Risk appetite. Risk tolerance. You’ll be familiar with the terms, but how do they differ? Are they in fact interchangeable, since both can influence business decision-making? The Government Finance Function* provides a simple definition that offers clarification:
Risk Appetite: the level of risk with which an organization aims to operate.
Risk Tolerance: the level of risk with which an organization is willing to operate.
Subtleties and semantics aside, the challenge is for organizations to be able to distinguish between which risks are worth taking, in that they are likely to result in value-creating opportunities, and those risks that pose more of a threat and may destroy value. Failures can often be the result of excessive risk-taking or on the flip side, being too risk-averse.
“By determining an appropriate appetite for risk and implementing a framework to ensure that this appetite is maintained, organizations can ensure that decision-makers do not expose them to either too much, or too little risk,” advises the Institute of Risk (IOR).
In its ‘Operational Risk Appetite and Tolerance’ white paper, the IOR focuses on operational risk as part of an organization’s wider appetite for risk. Clear to assert that there’s no one-size-fits-all approach, it does emphasize the importance of Board and senior management engagement: operational risks such as fraud, health & safety, or conduct-related risks must be managed for good governance and compliance. And strategic decision-making often relies on exposure to operational risks, so there must be confidence in an organization’s ability to take and manage them.
Even though the design and implementation of operational risk management and tolerance framework can be challenging, the payback can be significant.
Benefits of implementing a framework for operational risk appetite:
- By defining the nature and level of operational risks deemed acceptable and unacceptable, the Board can set appropriate boundaries for business activities and behaviors and thus exercise effective corporate governance.
- Can help promote a risk-aware culture: a framework provides a platform from which senior managers’ attitudes towards risk can be shared.
- Creates a framework for operational risk decision-making, helping to identify which risks should be embraced and conversely, which should be avoided or mitigated.
- Pushing risk higher up the agenda helps with the allocation of or prioritization of risk management resources.
- Highlights priority issues – namely, control weaknesses or operational risk exposures beyond risk appetite and tolerance.
- Helps ensure that operational risk management costs do not exceed the benefits.
- Better alignment of strategic goals and operational activities
- A greater understanding of the interplay between operational risks and business goals such as new business development.
With tips for determining risk appetite, practical examples, an outline of the elements of an operational risk management framework, and implementation guidance, the white paper is an invaluable reference.
*Government Finance Function Risk Appetite Guidance Note, October 2020