This post discusses risk appetite and risk tolerance.

WHAT IS A RISK APPETITE?

Risk appetite is the amount of risk an organisation is willing to take or accept to pursue strategic objectives. Risk appetite is the level of risk an organisation is willing to accept while pursuing its goals before any action is necessary to reduce the risk. Risk appetite allows organisations to determine how much they are ready to take risks (including financial and operational impacts) to innovate in pursuit of objectives. 

Risk appetite pertains to a company’s longer-term strategy of what it needs to achieve and the resources available to achieve it, expressed quantitatively. An organisation’s risk appetite indicates the risk it accepts to attain its business objectives. Businesses will have different risk appetites depending on their size, goals, culture, and sector. Ideally, a range of appetites applies to various risks, which may change over time. Risk appetite tends to be situational.

TYPES OF RISK APPETITE

There are different aspects of risk appetite depending on the elements of a business, investors, and stakeholders’ perspectives. However, basic types of risk appetite include:

1. Maximisation, 

2. Maximax, 

3. Risk seeking, 

4. Risk neutral, 

5. Pareto risk, 

6. Risk-averse, 

7. Minimax, and 

8. Minimisation.

BENEFITS OF WELL-DEVELOPED RISK APPETITE

Risk appetite should be well-developed and clearly articulated by business organisations. A well-developed risk appetite statement and the process are beneficial to an organisation as it would:

1) Enable the company to manage better and understand its risk exposure,

2) Assist the management in making informed risk-based decisions,

3) Help the management in allocating resources and understand risk/benefit trade-offs, and

4) Improve transparency for investors, stakeholders, regulators, and credit rating agencies.  

RISK APPETITE STATEMENT

Risk appetites are unique to every organisation because they are based on specific strategies and attributes influencing organisational behaviours. A risk appetite statement should articulate business identities and incorporate values, strategy, stakeholders’ interests, and the firm’s capacity. 

1) Corporate values: The current level and distribution of risks across the entity and various risk categories. 

2) Strategy: The amount of risk the entity can support in pursuing its objectives. 

3) Stakeholders’ Interest: How much and what kind of risk can they take? 

4) Capacity: The attitudes towards growth, risk, and return.

Risk appetite and tolerance are the key components of a risk appetite statement. Although the specific content and format will vary in line with the needs of individual entities, a risk appetite statement is typically a short document containing the following: 

1) A clear statement of endorsement of the senior executive, reinforcing the importance of informed risk-taking.

2) A definition of the risk appetite statement and how it will be used.

3) A high-level statement of the entity’s risk appetite, including its overall attitude to risk-taking and acceptance.

4) A series of risk tolerance statements, typically aligned against risk categories and subcategories (where additional detail is desired). These are often presented in a tabular format and describe the relative tolerance level for that nature of risk (e.g., ranging from very low to very high tolerance) and the conditions, caveats, and limitations in exercising that risk tolerance.

DEVELOPMENT OF A RISK APPETITE

A company’s management is responsible for developing a risk appetite for the organisation. Hence, it is ultimately the management’s responsibility to create a risk appetite statement for the company. To develop a suitable risk appetite, the administration must understand its strategy, goals, risk-taking experience, risk culture, and stakeholder perspectives. Once the management understands the corporate values and risk-taking culture, the risk appetite process can begin. The board of directors must approve and affirm that the appetite aligns with the organisation’s strategy and stakeholders’ perspectives.

FACTORS INFLUENCING RISK APPETITE

Risk appetite varies subject to several factors, including: 

1) Industry

 2) Company culture

 3) Competitors

4) The nature of the objectives pursued – e.g., how aggressive they are.

5) The financial strength and capabilities of the organisation

6) Risk profile: What are the top risks of the organisation and the controls to mitigate those risks?

7) Risk capacity: How much risk can the organisation absorb? 

8) Qualitative risk assessment: What is the ranking and categorisation of the company’s risk, considering controls, risk, and reward relationships? 

