Adopting and embedding risk appetite and tolerances is not only essential for financial services organizations to make informed, risk-based decisions, but also supports the long-term health and success of the institution.
As a core component of an effective enterprise risk management (ERM) framework, risk appetite is more than a metric, COSO points out in Risk Appetite – Critical to Success. It “can lead an organization to proactive, forward-looking opportunities that tie appetite and strategy together for future action.”¹
Risk Appetite vs. Tolerance — What’s the Difference?
In its ERM guidance on Understanding and Communicating Risk Appetite, COSO differentiates between the terms “risk appetite” and “risk tolerance,” which are commonly confused. While a risk appetite statement broadly defines the types and amount of risk an organization is willing to accept in pursuit of value, risk tolerances apply risk appetite to specific objectives, setting the boundaries of acceptable performance variations. Risk tolerance should ideally be measured using the same metrics that define success in meeting the associated objective.
“Risk tolerances guide operating units as they implement risk appetite within their sphere of operation. Risk tolerances communicate a degree of flexibility, while risk appetite sets a limit beyond which additional risk should not be taken.”²
Source: COSO
After risk policies are defined and understood by stakeholders, organizations must align their risk appetite and tolerance strategy for continuous business function. Successful organizations not only seek to maximize shareholder outcomes and short-term gains, but also consider long-term sustainability.
Setting Risk Appetite
- Define your organizational goals → These are your strategic objectives
- Determine how you’re going to meet those goals → These are your strategic initiatives
- Identify anything that may impact those objectives and initiatives → These are your potential risks, opportunities, and/or downstream impacts
- Decide how you will monitor potential risks → These are your key risk indicators (KRIs)
- Establish metrics for monitoring overall performance → These are your key performance indicators (KPIs) and risk appetite thresholds for each risk category
Learn more about ERM program fundamentals in our 2-part series >
Setting Risk Tolerances
- Define the boundaries of acceptable performance for significant objectives. Consider strategic, operational, reporting, and compliance objectives.
- Communicate tolerances using existing metrics for measuring performance.
- Implement consistently across operational functions and business units.
“For many organizations, monitoring risk tolerances requires a culture that is aware of risk and risk appetite. Management, by revisiting and reinforcing risk appetite, is in a position to create a culture whose organizational goals are consistent with the board’s, and to hold those responsible for implementing risk management within the risk appetite parameters.”³
Determining which risks to take and avoid is critical for sustaining growth and remaining competitive. Developing a shared framework for defining, communicating, and monitoring risk appetite and tolerances — one stemming from a risk-aware culture that starts with senior management — helps your institution align risk management practices with performance goals and take corrective actions as needed.
References:
1. Risk Appetite – Critical to Success: Using Risk Appetite to Thrive in a Changing World, © 2020 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
2 & 3. Enterprise Risk Management: Understanding and Communicating Risk Appetite, © 2012 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.