum amount of risk an entity can absorb in the pursuit of strategy and business objectives. Risk bearing capacity can also be defined as the total risk an organisation needs to take to accomplish its long-term and short-term goals. The organisation’s risk bearing capacity is determined by a combination of factors, including company finances, risk experience and overall risk tolerance. It should be noted that risk bearing capacity is different from risk tolerance. Risk tolerance is the level of risk the organisation is willing to take to achieve specific goals, while risk bearing capacity is the risk the organisation needs to take to meet its objectives. Finding the right balance between risk bearing capacity and risk tolerance is critical, as it will assist with meeting organisational and financial goals without subjecting the company to unnecessary threats.

  • Determine risk categories

Risk categories are the classification of risks according to the various activities of an organisation or business. The risk categorisation process involves grouping risks of one nature separately from those of another, to provide an easy way of determining where the most significant risks lie. The risk categories are classified according to the various activities of the organisation, for example strategic, operational, financial, technology, environmental, external/market, reputation, legal and regulatory, people and culture, etc.

  • Determine risk appetite levels and statements

For each of the risk categories, a risk appetite statement must be developed which sets out the inherent constraints that must be considered when deciding how much risk to assume, and which risks the organisation is committed to taking in order to achieve its strategic objectives. A risk appetite statement explains the organisation’s risk decisions, helps an organisation better manage and understand its risk exposure, and enables executives to make more informed decisions based on a more complete risk profile. An organisation-wide risk appetite statement gives direction to the organisation’s risk culture, including its compliance programme, as it expresses the corporate attitude toward risk in qualitative or quantitative metrics (or both).

  • Formulate and formalise risk consequences

At least annually, the organisation will set limits to determine the levels of risk it is able to tolerate in pursuit of its objectives/value drivers. The organisation will consider its risk appetite along with its tolerance limits, because the higher the appetite in a specific area, the higher the tolerance limits/impact, and vice versa.

  • Identify key risk indicators

Key risk indicators need to be determined and linked to the risks they relate to. Key risk indicators (KRIs) are measures that provide insight into potential events. They can simply be described as an early warning signal. A risk indicator acts as a proxy for risk exposure. A change in the value of a risk indicator signals a change in probability and/or impact. In this regard, risk indicators may relate to the causes or effects of operational risk events.

  • Determine tolerance levels for each key risk indicator

The risk tolerance levels/limits set the boundaries for assessing risks and provide the organisation with indicators that related risks may be increasing. The tolerance limits for each key risk indicator set the acceptable minimum and maximum variation levels for a specific risk or risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organisation’s risk management strategy and is then approved by leadership. High risk tolerance means that an organisation is willing to take a great deal of risk, while low risk tolerance means the company is not. An organisation that operates outside its risk tolerance limits can jeopardise the achievement of its objectives and even the whole enterprise itself.

  • Develop a dashboard for regular tracking of key risk indicators

A dashboard is a graphical presentation of the organisation’s key risk measures (often against their respective tolerance levels), typically used in reports to senior management. The parameters for determining the risk appetite and risk tolerance levels must be based on the consequence types and shown in a consolidated format in the dashboard.

  • Determine the impact of key risk indicators on the residual risk rating and escalation

Key risk indicators are used to determine or influence the risk rating (i.e. to influence either the probability of the risk occurring, or its impact should it occur). Key risk indicators give a historical and current view/status of the risk but do not provide a future view. Therefore, other considerations should be applied to determine the residual risk rating.

Conclusion

To measure the effectiveness of your organisation’s risk appetite and tolerance levels, one must gauge whether they align with the organisation’s strategic objectives, risk profile and risk management capabilities. Risk appetite and tolerance levels are a fundamental part of the ERM programme and an essential tool for any organisation that strives to pursue its business strategy while managing all its significant risks to an acceptable level. For the board, executives, management and all employees, the risk appetite and tolerance levels address the key question: “How much risk are we allowed and willing to accept in pursuit of our organisational business objectives?”

Boitumelo Choche

Senior Manager: Governance, Risk & Compliance, Johannesburg