9) Quantitative risk analysis: What types of research establish boundaries within which management can operate?

STEPS IN ADOPTING RISK APPETITE

To effectively adopt a risk appetite, an organisation should consider taking the following three steps:

1. The company’s management should develop a view of its overall risk appetite based on its board’s review and concurrence. 

2. The view of the firm’s risk appetite should be documented and communicated across the organisation. 

3. The management should monitor the risk appetite over time to ensure that the risk appetite statement is expressed as business and operational conditions warrant.

RISK TOLERANCE

Risk tolerance reflects the permitted variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve. Risk tolerance sets the acceptable minimum and maximum variation levels for a company, business unit, individual initiative, or specific risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organisation’s risk management strategy and is approved by leadership. 

Risk tolerance is the acceptable level of variation an entity is willing to accept regarding pursuing its objectives. Risk tolerance develops good boundaries as risk tolerances are always associated with risk appetite and objectives. High-risk tolerance means an organisation is ready to take a high risk, while low-risk tolerance implies the company needs more time to accept many risks. Risk tolerance also relates to market risks, such as market ups and downs, volatility and investors’ tolerance level.

To understand a business risk tolerance level, consider these questions:

1) How much risk can the company handle?

2) How much risk is the company willing to handle?

RISK APPETITE vs RISK TOLERANCE

Let us briefly differentiate between ‘Risk Appetite’ and ‘Risk Tolerance’ for clarity. Risk appetite and risk tolerance are related. Risk tolerance refers to risk appetite but differs in one fundamental way. This is because ‘risk tolerance’ represents the application of ‘risk appetite’ to specific objectives. Risk tolerances guide the operating units in implementing risk appetite within their sphere of operation. Risk tolerances communicate a degree of flexibility, while risk appetite sets a limit beyond which additional risk should not be taken.

ORGANISATIONAL CULTURE AND ITS IMPLICATIONS

There are several definitions of culture. For this discussion, let us view culture as the system of core values and behaviours in an organisation that influence the firm’s risk-taking and business decisions. Our definition of culture has two key elements and implications:

1. Culture exists at different levels within an organisation, e.g., at a group or team level, management team level, or Board level; and 

2. All aspects of culture are internal, invisible, and hidden. The culture of a group arises from the repeated behaviour of its members. Their underlying attitudes shape the behaviour of the group and its constituent individuals. The prevailing culture of the group influences both behaviour and attitude.

A-B-C MODEL OF CULTURE

Based on our definition of culture and its implications, the A-B-C Model of culture developed by Hillson (2013) is relevant. Every attitude has three components that are represented in what is called the ABC model of attitudes. ‘A’ stands for affective, ‘B’ for behavioural, and ‘C’ for cognitive. Although every attitude has these three components, any attitude can be based on one element more than another. 

In other words, each component can also answer the question: where does an attitude come from? There are affectively-based attitudes, behaviourally-based attitudes, and cognitively-based attitudes. Attitude is an individual or group’s chosen position concerning a given situation, influenced by perception. Behaviour comprises external observable actions, including decisions, processes, and communications. Culture is the values, beliefs, knowledge and understanding shared by a group with a common purpose.

UNDERSTANDING RISK CULTURE

To effectively manage a firm’s (e.g., XYZ Insurance Company) risk culture, it is necessary to understand the concept of ‘Risk Attitude’, ‘Risk Behaviour’ and ‘Risk Culture’. To ensure clarity, let us discuss ‘Risk Attitude’, ‘Risk Behaviour’ and ‘Risk Culture’.

RISK ATTITUDE

Risk Attitude is a chosen state of mind concerning uncertainties that could positively or negatively affect objectives. Risk attitude is the position adopted by an individual or group towards risk, influenced by risk perception. Risk Attitudes are generally implemented subconsciously and without mindful validation. However, like any other attitude, risk attitudes are a choice for an individual or group. Risk behaviour comprises external observable risk-related actions, including risk-based decision-making, handling, and communications. Risk culture is the value, belief, knowledge and understanding of risk shared by a group with a common purpose.

