Taking on risk is an accepted component of doing business. Most businesses proactively strive to reduce risk and minimize its potential impact through risk management. It’s true that some risks are necessary and can drive positive business outcomes; however, others can lead to negative impacts such as accidents, legal exposure, financial uncertainty, operational errors or poor strategic decisions. While not all risks are avoidable, organizations do have control over the scale and scope of the risks they take.
Risk appetite and risk tolerance are often used interchangeably, creating confusion and misunderstanding.
This post will help you understand both concepts so that you can integrate them into your framework.
The Institute of Internal Auditors (IIA) states that risk appetite and risk tolerance set boundaries for how much risk an entity is prepared to accept; however, there is a marked difference between the two.
ISO 31000 defines risk appetite as “the amount and type of risk that an organization is prepared to pursue, retain or take.”
ISO Guide 73:2009 Risk Management defines risk appetite as the “amount and type of risk that an organization is willing to pursue or retain.”
PwC defines risk appetite as “an articulation of the tolerance levels for risk, that an enterprise is prepared to accept in the execution of its strategic and business objectives.”
Put simply, risk appetite is a high-level general statement that broadly sets out the risk that is acceptable while pursuing business objectives, before any action is taken to reduce that risk.
Risk appetite depends on many factors, such as industry, culture, competitors, the nature of the objectives being pursued (how aggressive they are) and the financial strength and capabilities of the organization (better-resourced businesses may be more inclined to accept risks and the associated costs). Furthermore, risk appetite is not static and changes over time. Best practice dictates that risks should be assessed against risk criteria periodically or continuously (once or twice annually, or daily in specific risk scenarios), depending on the circumstances, available resources, skills, technologies or systems.
An enterprise-wide risk appetite statement is a powerful tool that gives your risk or compliance program direction. However, like any policy, risk appetite without associated action is nothing more than an idea.
There are not many definitions of risk tolerance, however, according to COSO’s “Strengthening Enterprise Risk Management for Strategic Advantage”, risk tolerance “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve”.
Risk tolerance is the specific maximum risk that a company is willing to take for a given type of risk. Risk tolerance defines the limits within which the organization operates, given its overall risk appetite. Consideration must be given to the various risk categories, including legal, operational, financial, third-party, information security, compliance, credit and reputational risk, and acceptable parameters must be set for each. Risk tolerance can be expressed through different metrics, reflecting the unique nature of each risk. Metrics such as KPI limits, acceptable loss, credit ratings, probabilities, qualitative measures or balance sheet ratios can help measure, communicate and guide daily decision making.
A higher risk tolerance indicates that a business is willing to take on more risk, whereas a low risk tolerance indicates that it isn’t willing to accept many risks.
Several factors affect an organization’s risk tolerance; for example, a company may be willing to take more risk on a critical project but not on a project that is less important.
When a business operates outside its risk tolerance bounds, it can put its risk management strategy, its goals and objectives, or both at risk, and possibly even jeopardize the whole company.
The FAIR Institute, a non-profit organization that aims to advance the discipline of measuring and managing information risk, uses the highway speed analogy described in the following paragraphs to differentiate between risk appetite and risk tolerance.
The department for transportation or other highways authority sets a speed limit which can be considered the risk appetite and indicates the authorities’ belief regarding an appropriate balance between traffic flow, highway and environmental wear-and-tear, and public safety (among other things).
Highway users will drive at varying speeds, higher or lower than the limit rather than at exactly the speed limit. Risk tolerance is the point at which traffic enforcement actually starts ticketing violators.
Provided weather and other conditions are normal, traffic authorities rarely enforce the speed exactly at the limit. Therefore, risk appetite is akin to a line drawn in the sand that helps to set expectations, while risk tolerance is analogous to the variance from that appetite that drives day-to-day decisions to operate differently in some fashion.
Risk appetite and risk tolerance combine to define a company’s risk posture. Risk posture is an organization’s overarching approach to risk management and a reflection of how embedded risk management is in its culture, strategy and corporate governance. Companies with a strong risk posture are better able to take meaningful risks within the bounds of their strategic and operating objectives.
A strong risk posture is driven from the top down, requiring senior executive focus and board support to ensure accurate risk reporting, proactive management, and a consistent approach. This effort must be underpinned by an independent risk function, the use of a risk management platform to identify, analyze, and measure risk, and a determined, risk-based approach to decision making.
Residual risk is defined as the threat a risk poses after considering the current mitigation activities in place to address it and is an important metric for gauging overall risk appetite.
Integrated Risk Framework
The aim of risk management, especially enterprise risk management, is to communicate to leadership and all stakeholders within the organization the information they need to make informed business decisions based on an executive-approved risk appetite statement. A company-wide risk appetite statement can be used to give direction to the company’s risk or compliance program.
A risk appetite framework guides decision-makers to be cognizant of the risk and acknowledge the risk exposure implied with their chosen course of action or strategy. For a risk appetite framework to be effective, an organization must implement an agreed risk measurement and risk scoring methodology, as well as a common risk taxonomy that is consistently understood and applied throughout the organization.
For example, a company may choose to appoint third-party vendors for specific services, trading off some level of third-party risk in exchange for the expertise, value, and flexibility a third party brings. In this example, the organization is consciously deciding to take a level of risk that is within its specified level of tolerance, harmonious with its strategic and organizational objectives, and, when all categories of risk are aggregated, in line with its risk appetite.
A well-articulated integrated risk framework helps businesses proactively decide how much risk to take while adhering to their overall business and operating strategy. The acceptable level of trade-off is captured through an integrated risk management framework with a well-defined risk calculation and aggregation methodology, adherence to agreed risk tolerances, and a dynamic risk reporting solution. Organizations with a strong risk posture tend to integrate risk management into their strategic positioning and daily activities, embedding informed risk-taking as part of their culture.
Developing a risk appetite, making it relevant on a day-to-day basis and enforcing it is a challenge. In order to link risk appetite to business decisions, it is paramount to collect the pertinent metrics to measure it. Being aware of residual risk and operating within a risk tolerance gives executives greater assurance that the organization remains within its risk appetite, and thus a higher level of comfort that the business will achieve its strategic objectives.
Best-practice definitions of risk appetite and risk tolerance ensure that risk tolerances are specific to an organization’s individual goals and have actionable parameters.
In Maclear’s integrated risk management solution, every risk pillar is given a risk tolerance, or a range acceptable to the organization. This range can be measured by monitoring the residual risk.
The risk management oversight committee is tasked by the board of directors to set a risk tolerance range for minimum and maximum levels of residual risk. Business process owners in turn are tasked to monitor and adjust mitigation activities, procedures, or controls to keep the residual risk within the identified risk tolerance.
Setting enterprise risk tolerances is an iterative calibration exercise: you need to collect several risk assessments for areas known to have high and low risk, always comparing residual risk with the acceptable levels.
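The following is an added illustration, not Maclear’s code, of the mechanism described above: each risk pillar carries a residual-risk tolerance range set by the oversight committee, process owners are flagged when residual risk drifts outside it, and the pillars are aggregated against the enterprise appetite. The residual-risk formula (inherent risk reduced by control effectiveness), the weights and the sample scores are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Pillar:
    name: str
    inherent: float               # inherent risk score 0..100 (constructed sample value)
    control_effectiveness: float  # 0.0..1.0, share of inherent risk the controls remove
    tolerance: tuple              # (min, max) residual risk accepted by the oversight committee

    def residual(self) -> float:
        # Assumed model: residual risk = inherent risk x (1 - control effectiveness)
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)

    def status(self) -> str:
        # Tells the business process owner whether mitigation needs adjusting
        low, high = self.tolerance
        r = self.residual()
        if r > high:
            return "ABOVE_TOLERANCE"   # strengthen controls or procedures
        if r < low:
            return "BELOW_TOLERANCE"   # possibly over-controlled; review the cost
        return "WITHIN_TOLERANCE"


def enterprise_residual(pillars, weights) -> float:
    # Weighted aggregation across risk categories (weighting scheme is an assumption)
    total_weight = sum(weights[p.name] for p in pillars)
    return round(sum(p.residual() * weights[p.name] for p in pillars) / total_weight, 2)


def evaluate(pillars, weights, appetite_max: float) -> dict:
    # Per-pillar tolerance check plus the aggregate appetite check
    report = {p.name: (p.residual(), p.status()) for p in pillars}
    aggregate = enterprise_residual(pillars, weights)
    verdict = "WITHIN_APPETITE" if aggregate <= appetite_max else "EXCEEDS_APPETITE"
    report["enterprise"] = (aggregate, verdict)
    return report


# Constructed sample assessment: three pillars sharing one tolerance band
SAMPLE_PILLARS = [
    Pillar("information_security", 80, 0.70, (10, 30)),
    Pillar("third_party", 60, 0.40, (10, 30)),
    Pillar("compliance", 50, 0.90, (10, 30)),
]
SAMPLE_WEIGHTS = {"information_security": 0.5, "third_party": 0.3, "compliance": 0.2}
APPETITE_MAX = 30.0

if __name__ == "__main__":
    for name, (score, status) in evaluate(SAMPLE_PILLARS, SAMPLE_WEIGHTS, APPETITE_MAX).items():
        print(f"{name:22s} residual={score:6.2f} {status}")
```

Note that the sample shows a case where one pillar breaches its tolerance while the enterprise aggregate still sits within appetite, which is exactly the gap the per-pillar monitoring is meant to surface.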
Standardized risk assessment templates and intuitive dashboards enable risk managers to collect the pertinent information to implement appropriate risk appetite and risk tolerance at both an individual business process and enterprise level.
In conclusion, risk appetite is the general level of risk a business accepts while pursuing its objectives before it decides to take any action to reduce that risk. Risk tolerance, on the other hand, is the acceptable level of variation around objectives.
If your organization is interested in Maclear’s Integrated Risk Management solution, we invite you to explore the Maclear GRC Suite™ by visiting https://www.maclearglobal.com. Our comprehensive range of solutions is designed using best practices with built-in integration to reduce risk, improve performance, and enable strategic decision-making.
To learn more, request a demo, discuss a free trial proof of value or simply start a conversation, drop an email to firstname.lastname@example.org.