How do organizations set effective risk tolerance or appetite limits? Most companies track dozens, if not hundreds of risks, and prioritizing which risks should have a formalized, stated limit can be a gut-wrenching challenge. Often, a “small bites” approach is best.

One helpful tool in formulating an approach is the whitepaper issued in January 2012 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Understanding and Communicating Risk Appetite” by Dr. Larry Rittenberg and Frank Martens. To determine risk appetite, this paper suggests that management, with board review and agreement, should focus on three steps:

1. Developing a risk appetite framework
2. Communicating the appetite throughout the organization
3. Monitoring and updating risks to tolerances

Developing a Risk Appetite Framework

The first step towards establishing a company's risk appetite is to develop an overall framework for senior management review and approval, setting a “tone from the top.” Clarifying roles of the board of directors and key risk managers in the process is critical, asking questions such as:

• Will the board and risk committee be the primary decision-makers for setting all or some risk tolerance levels, or are limits going to be established within the organization, by business unit heads or line managers responsible for the risk?
• How will risk and risk appetite be reviewed and evaluated in light of the company's goals and strategy? Will risk review be part of the formal business planning process, or as a separate process of its own?
• Will there be multiple levels of approvals or workflows associated with the process?
• What information will be relayed to the board or risk committee, and with what frequency?

Risk appetite is company-specific, and contingent on each organization's goals, culture, financial position and operating environment. Companies may set a risk appetite or tolerance level for such diverse risk areas such as capital or liquidity levels, earnings volatility, reputational rankings or operational targets.

Since there is no one best set of risk limits, companies must at least establish solid procedures for weighing all relevant factors, and making informed decision with participation by all interested stakeholders. The more thought that goes into designing an overall risk tolerance or appetite framework, determining measurement and reporting processes up-front, the easier it will be to start establishing individual limits on a risk-by-risk basis.

To this end, the next step is to build the framework out with comprehensive metrics and data necessary to monitor areas for closer attention. Without a robust, centralized database tracking all of the company's risks, the company cannot identify what its major vulnerabilities are, and will never get enough information to determine what they can or cannot handle as loss.

Risk appetite must also be considered in light of the control environment of the company. A company's willingness to take risks, such as enter a new line of business or develop a new product, frequently depends on its ability to mitigate loss through effective controls, policies and procedures.

Most companies undertaking an ERM program will thus kick off their risk appetite efforts by creating a core risk and control registers or libraries which will centralize and streamline descriptions of the company's risks, and enable the risks to be scored or ranked against each other through a risk assessment process. Risks are typically assessed or evaluated with some form of financial-based scoring methodology, but quantitative measures like degree of reputational risk, can also be used.

Only when the individual risk and control factors important to the company are centrally organized and cataloged, can a full evaluation be undertaken of what degree of risk a company practically can–or is willing to–assume.

Communicating Risk Appetite throughout the Organization

What is the use of having a speed limit if no one sees the sign? Communicating risk appetite is as important as setting it. Most companies start their communication plan by crafting a broad formal risk appetite statement for each major category of risk, then honing it down to meet the needs of specific business areas or functional departments. The proper level will vary based on company goals and the specific risk involved. In any event, however, the language used for the statement should be simple enough to foster a base understanding of the risk concept, but detailed enough to help direct behavior in line with the appetite. Risk appetite or tolerance statements also often reflect the company's culture, which might be seen or phrased on a spectrum from cautious, measured, or steady, to leading, bold or innovative.

• First-time risk appetite statements are frequently set in a scale or range of broad narrative, such as “high, medium, low” or “averse/avoid, cautious, moderately open, encouraging or actively pursuing.” For example:

Whilst pursing innovation in our products, CompanyX will not compromise its reputation for excellence in customer service and treating customers fairly, nor its commitment to legal and regulatory compliance. Consequently, we tolerate very low risk in the area of employee education and training, ensuring that underwriting and claim staff are given regular training on important legal, compliance and regulatory developments, as well as extensive training on customer service-related policies and procedures.

Appetite can also be established with a specific percentage or dollar amount, as noted in the following examples:

• On this line of business, our net unreinsured loss should not exceed $1M.
• As a leader in our specialty lines of business, we strive to maintain an S&P rating of A or better for all of our operating entities.
• Our goal is to have capital in excess of ABC% of required risk-based capital.

As companies become more sophisticated and grow in their ERM practices, risk appetite statements generally become more explicit and measurable, more focused, and may be better targeted to specific business practices or financial goals. Here, quantitative measurements in the risk appetite or tolerance statement should help define how individual risks should be managed on a daily basis, transmitting enough information to provide some strategic or operational directive to staff responsible for measuring, managing or controlling risk.

Documenting and communicating risk appetite, however, needs to be tailored to all relevant stakeholders and their expectations. Risk appetite must take into account differing views at a strategic, tactical and operational level. Internally, statements may need to be tailored specifically to groups such as the board of directors, senior management and employees. Externally, rating agencies, regulators, policyholders, and creditors may have different needs and uses for information. Understanding and tracking how risk tolerance and appetite is interpreted throughout the business, both top-down and ground-up, is important.

A report going to senior managers, for example, may need to be a high-level overview of the entire organization—a “30,000-foot view” that not only cuts across business units and breaks down silos of information, but also rolls up and aggregates tolerance data from across departments. On the flip-side, other managers may want to be able to get more detail on a particular issue, and drill-down to see what is behind an aggregated view periodically, to confirm what their business units are doing, track whether risks are exceeding tolerances for a particular issue or analyze the interrelationships between multiple risks. Dashboards and reports showing risk appetite should therefore be flexible, designed carefully, and based on a broad spectrum of data collected from different parts of an organization that can be sliced and diced in different ways.

Monitoring and Updating Risks Appetite

Once a risk appetite or tolerance statement is defined and initially communicated, it must be reviewed and refreshed on a regular basis. Company goals and strategies change. People change. Controls change, and their effectiveness may decline or improve. How the company responds to risk, therefore, is in constant flux.

Keeping abreast of change is, however, a major challenge for most companies. The process can be improved on the front end by creating a common hierarchy, taxonomy and language for the risk and control library. This enables risks and controls from different functional areas to be compared against each other, and aggregated, so that a change to risk or a breach of risk tolerance in one area will lead the reviewer naturally to changes in the risk as it impacts other departments.

Procedures should also be developed for monitoring risk assessment levels, and flagging or highlighting circumstances where risk tolerances are exceeded. Monitoring risk and tracking to risk tolerance can be done manually or through specialized information management report systems. Today, many ERM systems permit the comparison of routinely generated risk-relative data to an established target, to completely automate identification of breaches, and notify all interested stakeholders.

Ultimately, the goal of developing a formal risk tolerance or appetite framework is to help manage the direction of the company towards its ever-evolving goals and objectives, steering management through risk obstacles and opportunities. By developing a solid foundation of risk identification procedures, collecting and centralizing risk and control data, communicating statements of risk tolerances, and consistently monitoring risks to stated limits, decisions can be better aligned to push performance and profitability.

Denise Tessier is senior regulatory consultant for Insurance Compliance Solutions, Enterprise Risk Management and the Consulting Practice at Wolters Kluwer Financial Services. She may be reached at [email protected].