IMPORTANCE OF RISK CULTURE

Developing and maintaining a solid and positive risk culture is beneficial. Risk culture is essential within an organisation because it promotes the following:

1) Compliance reporting or regulations, including Solvency II and International Financial Reporting Standards (IFRS), 

2) Organisational performance, and 

3) Risk management effectiveness.

TYPES OF RISK ATTITUDE

Several types of risk attitudes include:

1. Risk aversion, 

2. Risk-seeking and 

3. Risk-neutral.

RISK CULTURE FRAMEWORK

The risk culture framework comprises four core aspects: 

1. Risk competence, 

2. Organisation, 

3. Motivation, and 

4. Relationship.

STEPS TO IMPLEMENTING A RISK CULTURE

Step 1: Evaluate the current culture

Step 2: Plan a cultural change

Step 3: Gain top management support

Step 4: Set expectations

Step 5: Prioritise risk management

Step 6: Provide training and development

Step 7: Develop communication

MANAGEMENT OF RISK CULTURE

To effectively manage risk culture within an organisation, four important questions should be addressed to improve its risk capabilities:

1. Does the organisation have appropriate structures and processes to define the desired culture?

2. Are those structures and processes adequate to create the desired culture?

3. Do structures and processes drive effective behaviours in practice? 

4. How is inappropriate behaviour dealt with?

STEPS FOR MANAGING RISK CULTURE

Management of risk culture consists of three significant steps: 

1. Risk culture identification, 

2. Risk culture assessment, and 

3. Risk culture control and improvement.

HOW TO STRENGTHEN A FIRM’S RISK CULTURE

A business can strengthen its risk culture, amongst others, by:

1) Setting up appropriate risk committees.

2) Strengthening the role of the company’s Chief Risk Officer (CRO).

3) Adjusting senior management incentive plans to have a more significant element of risk focus.

4) Establish an effective governance structure with clear responsibilities and timely challenges.

5) Engaging in active learning from mistakes. and

6) Create incentives that reward thinking without the risk management objectives of the whole organisation.

IMPACTS OF RISK CULTURE ON A FIRM’S RISK MANAGEMENT

Framework Risk culture can impact a firm’s risk management in the following ways:

1. Risk culture affects risk appetite, including strategic and tactical decisions on how much risk to take in various situations and settings.

2. Risk culture influences attitudes towards risk, shaping how individuals and groups view risk in situations perceived as risky and essential. 

3. Risk culture informs the setting of objectives and strategies as key decision-makers seek to determine the optimal course in an uncertain environment and context.

4. Risk culture determines the ability to “take the right risks safely” because it influences risk policies, procedures, and practices.

5. Risk culture can prevent the appearance of condoning wrong behaviour, which can arise when leaders send inconsistent messages on the level of acceptable risk.

IMPLEMENTATION AND ENHANCEMENT OF A FIRM’S RISK CULTURE

Four key elements are essential in implementing and enhancing organisational risk culture. These components are 

1. Strategy, 

2. Assessment, 

3. Control, and 

4. Monitoring.

IMPLICATIONS OF A WEAK RISK CULTURE

A firm with a weak risk culture is characterised with:

1) Unclear responsibility for risk management,

2) Lack of board oversight and direction,  

3) Low awareness of risks amongst employees, 

4) Deficiencies in risk monitoring, reporting and controls, and 

5) Under-resourced and under-qualified risk management function.

TRAITS OF A STRONG RISK CULTURE

An organisation with a strong risk culture is likely to exhibit four key characteristics:

1. Tone at the top,

2. Communication,

3. Responsiveness, and

4. Commitment.

See the full video on Risk Appetite and Risk Tolerance: https://youtu.be/arETHll_F34