In our previous posts in this series, we introduced Enterprise Risk Management (ERM) as a “portfolio view” of risk and discussed various aspects of implementing ERM: roles, culture, a framework and preparing your organization. Now, we’ll begin looking at the “big picture” viewpoint of risk, starting with identifying and prioritizing risks. In the ERM process, management (1) determines acceptable levels of risk, (2) identifies and measures risks throughout the entire organization and aggregates the results, and (3) determines if the aggregated results exceed the acceptable levels. Risk Appetite and Risk Tolerance are the expressions of the “acceptable levels” of risk.
The terminology for Enterprise Risk Management (ERM) has been evolving as the practice of ERM matures and spreads. The label of “Risk Tolerance,” in particular, has been applied to different concepts along the way; however, common usage for various terms such as Risk Capacity, Risk Appetite and Risk Tolerance is, fortunately, converging on a standard.
Risk Capacity, Appetite and Tolerance Concepts
Risk Capacity is the amount of risk an organization can bear, while Risk Appetite is the amount of risk that an organization is willing to bear. For example, a manufacturer may be able to bear the risk of a 50% drop in revenue and stay in operation. However, the board of directors may have decided that, as a matter of practicality, a variance of 15% is the manageable amount of risk and, thus, sets the Risk Appetite at that amount.
As mentioned above, “Risk Tolerance” has been applied to different concepts in the past. For example, an influential 2009 UK white paper applied it as a range of acceptable variance from the Risk Appetite, while a 2011 UK white paper used “Risk Tolerance” to mean the concept of Risk Capacity as we defined it above.
Now, however, “Risk Tolerance” is, in most quarters, regarded as the acceptable amount of risk for a given entity or activity such as a business unit, department, product, project, initiative, etc. To use our example above, the manufacturer may have set Risk Tolerances for such identified items as sales of its Ethernet cable product, price overages in the Purchasing Department and minimum market share gains during a marketing initiative.
Taking the Risk-Versus-Reward View
In a discussion of risk in terms of all the things that can go wrong, it is easy to lose track of the idea that risk is balanced by reward. Traditional risk management tends to focus only on minimizing risk. That narrow focus may lead to missing an opportunity. For example, the potential reward of introducing a new product may be well worth the risks.
ERM, on the other hand, facilitates the balancing of risk and reward in decision-making. ERM views all risks of the organization and their interrelationships, and aligns them with the goals of the organization.
The stakeholders of an organization will influence an organization’s balancing of risk and reward.
An organization will typically have a variety of stakeholders, each with different interests in the organization and its performance. The list of potential stakeholders is extensive. Internal stakeholders can include institutional investors, individual investors, the board of directors, officers, executives, employees, internal auditors, customers, suppliers and vendors. External stakeholders can include business partners, unions, independent auditors, lenders, rating agencies, regulators and government agencies, industry associations and the public.
Each type of stakeholder will have its own view of what level of Risk Appetite will align with the organization’s goals.
Quantifying Risk Appetite
On the way to setting a Risk Appetite, the organization has to decide what measure is appropriate. The measure that is chosen will depend upon which stakeholder interests are most dominant. Shareholders will see Risk Appetite in terms of volatility of profitability, earnings or stock price. By contrast, lender concerns may require a heavily leveraged company to express Risk Appetite in terms of its ability to service debt.
Stakeholders will also, of course, influence the level of Risk Appetite as well as the way it is measured. A well-diversified institutional investor is more inclined to have the organization take greater risk for greater reward. Meanwhile, the employees and the suppliers may be more interested in a stable financial performance and will be more at ease with less risk.
Quantifying Risk Tolerance
Risk Tolerance can be expressed in a variety of measures depending upon what objectives are at stake. If the objective of the sales force is revenue achievement, then a top line revenue measurement is appropriate. If the organization is concerned with a manufacturing plant’s management of cost, then Gross Margin is the fitting indicator. For a strategic initiative of opening a new manufacturing facility, the return on the investment will gauge the success of that decision.
How does an organization use Risk Appetite and Risk Tolerance?
Both types of measurements facilitate decision-making. Informed decision-making is the goal of ERM. Risk Tolerances keep managers of the organization apprised as to whether or not they are achieving objectives. Risk Appetite informs the risk-versus-reward decisions of Executive Management and the Board of Directors. Risk Appetite can also be used to allay concerns of stakeholders. The calculation of a Risk Appetite that is suitable to the stakeholder demonstrates a level of technical expertise and inspires confidence in the organization’s approach to managing its operations.
In our next post in this series, we'll cover the ERM approach to identifying risks.