Risk appetite and risk tolerance
More important still, is our over-riding sense that any approach has to be (i) theoretically sound (but that can quickly disappear into the background); (ii) practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes; and (iii) something that will make a difference: we suspect that in the early days particularly, a successful approach to reviewing Risk Appetite and Risk Tolerance in the board room will necessarily lead to some tensions. In other words we think that it should make a difference to the decisions that are made, otherwise it does diminish into a mere tick-box activity – and nobody needs any more of those in the board room. Consequently, the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is definitively not a one-size-fits-all approach.
There were four overriding principles in developing our approach:
- Excessive simplicity, while superficially attractive, could lead to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.
- Risk appetite needs to be a measurable concept. We are promoting an approach of shareholder value at a strategic level, but other approaches could equally be valid. Underlying the shareholder value, we anticipate more use of key risk indicators and key control indicators based on data available inside or from outside the organisation.
- There will be a range of appetites for different risks and these will vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.
- As discussed below, risk management maturity.
In essence what we are recommending is that an organisation’s approach to risk appetite and risk tolerance should:
- Be developed in the context of their risk management maturity. This might sound odd to some people, but risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.
- Take into account differing views at a strategic, tactical and operational level. In other words, while the Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.
- Not be done in isolation of understanding the control culture of the organisation. This model explores this by looking at both the “propensity to take risk” and the “propensity to exercise control”. The model promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.
- The approach envisaged by this risk appetite model suggests that it is important for
organisations to identify measures of risk appetite. Otherwise there is a risk that any
statements become empty and vacuous.
We think that this dual focus on taking risk and exercising control is innovative but critical to a proper understanding of risk appetite and risk tolerance. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution though, we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as the traditional heartland of many risk management programmes, which is the avoidance of harm.
In our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with external and internal stakeholders, with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally, it includes a review process at the end of the cycle so that appropriate lessons can be learned.
We have also included a brief section on the role of the board or risk committee: we are suggesting that the board should retain governance over the model at four key points:
- Approval: as discussed in the development of the risk appetite statement;
- Measurement: there needs to be regular and consistent measurement against the model and demonstration that the model is used in real life;
- Monitoring: the board will need to deal with breaches of the appetite, or tensions that arise from its implementation. If there are no breaches and no tensions then the likelihood is that it has not been properly developed.
- Learn: as discussed in the development section, the board needs to ensure that the organisation learns from the implementation of the risk appetite model so that it becomes more embedded into the organisation.
All of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time as, for example, the economy shifts from boom to bust, or as cash reserves fall. In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, would certainly indicate a need for an organisation to re-appraise its risk appetite.
It is our belief that the development of risk appetite as a useful construct in the governance and management of organisations will evolve over time. However there are a number of issues that we think are worth keeping in mind. In particular, risk appetite:
- Is as much about “enabling” risk taking as “constraining” adverse risks;
- Is a management tool as well as a governance requirement;
- Requires active “stakeholder” engagement;
- Needs to be built into “business as usual” processes;
- Should be approved by the board (or non-executive board risk committee)
- Has to be actively monitored by management
- Has to be reviewed regularly by the board; and
- Needs measurement tools and techniques.
But equally there are some substantial benefits. Risk appetite can help in:
- Safeguarding the organisation;
- Creating a framework for better decision making;
- Identifying issues at an early stage (allowing more wriggle room to deal with risks);
- Provide a framework for reducing surprises;
- Developing a model for structured thinking;
- Facilitating better achievement of long term objectives while respecting stakeholder views; and
- Bringing sense to the risk process.
Within IRM it is our intention to work with companies, boards, risk professionals, regulators and others to develop the thinking around risk appetite. For us the immediate next steps include:
- Developing a consensus as to what risk appetite means: this booklet is just a first step in the discussion;
- Working with interested parties to develop appropriate mechanisms for measurement, including understanding:
- The data sources that will be needed;
- The impact on operational frameworks; and
- The new data architecture and data governance models that will be required;
- The communications campaign that will include addressing the needs of boards and individual
Finally, we set out below the questions that we think that boards will want to answer as they develop
their approaches to risk appetite:
- Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
- What are the strategic objectives? Are they clear? What is explicit and what is implicit in those objectives?
- What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
- What steps has the board taken to ensure oversight over the management of the risks?
- Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
- How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?
- What specific factors should the risk appetite take into account in terms of the business context? Risk processes? Risk systems? Risk management maturity?
- At which levels would it be appropriate for the board to consider risk appetite?
- What are the main features of the organisations risk culture in terms of tone at the top?Governance? Competency? Decision making?
- How much does the organisation spend on risk management each year? How much does it need to spend? What are the business, regulatory or other factors that will influence the relative importance of the organisation’s propensity to take risk and its propensity to exercise control at strategic, tactical and operational levels?
- Does the organisation employ helpful risk taxonomies that facilitate the identification and responsibility for managing risk as well as providing insight on how to manage risks?
- Does the organisation understand clearly why and how it engages with risks?
- Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
- Does the organisation have a framework for responding to risks?
- What approach has the organisation taken to measuring and quantifying risks?
- Has the organisation followed a robust approach to developing a risk appetite?
- Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
- Is the risk appetite tailored and proportionate to the organisation?
- Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
- What is the evidence that the organisation has implemented the risk appetite effectively?
- Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
- To what extent did the board identify tensions arising from the implementation of the risk appetite?
- How much resource has it taken to develop and implement risk appetite? Was this level of resource appropriate? Does it need to be amended going forward?
- What needs to change for next time round?
- Does the organisation have sufficient and appropriate resources and systems?
- What difference did the process make and how would we like it to have an impact next time round?