How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as clarify is “risk appetite’. What does it mean, and how does it differ from risk tolerance?
Let’s look first at the COSO ERM Framework. It defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” In their Strengthening Enterprise Risk Management for Strategic Advantage, COSO says:
“An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broadbased description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”
“So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”
Does this work? To a degree, perhaps. The way I look at it, risk appetite or tolerance are devices I use to determine whether the risk level is acceptable or not. I want to make sure I take enough, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.
In other words, these are risk criteria: criteria for assessing whether the risk level is OK or not. Before progressing to see how ISO 31000 tackles the topic, I want to stop and see what one of the major auditing/consulting organizations has to say.
Ernst & Young has an interesting perspective, which they explain in Risk Appetite: the strategic balancing act. In the referenced PDF version, they include definitions of multiple terms:
- Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives.
- Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.
- Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.
- Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal.
- Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.
There are similarities to the COSO ERM definitions, with both using appetite for the organization’s overall acceptable level of risk, and toleranceto describe risk at a lower, more granular level. Personally, I find the EY examples and usage a little better than the COSO one – the idea of a variance from objectives is not appealing and I am not confident it is very practical.
Coming back to the idea of risk criteria. One common practice is for risk managers (and consultants, vendors, etc) to talk about risk as being high, medium, low, etc; another is to quantify it in some way, often in monetary terms. (Just think of a typical heat map.) But, just because a risk is considered “high” doesn’t necessarily mean that it is too high. Similarly, just because a risk is “low” doesn’t mean that the risk level is desirable.
Think about somebody in one of the Libyan cities being shelled this week. They are considering whether to stay or leave the city, and then whether to go to family in Tripoli or try to get across the border into Egypt. All of the options, including doing nothing, are high risk – but they need to take one.
Maybe that is an extreme example. COSO talks about balancing risk and reward, and the notion that you need to take risks – even high ones – in order to obtain rewards. An example of this could be a decision to enter a new market. The risks may be high, but the rewards justify taking them.
Exploring that example a little more, there may be several options for entering the market: slowly dipping the toe in, going full blast, or partnering with a company that already has a major presence. If you just look at the level of risk without considering the rewards that can be obtained from each option, you may make a poor decision.
Where am I going? To assess whether a risk level is acceptable or not, it is not enough to say it is high, medium, $5 million, etc. You have to say whether it is acceptable given the potential rewards by reference to your risk criteria. This is where, for me, appetite and tolerance play – and risk target, as explained by EY.
So, to ISO. Here are a few definitions from ISO Guide 73, Risk Management – Vocabulary.
- Risk attitude: organization’s approach to assess and eventually pursue, retain, take or turn away from risk
- Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
- Risk criteria: terms of reference against which the significance of a risk is evaluated
- Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Risk appetite: amount and type of risk that an organization is willing to pursue or retain
- Risk tolerance: organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives
It is worth noting that the ISO 31000:2009 standard doesn’t use all these terms. Rather than getting into a detailed discussion around risk appetite and tolerance, the standard says you should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment.
Frankly, I would prefer more detailed guidance on this, as the decision on how much risk to take is the key to effective risk management. But, we will have to wait for more practical guidance from ISO and its national organizations.
Here’s my view. I like and use the ISO definitions (from Publication 73) I listed above. Companies have to take risk to make a profit, or deliver value to their stakeholders. They level of risk they pursue is their appetite for risk. But they may be able to tolerate, or absorb, a different level of risk without significant pain and impact on achieving their strategic objectives. This istheir tolerance.
A colleague with IIA Canada, Eric Lavoie, shared with me a model he has used with one of his financial services clients. In it, risk appetite is represented by a range. When risk levels fall outside that range (either above or below), performance is sub-optimal. When risk levels exceed the organization’s risk tolerance, it becomes more critical to take action.
So, what is your opinion? What do these terms mean in your language?