Effectively measuring risk appetite and determining risk tolerance allows companies to analyse their objectives and take advantage of opportunites

Types of capacity

‘Risk appetite’ is a term widely used but arguably less well understood. The Institute of Risk Management (IRM) has attempted to shed some light on the subject with its new guide on risk appetite and tolerance.

Why should organisations measure their risk appetite? “As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives,” says IRM.

In practice, knowing your risk appetite can clarify responsibilities and decision-making. It is a key part of risk management in that it builds scope for taking advantage of opportunities as well as safeguards. For example, managers will know the degree to which they can expose the organisation to the consequences of an event or situation. Executives will understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not.

Risk tolerance can be expressed in terms of absolutes - for example, categorical statements that the organisation will not expose more than a certain percentage of its capital to losses in a certain line of business or will not deal with certain types of customers. Risk appetite, says IRM, is about what the organisation does want to do and how it goes about it, which is why it is the board’s responsibility to define it and ensure that risk management and all that entails is consistent with that appetite.

1 Use key risk indicators and key control indicators, both internal and external

This will help directors understand how performance drivers are impacted by risk.

Your measurement approach to the ramifications of risk appetite is likely to vary depending whether you are looking at the strategic, tactical or operational level. At the strategic level, it could involve using models based on shareholder value or economic value added. It is important to choose a model that is appropriate for the nature of your business. At the tactical and operational levels, consider developing a series of risk metrics and control metrics to measure risks and controls. Ensuring the relevance and accuracy of this data is essential.

2 Appreciate that risk appetite is not a single fixed concept

Your organisation will have different appetites for different risks. For example, there might be one risk appetite for selling a particular product, and a different appetite for taking risk while selling another product, or risk appetites might vary in different regulatory regimes. These need to align and will probably vary over time.

3 Develop your risk appetite in the context of your organisation’s risk management capability

This will reflect both its risk capacity and the level of maturity of its risk management and risk culture. There is little advantage in having a substantial risk appetite unless you can manage it. Similarly, if the attitude to risk management is one of indifference, or a sense that risk management is little more than a bureaucratic paper chase, then the likelihood of developing an effective risk appetite is remote.

4 Integrate risk appetite into your organisation’s control culture

This will involve looking at the propensity to take risks – generally a feature of strategic decision-making – and the propensity to exercise control – often an operational consideration. How these balance out within your business will depend on your organisation itself, the types of risks that it faces and the regulatory environment within which it operates.

5 Understand your business model

You need to be able to assess how much risk your organisation currently takes and how much more it might want to take in the future. Sketch a risk appetite framework that reflects your organisation’s core strategy, its principal risks and risk management approaches, and its risk management capability both in terms of capacity and maturity. Clearly articulate the consequences of adopting this. Engage with relevant stakeholders to ensure that your risk taking and control activities are broadly aligned with others, or that you identify potential divergences early.

Your board and any risk oversight committee should then review and hopefully approve the risk appetite proposal. Implementation will take some time because of the complexities involved and the possible need to adapt the framework.

6 Report against your risk appetite statements

This should be done both internally in the normal way and externally to relevant stakeholders such as shareholders. Your board or risk oversight committee should review what has worked well, what has failed and what needs to be done differently. This will provide the opportunity to fine-tune your risk appetite statement.