Risk Appetite, Risk Tolerance, and Residual Risk
What is Risk Appetite?
Risk appetite is defined as “the amount and type of risk that an organization is prepared to pursue, retain or take,” according to ISO 31000. The challenge with risk appetite is how to implement and enforce it so that it is relevant to business units on a day-to-day basis. This means linking risk appetite to business decisions and collecting the appropriate metrics to measure it.
Risk Appetite vs. Risk Tolerance
According to the IIA, both risk appetite and risk tolerance set boundaries on how much risk an entity is prepared to accept. A risk appetite statement is a higher-level statement that broadly considers the levels of risk that management deems acceptable, while risk tolerances are narrower and set the acceptable level of variation around objectives. An example of a risk appetite statement would be a company saying it does not accept risks that could result in a significant loss of its revenue base. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 10%, it is expressing a risk tolerance. Awareness of residual risk and operating within risk tolerances gives management greater assurance that the company remains within its risk appetite. This reassurance, in turn, provides a higher degree of confidence that the company will achieve its strategic objectives.
What is Residual Risk?
When crafting a best-practice risk tolerance definition, it’s important to keep in mind that tolerances should be specific to an individual company’s goals and require actionable parameters. In LogicManager’s unified root-cause risk library, every risk factor can be given a tolerance, or a range of acceptability to the organization. One way to measure this range is by monitoring residual risk.
Residual risk can be defined as the threat a risk poses after considering the current mitigation activities in place to address it, and can be an important metric for assessing overall risk appetite. A tolerance range for minimum and maximum levels of residual risk is typically set by the committee responsible for risk management oversight and accepted by the board of directors. This means that if a risk’s impact on the organization, times its likelihood of occurring, times the effectiveness of current mitigation activities falls outside of the level deemed acceptable, then the risk factor is out of tolerance. Business process owners must then adjust mitigation activities, procedures, or controls in order to keep the residual risk within the defined risk
Setting enterprise risk tolerances is a calibration exercise, meaning you need to collect a number of risk assessments for areas known to have high and low risk. This provides an opportunity to compare residual risk to measurements of known acceptability.
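As an added illustration of the tolerance check and the calibration exercise described above (example code, not LogicManager’s product or code): impact and likelihood are assumed to be scored 1 to 5, control effectiveness is assumed to be the fraction of inherent risk the controls remove, so residual risk is computed as impact × likelihood × (1 − effectiveness), and the reference assessments and their acceptable/unacceptable labels are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
# Assumed scales: impact and likelihood 1..5; effectiveness is the fraction of
# inherent risk the current controls remove (0 = none, 1 = fully mitigated).
@dataclass(frozen=True)
class RiskAssessment:
    name: str
    impact: int
    likelihood: int
    effectiveness: float
    def residual(self) -> float:
        # impact x likelihood x share of the risk the controls leave behind
        return self.impact * self.likelihood * (1.0 - self.effectiveness)

def calibrate_tolerance(references: list[tuple[RiskAssessment, bool]]) -> tuple[float, float]:
    """Residual-risk band derived from assessments the oversight committee has
    already judged acceptable (True) or unacceptable (False)."""
    accepted = [a.residual() for a, ok in references if ok]
    rejected = [a.residual() for a, ok in references if not ok]
    if not accepted:
        raise ValueError("calibration needs at least one acceptable reference")
    low, high = min(accepted), max(accepted)
    clash = [r for r in rejected if low <= r <= high]  # contradictory labels
    if clash:
        raise ValueError(f"rejected residuals {clash} lie inside band [{low}, {high}]")
    return low, high

def out_of_tolerance(assessments: list[RiskAssessment], band: tuple[float, float]) -> list[str]:
    """Names of risk factors whose residual falls outside the calibrated band."""
    low, high = band
    return [a.name for a in assessments if not low <= a.residual() <= high]
# Constructed reference set; effectiveness values are exact binary fractions.
REFERENCES = [
    (RiskAssessment("phishing", 4, 4, 0.875), True),     # residual 2.0
    (RiskAssessment("vendor outage", 4, 2, 0.5), True),  # residual 4.0
    (RiskAssessment("ransomware", 5, 3, 0.625), True),   # residual 5.625
    (RiskAssessment("legacy app", 5, 4, 0.5), False),    # residual 10.0
    (RiskAssessment("shadow IT", 3, 4, 0.25), False),    # residual 9.0
]
# Constructed current assessments from business process owners.
ASSESSMENTS = [
    RiskAssessment("unpatched web app", 5, 3, 0.375),   # residual 9.375
    RiskAssessment("stale access reviews", 3, 3, 0.5),  # residual 4.5
    RiskAssessment("laptop theft", 2, 4, 0.75),         # residual 2.0, on the boundary
    RiskAssessment("missing backups", 4, 4, 0.25),      # residual 12.0
]

def review() -> tuple[tuple[float, float], list[str]]:
    band = calibrate_tolerance(REFERENCES)
    return band, out_of_tolerance(ASSESSMENTS, band)
```

The two breaches returned by `review()` are the risk factors whose process owners would have to adjust controls; a value on the band boundary still counts as in tolerance.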
Translating Risk Appetite and Tolerance Statements into Reality
An organization-wide risk appetite statement can be a powerful tool that gives your risk or compliance program direction. However, like any policy, risk appetite without accompanying action is nothing more than an idea. With standardized risk assessment templates and intuitive risk dashboards, risk managers can collect the information necessary to implement appropriate tolerances at both an enterprise level and for individual business processes.
LogicManager enables you to apply your risk appetite statement to actionable guides for your organization.
Every day, front-line managers are making operational decisions about risk, far from an organization’s risk appetite policies. The front line is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.
To successfully implement your risk appetite, LogicManager enables organizations to identify and define risk tolerances at the front-line process level. LogicManager’s robust monitoring tools allow organizations to evaluate tolerances for the root causes of risk at any level. This allows organizations to connect front-line decisions with overall risk appetite and determine which processes are out of range through intuitive, navigable dashboards and reports.
Connect risk appetite to business performance.
Say your organization has a strategic imperative of customer satisfaction and your risk appetite statement outlines a low tolerance for customer dissatisfaction. You could set goals for a particular customer satisfaction survey; however, this metric doesn’t offer any actionable solution to improve customer service. With a survey you’ll always be acting on customer impressions from last month, which are themselves an effect of last year’s policies.
Instead, your metrics need to look to the future. Returning to our customer service department, case volume, for example, is available as soon as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization. In this example, other forward-looking metrics could include call-wait time or email response time. Unlike the results of a survey, these metrics are actionable if they are found to be outside their defined tolerance.
Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.
Using our customer service metrics again, the number of re-opened cases might be a good root-cause metric, but it’s not comparable over time or across products because the total number of cases will always vary. Instead, measuring the percentage of cases that are re-opened is a more meaningful metric because its value is independent of customer volume, and it is thus comparable both over time and across silos.
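An added example (not from the original page or LogicManager) of the comparability point above: the raw re-opened count and the re-opened rate are evaluated over constructed monthly figures with different case volumes, and only the rate is checked against an assumed tolerance of 6% of cases re-opened.

```python
# Constructed monthly customer-service figures: (month, cases created, cases re-opened).
MONTHS = [
    ("Jan", 400, 20),    # 5.0% re-opened
    ("Feb", 1000, 40),   # 4.0% re-opened, but the largest raw count
    ("Mar", 250, 20),    # 8.0% re-opened in a low-volume month
    ("Apr", 800, 32),    # 4.0% re-opened
]
REOPEN_RATE_TOLERANCE = 0.06  # assumed upper bound: at most 6% of cases re-opened

def reopen_rate(created: int, reopened: int) -> float:
    """Share of created cases that were re-opened; undefined when nothing was created."""
    if created <= 0:
        raise ValueError("no cases created; re-open rate is undefined")
    return reopened / created

def worst_month_by_count(months=MONTHS) -> str:
    """Month with the most re-opened cases (volume-dependent, misleading)."""
    return max(months, key=lambda m: m[2])[0]

def worst_month_by_rate(months=MONTHS) -> str:
    """Month with the highest re-open rate (volume-independent, comparable)."""
    return max(months, key=lambda m: reopen_rate(m[1], m[2]))[0]

def months_out_of_tolerance(months=MONTHS, limit=REOPEN_RATE_TOLERANCE) -> list[str]:
    """Months whose re-open rate breaches the tolerance and need process-owner action."""
    return [name for name, created, reopened in months
            if reopen_rate(created, reopened) > limit]
```

The count-based view points at the busiest month, while the rate-based view points at the month where the underlying process actually degraded.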
Align your risk tolerances with your strategic goals and business models.
Risk tolerances will naturally develop from your overall risk appetite, but they also need to be aligned with your organization’s goals. Your organization might have a very low risk tolerance defined for customer dissatisfaction, but if you’re attracting lots of high-cost customers, then this policy isn’t in line with a discount business model.
When risk tolerances are aligned with both overall risk appetite and strategic goals, they will lower residual risk and contribute to achieving your strategic goals.
Download Our Free eBook
This eBook will give you a step-by-step guide to make the most of your risk appetite statements.