According to ISO 31000, a risk appetite definition is “the amount and type of risk that an organization is prepared to pursue, retain or take.”
The challenge with developing a risk appetite definition is how to implement and enforce it, making it relevant to business units on a day-to-day and case-by-case basis.
This means it is important to link risk appetite to business decisions and then collect the appropriate metrics to measure the risk appetite.
Risk Appetite vs Risk Tolerance
According to the IIA, both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. However, there is an important difference to note when comparing risk appetite vs risk tolerance.
A risk appetite statement is a higher-level statement that broadly considers the levels of risk that management deems acceptable, while risk tolerances are narrower and set the acceptable level of variation around objectives.
An example of a risk appetite statement would be when a company says it does not accept risks that could result in a significant loss of its revenue base. When the same company says it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 10%, it is expressing a risk tolerance definition.
Awareness of residual risk and operating within a risk tolerance provides management greater assurance that the company remains within its risk appetite.
This reassurance, in turn, provides a higher degree of comfort that the company will achieve its strategic objectives.
What is Residual Risk?
When crafting a best practice risk appetite and risk tolerance definition, it’s important to keep in mind that risk tolerances should be specific to a company’s individual goals and require actionable parameters.
For example, in LogicManager’s unified root-cause risk library, every risk factor can be given a risk tolerance, or a range of acceptability to the organization.
One way to measure this range is by monitoring the residual risk.
Residual risk definition: the threat a risk poses after the current mitigation activities in place to address it are taken into account. It can be an important metric for assessing overall risk appetite.
A risk tolerance range for minimum and maximum levels of residual risk is typically set by the committee responsible for risk management oversight and accepted by the board of directors.
This means that if a risk’s impact on the organization, multiplied by its likelihood of occurring, multiplied by the effectiveness of current mitigation activities falls outside of the level deemed acceptable, then the risk factor is out of tolerance.
Business process owners must then adjust mitigation activities, procedures, or controls in order to keep the residual risk within the defined risk tolerance.
Setting enterprise risk tolerances is a calibration exercise, meaning you need to collect a number of risk assessments for areas known to have high and low risk.
This provides an opportunity to compare residual risk to measurements of known acceptability.
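As an added illustration of the residual risk check and the calibration step described above (example code, not LogicManager's own scoring or software), the block below assumes a 1-5 scale for impact and likelihood, control effectiveness as the 0-1 share of inherent risk that current mitigation removes, and a committee-set tolerance band; all register entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    name: str
    impact: float                 # assumed 1-5 scale
    likelihood: float             # assumed 1-5 scale
    control_effectiveness: float  # assumed 0.0-1.0 share of inherent risk removed


def residual_risk(rf: RiskFactor) -> float:
    # Assumed scoring: inherent risk (impact x likelihood) scaled by the share
    # of risk that the current mitigation activities do NOT remove.
    return round(rf.impact * rf.likelihood * (1.0 - rf.control_effectiveness), 4)


def out_of_tolerance(factors, low, high):
    """Return (name, score, 'above'|'below') for each factor outside [low, high]."""
    findings = []
    for rf in factors:
        score = residual_risk(rf)
        if score > high:
            findings.append((rf.name, score, "above"))
        elif score < low:
            findings.append((rf.name, score, "below"))
    return findings


def calibration_errors(anchors, low, high):
    """anchors: (RiskFactor, acceptable) pairs already judged by the oversight
    committee. Returns the names whose judgement disagrees with the band, i.e.
    a band that fails calibration against known high- and low-risk areas."""
    return [rf.name for rf, acceptable in anchors
            if (low <= residual_risk(rf) <= high) != acceptable]


# Constructed sample register and calibration anchors (not real assessments).
REGISTER = [
    RiskFactor("customer-data breach", 5, 3, 0.8),   # 15 * 0.2 = 3.0
    RiskFactor("vendor outage", 3, 4, 0.25),         # 12 * 0.75 = 9.0
    RiskFactor("stale password policy", 2, 2, 0.9),  # 4 * 0.1 = 0.4
]
ANCHORS = [
    (RiskFactor("known-acceptable", 2, 2, 0.0), True),     # 4.0
    (RiskFactor("known-unacceptable", 5, 5, 0.5), False),  # 12.5
]
LOW, HIGH = 1.0, 6.0  # assumed committee-set tolerance band

if __name__ == "__main__":
    print(out_of_tolerance(REGISTER, LOW, HIGH))
    print(calibration_errors(ANCHORS, LOW, HIGH))
```

A "below" finding is as much a signal as an "above" one: it flags a process whose controls may be more costly than the risk they address.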
Translating Risk Appetite and Risk Tolerance Statements into Reality
An organization-wide risk appetite statement can be a powerful tool that gives your risk or compliance program direction. However, like any policy, a risk appetite without accompanying action is nothing more than an idea.
With standardized risk assessment templates and intuitive risk dashboards, risk managers can collect the information necessary to implement appropriate risk appetite and risk tolerance at both an enterprise level and for individual business processes.
Define Risk Tolerances at the Front-Line Process Level
Every day, front-line managers are making operational decisions about risk that are far removed from an organization’s risk appetite policies.
The front line is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.
To successfully implement your risk appetite across the organization, you must be able to identify and define risk tolerances at the front-line process level. Robust monitoring tools allow organizations to evaluate risk tolerances for the root causes of risk at any level.
In turn, this allows organizations to connect front-line decisions with overall risk appetite and determine which processes are out of range through intuitive, navigable dashboards and reports.
Connecting Risk Appetite to Business Performance
Risk appetites should always be aimed at improving business performance. Say your organization has a strategic imperative of customer satisfaction and your risk appetite statement outlines a low tolerance for customer dissatisfaction. You could set goals for a particular customer satisfaction survey; however, this metric doesn’t offer any actionable solution to improve customer service. With a survey you’ll always be acting on customer impressions from last month as an effect of last year’s policies.
Instead, your metrics need to be looking to the future. Returning to our customer service department: case volume, for example, is available as soon as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization. In this example, other forward-looking metrics could include call-wait time or email response time. Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.
Make Underlying Risk Metrics Comparable Over Time, Across Levels, and Across Silos
Using our customer service metrics again, the number of re-opened cases might be a good root-cause metric, but it’s not comparable over time or across products as the number of total cases will always vary. Instead, measuring the percent of cases that are re-opened is a more meaningful metric because its value is independent of customer volume, and is thus comparable both over time and across silos.
Align Risk Tolerances with Strategic Goals and Business Models
Risk tolerances will naturally develop from your overall risk appetite, but they also need to be aligned with your organization’s goals. Your organization might have a very low risk tolerance definition set for customer dissatisfaction, but if you’re attracting lots of high-cost customers, then this policy isn’t in line with a discount business model.
When risk tolerances are aligned with both overall risk appetite and strategic goals, they will lower residual risk and contribute to achieving your strategic goals.