No doubt you’ve heard the terms Risk Appetite and Risk Tolerance in discussions about Enterprise Risk Management (ERM) implementation. But do you know the subtle difference between the two? I’ve heard Boards of Directors say ‘risk tolerance’ when they really mean ‘risk appetite’. Let’s clear up some of the confusion.
Risk appetite is a statement of the degree of risk an organization is willing to take or accept in pursuit of its objectives. It is set at the top of the organization and establishes both the boundary for risk taking and the tone for how risk is taken.
Here is an example of the formulation of a risk appetite statement (select the appropriate word):
Given [stability, volatility, uncertainty] in the business environment, [stability, amount of change, anticipated change] in internal operations of the organization, [satisfactory, adequate, unsatisfactory] earnings of the organization over past three years, anticipated [satisfactory, challenging] near term future earnings of the organization, and [surplus, adequate, minimal] capital position, the risk appetite of the organization is [low/modest, moderate, high/assertive].
You must also define what is meant by the levels low/modest, moderate and high/assertive, so that everyone is working within the same parameters. Without those definitions, two people reading the same appetite statement will draw the line in different places.
Risk tolerance is the level of risk a company is willing to accept in specific risk areas. It is the more specific, measurable counterpart of the appetite: where the appetite sets the overall stance, the tolerance sets the limits that can actually be checked against. Tolerance is generally expressed in both quantitative terms (a monetary or percentage threshold) and qualitative terms (no harm to staff, no undue reputational damage). There can be a stated tolerance for the organization as a whole as well as tolerances for individual areas within the organization.
Here is an example of a risk tolerance statement:
The Board directs that a cost/benefit analysis be performed for the approach to individual and collective risks, and that the residual risk remaining after risk responses: not exceed 1% of total annual expenses; not jeopardize the health and safety of staff and customers; and not unduly impair the reputation of the company. The Board further directs that, should risk responses be absent or fail, the occurrence of the risk will not cause instability to the company's daily operations.
Both risk appetite and risk tolerance should be clearly defined and stated in the organization's Enterprise Risk Management framework. After all, the framework relies on these two statements to define what is acceptable and to inform strategic and operational decisions.