The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a Risk Appetite and Tolerance Statement. This step is meant to sets boundaries on how much risk your organization is prepared to accept in the pursuit of its strategic objectives.
An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. As defined by COSO (one of the risk management standards measured in the RIMS Risk Maturity Model umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.
Once your organization has documented your risk appetite (and received the Board’s approval), the question becomes how do you measure if your organization is adhering to it? The answer is to implement risk tolerances.
While risk appetite is a higher level statement that broadly considers the levels of risk that management deems acceptable, risk tolerances set acceptable levels of variation around risk. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does with to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance.
Why Set Tolerance Levels?
Operating within risk tolerances provides management with greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.
The second step of RMORSA, Risk Identification and Prioritization, outlines a risk assessment process for your organization that provides quantitative language for risk based decision making. This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources to the risks with the highest variation.
The process of articulating a Risk Appetite Statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.
Align with Strategic Goals
When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.