By Denise Tessier
Will you get pulled over if you are driving at 68 miles per hour (mph)? It depends. Are you in a school zone, where the speed limit is 20 mph, posted with a flashing yellow sign? Are you in a densely populated area where you are not supposed to go over 40 mph? Or are you on a highway, where the posted speed limit is 65 mph, but you know that your state police patrol is fairly lenient, and won’t pursue cars passing under 75 mph?
reputational compliance
In and of itself, the fact that you are going 68 mph isn’t necessarily bad when considering the risk of a potential legal violation. Rather, the amount of risk in getting pulled over during your travels is entirely dependent on the external guidelines and tolerances for speeding set by local authorities under a set of particular circumstances, or in a specific environment. It is a measurement of risk set against the community’s tolerance for the risk of speeding – the maximum speed the community is willing to accept on that particular road.
A closely linked question then is how willing are you to continue to drive 68 mph when passing through different speed zones? Your risk appetite could be considered your willingness and desire to continue to move at 68 mph, knowing that you are in a zone where the posted limit is lower. Risk appetite is about the pursuit of risk. It may be greater, less than, or equal to risk tolerance depending on the circumstance. However, both risk appetite and risk tolerance are intricately linked to performance over time.
For companies, setting either a tolerance or appetite for risk—setting how they will progress against a “speed limit”—is a critical component of an effective enterprise risk management (ERM) program. Since there is no way that companies can eliminate all risks of doing business, clarifying the amount and type of risk that an organization is willing to pursue or maintain, by line of business or functional area, helps companies evaluate where its resources should best be allocated to minimize its most significant risks. It also helps companies make strategic decisions, such as how to reach capital allocation targets and/or develop investment plans. On the flip-side, life in the slow lane is not always best either. Not having a high enough tolerance for risk can mean failure to pursue lucrative opportunities, leading to stagnation.
How do organizations set effective risk tolerance or appetite limits? Most companies track dozens, if not hundreds of risks, and prioritizing which risks should have a formalized, stated limit can be a gut-wrenching challenge. Often, a “small bites” approach is best.
One helpful tool in formulating an approach is the whitepaper issued in January 2012 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Understanding and Communicating Risk Appetite” by Dr. Larry Rittenberg and Frank Martens. To determine risk appetite, this paper suggests that management, with board review and agreement, should focus on three steps:
- Developing a risk appetite framework
- Communicating the appetite throughout the organization
- Monitoring and updating risks to tolerances
Developing a Risk Appetite Framework
The first step towards establishing a company’s risk appetite is to develop an overall framework for senior management review and approval, setting a “tone from the top.” Clarifying roles of the board of directors and key risk managers in the process is critical, asking questions such as:
- Will the board and risk committee be the primary decision-makers for setting all or some risk tolerance levels, or are limits going to be established within the organization, by business unit heads or line managers responsible for the risk?
- How will risk and risk appetite be reviewed and evaluated in light of the company’s goals and strategy? Will risk review be part of the formal business planning process, or as a separate process of its own?
- Will there be multiple levels of approvals or workflows associated with the process?
- What information will be relayed to the board or risk committee, and with what frequency?
Risk appetite is company-specific, and contingent on each organization’s goals, culture, financial position and operating environment. Companies may set a risk appetite or tolerance level for such diverse risk areas such as capital or liquidity levels, earnings volatility, reputational rankings or operational targets.
Since there is no one best set of risk limits, companies must at least establish solid procedures for weighing all relevant factors, and making informed decision with participation by all interested stakeholders. The more thought that goes into designing an overall risk tolerance or appetite framework, determining measurement and reporting processes up-front, the easier it will be to start establishing individual limits on a risk-by-risk basis.
To this end, the next step is to build the framework out with comprehensive metrics and data necessary to monitor areas for closer attention. Without a robust, centralized database tracking all of the company’s risks, the company cannot identify what its major vulnerabilities are, and will never get enough information to determine what they can or cannot handle as loss.
Risk appetite must also be considered in light of the control environment of the company. A company’s willingness to take risks, such as enter a new line of business or develop a new product, frequently depends on its ability to mitigate loss through effective controls, policies and procedures.
Most companies undertaking an ERM program will thus kick off their risk appetite efforts by creating a core risk and control registers or libraries which will centralize and streamline descriptions of the company’s risks, and enable the risks to be scored or ranked against each other through a risk assessment process. Risks are typically assessed or evaluated with some form of financial-based scoring methodology, but quantitative measures like degree of reputational risk, can also be used.
Only when the individual risk and control factors important to the company are centrally organized and cataloged, can a full evaluation be undertaken of what degree of risk a company practically can–or is willing to–assume.
This article was written by Denise Tessier and originally published on propertycasualty360
