Many boards fail to understand the difference between their company’s risk appetite and risk tolerance
Boards must clearly articulate their company’s risk appetite in order for risk managers to do their jobs, according to one of Australia’s risk management veterans.
RIMS Australasia board member and former Scentre Group chief risk officer Eamonn Cunningham said: “If you don’t have that overarching view from the board to the business as to what should be the company’s appetite for risk, then I don’t see how a company can operate in an efficient way.
“Any self-respecting risk manager who is following the ASX [corporate governance] principles needs to have a risk appetite. But, fundamentally, the board needs to tell the CEO, and ultimately the group, what is the risk appetite for the organisation. It’s developed by the company and executive management, but ultimately it’s the board that approves it.”
A common barrier to this ‘tone from the top’ is a lack of understanding of the difference between a company’s risk appetite and risk tolerance, Cunningham said.
“Simplistically, risk appetite is a measure of the amount of risk you’re prepared to take on as a business. Whereas tolerance is a very related point, but it’s the amount you’re willing to lose. Therefore, tolerance tends to be more quantitative rather than qualitative in terms of a concept.
“A lot of companies implicitly understand tolerance, even if they don’t necessarily call it as such. It really is about, once I roll out my operations and I accept risk, what is the maximum amount I’m prepared to lose in a catastrophe situation?”
BPAY group risk manager Francesca Dickson agreed that it’s important to have an in-depth understanding of a company’s risk appetite. But she said often the stated risk appetite and the actual risk appetite are not the same within an organisation.
“You have to have actual conversations about it,” she added.