Risk tolerance and appetite
HM Treasury define risk appetite as “the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time”.
It is important that the leadership of a business sets rules for risk-taking in respect of all types of risk.
At Board/Executive level risk appetite is a driver of strategic risk decisions. At this level it should also translate into a set of procedures to ensure risk receives adequate attention when making tactical decisions. At operational level risk appetite dictates operational constraints for routine activities.
There are four basic tenets of risk response, which are the “Four Ts”: Tolerate, Treat, Transfer and Terminate. An organisation’s risk appetite will determine which T or Ts apply to each risk exposure. When a risk is considered it should be Evaluated under each of these headings:
- Tolerate. A business cannot avoid some risks; they are part of what the business does, so they must be tolerated. Sometimes the ability to do anything about them may be limited, or the cost of mitigation may be disproportionate to the benefit. Tolerated risks may be necessary for strategic reasons – consider Commercial type risks highlighted below. Most Tolerated risks will be Treated in some way.
- Treat. This is the most common approach, because some form of treatment can be applied to most Tolerated risks. Treating should reduce the probability of an event occurring and/or its impact should it occur.
- Transfer. This could be outsourcing a particular activity that is not core to what the business does or financial hedging of currency movements. Another example is insurance, which allows a business to contract some risks to another party. This approach is good for mitigating financial risks or risk to assets. Not all risks can be transferred and this is looked at further below.
- Terminate. This may be possible by stopping an activity because it is deemed outside of appetite.
The application of risk appetite runs through each aspect of risk and leads to clarity when arranging any forms of risk transfer. Risk transfer is not always possible.
- Retained risk is the direct loss the business retains which is not transferred out of the business e.g. through insurance. A simple example is an insurance policy excess or a risk that could be but is not insured.
- Insured risk is self-explanatory but could extend to include a captive arrangement that insures risks which cannot be insured traditionally in the insurance market. Insurable risks are fortuitous and quantifiable.
- Residual risk is the indirect loss any insurance cover does not pay, such as time spent dealing with claims and re-organising to cope with the consequences of an interruption. This is very much operational risk and can be managed, and mitigated, through good planning, such as a Business Continuity Plan (BCP).
- Commercial risk is the profit available from taking risks. There is no reward without some form of risk. Most of these risks cannot be insured. The decision making around risk in this area is strategic and will relate back to the risk management Context and strategy.
- Allows for the formulation of a statement of the organisation’s attitude/appetite to risk;
- Provides boundaries for what is and is not acceptable;
- Allows for controlled risk taking; and
- Provides a basis for risks to be defined qualitatively and quantitatively.
The output from Evaluation should assist in developing risk strategy and informing the Context.
For risks that have not been terminated, transferred or otherwise removed we shall now look at how they can be treated.