Defining an organization’s risk appetite and risk tolerance is one of the most significant challenges a risk manager faces.
I’ll explain why in a moment, but it’s important to understand these parameters as this helps managers at all levels understand where they are operating in relation to the organization’s risk/comfort level.
Understanding these limits guides them when they are deciding which initiatives to pursue or kill. Or how much mitigation a risk requires. Maybe it’s what helps them decide it’s time to start pulling out of a market or country.
It helps them get a sense of how ‘hot’ the organization is running.
Without knowing your risk appetite and risk tolerance, you can’t make risk-based decisions.
So why is this difficult?
Here are four challenges I’ve come across.
Definitions, always definitions
First, the terms can be confusing and can sometimes get muddled.
- Risk appetite is the amount of risk an organization is comfortable with on a day-to-day basis or the amount of upside risk that it wants to pursue.
- Risk tolerance is the amount of risk an organization can bear for a short period of time. For organizations with a lower risk appetite, the gap between appetite and tolerance is likely to be relatively narrow. Organizations with a higher risk appetite may be willing to tolerate very high levels of risk for short periods of time.
It’s the risk appetite and risk tolerance of the organization, not the individual
Second, it’s a very subjective discussion, which makes it hard to manage. I’ve said before that risk is subjective – the same situation affects every entity differently. However, the problem here is that the individuals involved in the discussion start to explain their own risk tolerance or appetite, not that of the organization. With a couple of noisy managers at the table, you’ll end up with a corporate tolerance and appetite that is actually theirs, not that of the organization as a whole.
“Let’s not write that down”
Third, this is one of those discussions that often makes people uncomfortable because they think that accepting risk is accepting that people will get hurt or that the organization will make a loss. It feels like they equate accepting risk with preparing for failure. In turn, this makes them reluctant to write their definitions for risk appetite and risk tolerance down.
“We have no tolerance for risk”
The final but worst outcome is some declaration that the organization doesn’t tolerate risk. Obviously, we cannot live or operate risk-free, yet people will still make this kind of assertion. Unfortunately, it’s not only impossible to live up to but it has two significant knock-on effects:
- Managers are terrified to take any risk which means that opportunities are missed.
- Risks are not reported which means that these can’t be addressed.
In my opinion, taking a zero-risk approach actually increases your risks.
Determining your risk tolerance and risk appetite is still a hard discussion to have, even if you don’t face these challenges. It means facing up to what can go wrong and then working out how much of that you can handle. You’re also trying to establish values and limits for elements that can be abstract.
However, this isn’t really any different from assessing risks and we can use similar techniques to support the risk appetite and tolerance discussion.
I’m going to share a model I’m building to help with these discussions shortly.