Risk Appetite and Risk Tolerance

Presentation By James J. Tinarwo

The Risk Tolerance Statement

The FSA, clarifies exactly what a tolerance statement should cover: Tolerance describes the types and degree of operational risk that a firm is prepared to incur (based on factors such as the adequacy of its resources and the nature of its operating environment). Tolerance may be described in terms of the maximum budgeted (that is expected) costs of an operational risk that a firm is prepared to bear, or by reference to risk indicators such as the cost or number of systems failures, available spare capacity and the number of failed trades.

The Risk Tolerance Statement

Tolerance can be quantitative and describe levels of risk impact or number of events, or qualitative by addressing factors that are likely to lead to increased levels of risk (number of unresolved complaints, number of errors, etc). A risk tolerance statement will generally also distinguish between risks for which the firm has no appetite (such as internal theft and fraud or breach of law or regulation) and those that may be accepted within reason (staff error, some degree of inevitable system downtime, etc). Acceptance is likely to reduce rapidly, however, when accepted risks are repeated too often.

The Risk Tolerance Statement

Risk tolerance or appetite reflects the degree of uncertainty that a firm or an individual is prepared to accept in order to achieve financial objectives. In investment decisions, where a responsible investor will consider the extent of loss that he or she is prepared to accept to obtain a higher rate of return. Financial Services Authority (FSA) regulation states that an insurance firm must include in its risk policy documentation details of the operational risks that the firm is prepared to accept and those that it is not prepared to accept, including where relevant some consideration of its appetite or tolerance for specific operational risks.

The Risk Tolerance Statement

The risk tolerance statement must be integrated

into the operational risk process

It serves as a signpost provided by the board of

directors to the rest of the organization that indicates the type of organization that the firm aspires to be. It should therefore direct the response that all levels of the firm should produce when confronted by a risk (whether actual or potential) that may exceed risk tolerance levels. As a result, the tolerance statement will be closely entwined with all aspects of the operational risk management process.

Definitions: Risk Appetite

ISO 31000 / Guide 73 BS31100

Amount and type of risk that an organisation is willing to pursue or retain

Amount and type of risk that an organisation is prepared to seek, accept or tolerate

Definitions: Risk Tolerance

BS31100 organisations readiness to bear the risk after risk treatments in order to achieve its objectives. IRM A series of limits which, depending on the organisation, may either be: In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.

Definitions
Problems:
Risk is treated in an unduly negative way.
Strategic Risk management should be about

maximum tolerance for risk taking as well as risk avoidance.

Definitions: Summary

Risk Appetite and Risk Tolerance- IRM:

While risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with.

The difference can be illustrated in the diagrams on the bottom of this page.

Definitions: Summary

Figure 1 shows performance from the current time (t0) to sometime in the future (t1).

The line AB shows the current expected direction of travel in terms of performance.

Performance Over Time

Performance

Current direction of travel for performance

B A

t0

Time

t1

Performance Over Time

Figure 2 shows that in practice this is subject to

risks which, should they materialise, could result in performance along the line AC, or To opportunities (positive risks) which could result in performance along the line AD. The potential risk universe or the total risk exposure is shown by the difference between C and D. (see Figure 3)

Possible Outcomes
Where you might get to if some good things happen

Performance
A

t0

Time

t1

Where you might get to if some bad things happen

Risk Universe

Risk Universe: The full range of risks which

could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives.

Risk Universe
D

Risk Universe

Performance
A
t0

Time

t1

Risk Tolerance

Risk Tolerance; The boundaries of risk taking

outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.

Risk Tolerance
D

Risk Tolerence

Performance

Y A

t0

Time

t1

Risk Appetite

Risk Appetite: The amount of risk that an

organisation is willing to seek or accept in the pursuit of its long term objectives.

Risk Appetite
D

Risk Appetite

Performance
A

t0

Time

t1

Risk Appetite and Risk Tolerance

What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow

line AD because pursuing it might throw up substantial additional risks. Consequently, there are some risk outcomes for which there is no tolerance, and moreover no tolerance for taking those risks. Since there can be potentially positive as well as negative risks, that suggests that there is a range shown by the triangle AXY, outside of which the organisation will not tolerate exposure. This is the risk tolerance.
Its about identifying what COSO calls the sweet spot Its about identifying what COSO calls the sweet spot

Definitions
Optimal Risk-Taking
Insufficient Risk-Taking Optimal Risk-Taking

Excessive Risk-Taking

Expected Enterprise Value

Sweet Spot

Risk Level

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, 2004.

Risk Appetite and Risk Tolerance

On the other hand, our appetite for risk is likely to be shown by a narrower band of performance outcomes shown by the triangle AMN. Risk appetite has at least two components: Risk and control and that to consider either in isolation could result in sub-optimal decisions.

Risk Tolerance and Risk Appetite

Risk tolerance is expressed in terms of

absolutes: for example we will not expose more than x% of our capital to losses in a certain line of business, or we will not deal with a certain type of customer.
Risk tolerance statements are lines in the sand

beyond which the organisation will not move without prior board approval.

Risk Tolerance and Risk Appetite

Risk appetite is about what the organisation does

want to do and how it goes about it.

It therefore the boards responsibility to define this

all important part of the risk management system and to ensure that the exercise of risk management and all that entails is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance.

Integrating the Risk Tolerance Statement into the Operational Risk Process
The risk tolerance statement serves as a signpost

provided by the board of directors to the rest of the organization that indicates the type of organization that the firm aspires to be.
It therefore should direct the response that all levels

of the organisation should produce when confronted by a risk (whether actual or potential) that may exceed risk tolerance levels.
The tolerance statement will be closely entwined with

all aspects of the operational risk management process.