2 minute read
RISK APPETITE AND TOLERANCE STATEMENTS: IDENTIFYING
HAVE YOU BEEN SKYDIVING? I HAVE NOT. TO QUOTE CLINT EASTWOOD, “JUMPING OUT OF A PERFECTLY GOOD AIRPLANE IS NOT A NATURAL ACT.” YET IN 2021, THE US PARACHUTE ASSOCIATION REPORTED 3.57 MILLION JUMPS.
Both the ways we measure risk and the amount of risk we will assume can vary widely. We are each unique humans, with awareness and tolerance built into our DNA. Chemicals like dopamine impact our perception of risk— as do age, gender, stress, etc.
Advertisement
RISK APPETITE & TOLERANCE FOR ORGANIZATIONS
In 1995, Nick Leeson, a currency trader with Barings Bank, made failed bets on Nikkei futures totaling $1.3 billion, exceeding his employer’s capital and reserves. The 233-year-old bank was forced into bankruptcy.
Leeson had a risk appetite and risk tolerance beyond what Barings Bank could accept. This story shows how important it is to develop risk appetite and risk tolerance statements to document the risks an organization is and is not willing to accept.
Risk appetite statements guide strategic plans, operational processes, and business continuity plans. For example, TD Bank’s statement reads as follows:
TD takes risks required to build its business, but only if those risks:
• Fit business strategy, can be understood, and managed.
• Do not expose the enterprise to significant single-loss events.
• Do not risk harming the TD brand.
Risk tolerance statements refine and “operationalize” appetite statements. They are measurable, realistic, monitorable boundaries within which a business must operate. For example:
• At all times, [organization] will maintain a rating of [xx] from [agency]
• Annual employee turnover will not exceed [xx%]
• Operational losses will not exceed [xx%] of [transaction type]
Risks can have a range of acceptable levels. For example, information security risk. The easiest way to avoid information security risk is to disconnect your computer from the internet. But that would mean no (external) email, no cloud computing, and no working from home. Requiring zero risk can prevent us from accomplishing our objectives.
Some risk is fine, but too much risk is not. Like navigating a road, the acceptable place to drive is in the middle.
WHAT TO DO WITH RISK APPETITE/TOLERANCE STATEMENTS?
Use them. Decision makers should understand the statements and consider whether their choices leave the organization within or outside established appetite/ tolerance parameters.
Report on them. Executives and risk committees should require regular updates on appetite/tolerance statement status. Discussions might include:
• Is the organization within its risk tolerance for 15 of its 16 metrics?
If so, what about the final metric?
• If uncomfortable accepting this level of risk, the metric identifies an area that needs attention/risk reduction. Don’t let them get stale. Just as organizations change over time, so does risk appetite. Periodically evaluate statements for suitability, relevance, clarity, and need for context, adjusting them as necessary. Consider pairing this evaluation with strategic plan development—where we want our organization to go or not go are interrelated considerations.
Conclusion
Risk appetite and tolerance statements help align employee tolerances to organization-wide tolerances, for more consistent risk response across the board.
ED MCCAULLEY is a Principal Consultant at F.H. Black & Company Incorporated. Specializing in risk management, he collaborates with our clients to mitigate organizational risks by redesigning business processes and selecting, implementing, and supporting enabling technologies. For more than 25 years, Ed has been a driving force for insightful risk management, financial management, accounting, and internal auditing for organizations of all sizes. Ed is an attorney, holds a Certified Public Accountant (CPA) designation, a Juris Doctorate (JD), a Master of Business Administration (MBA), a Bachelor of Business Administration Degree (BBA) in Accounting, and is the author of Back to Basics: Balance Sheet Reconciliations which was featured in the Internal Auditor Magazine.
