Posted on October 27, 2012 by

Risk Appetite and Risk Tolerance

Risk Appetite and Risk Tolerance have been topics of much debate and discussion recently, particularly since the credit crunch and the subsequent changes in regulation and legislation, including the 2010 update of the UK Corporate Governance Code, which brought more focus to risk appetite. Professional bodies have also been providing guidance on the definition and application of Risk Appetite and Risk Tolerance; however, there are still differing views on the definitions and on the relationship between Appetite and Tolerance.

In this post we set out what we mean by Risk Appetite and Risk Tolerance, the relationship between these two concepts, and how we embed them in the Risk-Based Performance Management methodology. First, though, we review some recent best-practice guidance and thought-leadership papers to give background on the differences in definition and approach.

Firstly, let us look at how the COSO organisation thinks about Risk Appetite and Risk Tolerance. In a recent thought-leadership paper, Thought Leadership in Understanding and Communicating Risk Appetite, they provide the following:

Risk Appetite is the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value. Each organisation pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

Risk Tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.

  • Risk tolerance relates to risk appetite but differs in one fundamental way: risk tolerance represents the application of risk appetite to specific objectives. Risk tolerance is defined as: The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
  • In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.
  • While risk appetite is broad, risk tolerance is tactical and operational.

Next, let us consider ISO 31000, Risk Management Principles and Guidelines. We reference this standard because it is widely quoted and used, but it is interesting to note that it does not actually use the terms Risk Appetite or Risk Tolerance at all. Instead it uses risk attitude and risk criteria, with the following definitions:

  • Risk Attitude – organisation’s approach to assess and eventually pursue, retain, take or turn away from risk.
  • Risk Criteria – terms of reference against which the significance of a risk is evaluated.
    NOTE 1 Risk criteria are based on organisational objectives, and external and internal context.
    NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.

As a precursor to ISO 31000, let us consider the British Standard on Risk Management, BS 31100. BS 31100 does include the terms Risk Appetite and Risk Tolerance, but interestingly it also includes Risk Criteria, which goes some way to explaining the confusion around the terminology.

  • Risk Appetite – the amount and type of risk that an organisation is prepared to seek, accept or tolerate.
  • Risk Tolerance – the organisation’s readiness to bear the risk after treatments in order to achieve its objectives.
  • Risk Criteria – terms of reference against which the significance of a risk is evaluated.
    NOTE 1 Risk criteria are based on the context, and are regularly reviewed to ensure continued relevance.
    NOTE 2 Risk criteria can be derived from standards, laws, and policies.

Let us move on to two recently released guidance papers, one from the Institute of Operational Risk (IOR) and the other from the Institute of Risk Management (IRM).

Firstly, let us focus on the IOR Operational Risk Sound Practice Guidance on Risk Appetite, which states the following:

In simple terms, expressing ORA (Operational Risk Appetite) is a question of defining what is acceptable to an organisation and what is not. This could be achieved by deciding, for each risk type, what is acceptable, what is not acceptable, and the parameters of the area between those two, i.e. what is tolerable.

The paper goes on to state that it is common practice to use RAG (Red, Amber and Green) status when monitoring performance against ORA.

The IRM guidance paper, Risk Appetite and Tolerance, offers the following:

While Risk Appetite is about the pursuit of Risk, Risk Tolerance is about what you can allow the organisation to deal with.

The paper goes on to provide the following definitions:

  • Risk Appetite – The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives.
  • Risk Tolerance – The boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.

So, having read definitions and statements from a small selection of standards and guidance documents, it becomes clear that there is considerable confusion and differing views on what Risk Appetite and Risk Tolerance are, how they relate to each other, and how they can be applied.

Hopefully we can bring some clarification to the topic, and also explain how we think about Risk Appetite and Risk Tolerance within the Risk-Based Performance Management methodology.

Starting with the definitions of Risk Appetite and Risk Tolerance, our thinking is most closely aligned to the COSO approach, in that:

  • Risk Appetite – the amount and type of risk that an organisation is willing to accept, and must take, to achieve its strategic objectives and therefore create value for shareholders and other stakeholders.
  • Risk Tolerance – the acceptable level of variation in risk taking in the pursuit of a specific objective.

What does this really mean? It means that, as we define it, Risk Appetite is about the amount of risk that an organisation is willing to accept, and must take, to successfully achieve its objectives, whereas Risk Tolerance is about the variation in risk taking as we pursue those objectives.

In practice, we use Risk Appetite to set the boundaries of acceptable risk-taking within the organisation, and we use Risk Tolerance in the definition of Key Risk Indicator (KRI) thresholds. These thresholds are defined per risk and are used to monitor variations in risk taking, and in the risk-taking environment, over time.

For example, a Water Company may be seeking to deliver on an objective of "Delivering clean and safe drinking water". A risk related to this objective might be "Failure of filtering equipment resulting in a contamination". Recognising that there is no such thing as no risk, the Water Company may state that it has a Low Appetite for risks related to the objective "Delivering clean and safe drinking water". The levels of Risk Appetite related to Water Quality may be defined using a Water Quality Index, so that Low might be between 0 and 10 on the index, whereas Extreme might be between 80 and 100. To express Risk Tolerance we might define a Key Risk Indicator (KRI) such as Water Quality Sampling Results vs. Baseline. In this example we might set a Baseline for the KRI of 10 (this number is not the same as the Water Quality Index, where 10 is the upper limit of Low Appetite), with Thresholds of 5% and 10%: the KRI will be Green if the results are within 5% of the Baseline, i.e. +/- 0.5; Amber if the results are between 0.5 and 0.99 away from the Baseline; and Red if they are 1 or more away. When defining these Thresholds we consider the Risk Appetite for the risk the KRI belongs to, and we use the Upper Threshold to express Risk Tolerance, because the Upper Threshold indicates whether the KRI is inside or outside Tolerance. In this example the Water Company is prepared to accept a 10% variation from the acceptable level of risk taking (meaning residual risk-taking).
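The worked example above can be expressed as a small KRI monitor. The following Python is an added illustration written for this post, not code from the Risk-Based Performance Management methodology or any tool it describes. The `Kri` class, the `monitor` function and the sampling results are all constructed here; it reuses the text's figures (Baseline 10, Thresholds 5% and 10%) and takes the Upper Threshold as the tolerance boundary, so Green and Amber readings are inside tolerance and Red readings are outside. It generalises the text slightly in that the same class works for any KRI whose thresholds are expressed as percentages of a baseline.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Rag(Enum):
    """RAG status used when monitoring a KRI against its thresholds."""
    GREEN = "GREEN"
    AMBER = "AMBER"
    RED = "RED"


@dataclass(frozen=True)
class Kri:
    """A Key Risk Indicator with a baseline and two percentage thresholds.

    lower_pct marks the Green/Amber boundary; upper_pct marks the Amber/Red
    boundary and is the threshold that expresses Risk Tolerance.
    """
    name: str
    baseline: float
    lower_pct: float
    upper_pct: float

    def deviation(self, observed: float) -> float:
        # Absolute distance from the baseline, in the KRI's own units.
        return abs(observed - self.baseline)

    def lower_limit(self) -> float:
        return self.baseline * self.lower_pct / 100.0

    def upper_limit(self) -> float:
        return self.baseline * self.upper_pct / 100.0

    def status(self, observed: float) -> Rag:
        # Assumption: "within 5%" is read as inclusive, so a deviation exactly
        # on the lower limit is Green, while one on the upper limit is Red.
        dev = self.deviation(observed)
        if dev <= self.lower_limit():
            return Rag.GREEN
        if dev < self.upper_limit():
            return Rag.AMBER
        return Rag.RED

    def within_tolerance(self, observed: float) -> bool:
        # Tolerance is expressed by the Upper Threshold alone: Green and Amber
        # readings are inside tolerance, Red readings are outside it.
        return self.status(observed) is not Rag.RED


def monitor(kri: Kri, samples: List[float]) -> Dict[str, object]:
    """Classify a series of KRI readings and summarise tolerance breaches."""
    statuses = [kri.status(s) for s in samples]
    breaches = [s for s, st in zip(samples, statuses) if st is Rag.RED]
    order = list(Rag)  # GREEN < AMBER < RED
    worst = max(statuses, key=order.index) if statuses else Rag.GREEN
    return {
        "kri": kri.name,
        "statuses": [st.value for st in statuses],
        "breaches": breaches,
        "worst": worst.value,
    }


# The water company's KRI from the text: Baseline 10, Thresholds 5% and 10%,
# which gives limits of 0.5 and 1.0 in the KRI's own units.
WATER_QUALITY_KRI = Kri("Water Quality Sampling Results vs. Baseline", 10.0, 5.0, 10.0)

# Constructed sampling results for illustration only; not real data.
SAMPLE_RESULTS = [10.3, 9.7, 10.5, 9.4, 10.8, 11.0, 8.9]


if __name__ == "__main__":
    report = monitor(WATER_QUALITY_KRI, SAMPLE_RESULTS)
    for sample, st in zip(SAMPLE_RESULTS, report["statuses"]):
        print(f"{sample:5.1f} -> {st}")
    print("worst status:", report["worst"], "breaches:", report["breaches"])
```

Running the block classifies the seven readings as three Green, two Amber and two Red, and reports the two Red readings as tolerance breaches. Keeping the tolerance test on the Upper Threshold only, as the text recommends, means an Amber reading triggers attention without being counted as a breach of the Risk Appetite the KRI is tied to.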

We believe that by expressing Risk Appetite for Objectives, and using it to set the boundaries for risk-taking, we give the Board and Senior Management the tools to clearly define the amount of risk that is acceptable and must be taken to deliver the Objectives. Risk Tolerance, expressed at the KRI level, then provides a mechanism to translate Risk Appetite from the Strategic level to the Operational level. This use of Risk Tolerance also enables the organisation to cascade Risk Appetite through the organisation effectively and embed it in day-to-day management activities, processes and decision-making.