How do organizations set effective risk tolerance or appetite limits? Most companies track dozens if not hundreds of risks, and prioritizing which risks should have a formalized, stated limit can be a gut-wrenching challenge.    

DEVELOPING A RISK-APPETITE FRAMEWORK

The first step toward establishing a company's risk appetite is to develop an overall framework for senior-management review and approval, setting a “tone from the top.” Clarifying roles of the board of directors and key risk managers in the process is critical, asking questions such as:

• Will the board and risk committee be the primary decision-makers for setting all or some risk-tolerance levels, or will those limits be established within the organization by the business-unit heads or line managers who are responsible for the risk?
• How will risk and risk appetite be reviewed and evaluated in light of the company's goals and strategy? Will risk review be part of the formal business-planning process, or as a separate process of its own?
• Will there be multiple levels of approvals or workflows associated with the process?
• What information will be relayed to the board or risk committee, and with what frequency? 

Risk appetite is company-specific and contingent on each organization's goals, culture, financial position and operating environment. Companies may set a risk appetite or tolerance level for such diverse risk areas as capital or liquidity levels, earnings volatility, reputational rankings or operational targets. 

Since there is no one best set of risk limits, companies must at least establish solid procedures for weighing all relevant factors and making informed decisions with participation by all interested stakeholders. The more thought that goes into designing an overall risk-tolerance or appetite framework—determining measurement and reporting processes up front—the easier it will be to start establishing individual limits on a risk-by-risk basis.

To this end, the next step is to build the framework out with comprehensive metrics and data necessary to monitor areas for closer attention. Without a robust, centralized database tracking all of the company's risks, the company cannot identify its major vulnerabilities and will never get enough information to determine what losses it can or cannot handle.

Risk appetite must also be considered in light of the control environment of the company. A company's willingness to take risks, such as enter a new line of business or develop a new product, frequently depends on its ability to mitigate loss through effective controls, policies and procedures.

Most companies undertaking an ERM program will thus kick off their risk-appetite efforts by creating a core risk and control register or library that will centralize and streamline descriptions of the company's risks and enable the risks to be scored or ranked against each other through a risk-assessment process. Risks are typically assessed or evaluated with some form of financial-based scoring methodology, but quantitative measures like degree of reputational risk can also be used.

Only when the individual risk and control factors important to the company are centrally organized and cataloged can a full evaluation be undertaken of what degree of risk a company practically can—or is willing to—assume.

COMMUNICATING RISK APPETITE THROUGHOUT THE ORGANIZATION

What is the use of having a speed limit if no one sees the sign? Communicating risk appetite is as important as setting it. Most companies start their communication plan by crafting a broad, formal risk-appetite statement for each major category of risk, then honing it down to meet the needs of specific business areas or functional departments.

First-time risk-appetite statements are frequently set in a scale or range of broad narrative, such as “high, medium, low” or “averse/avoid, cautious, moderately open, encouraging or actively pursuing.” 

For example:  

“Whilst pursuing innovation in our products, Company X will not compromise its reputation for excellence in customer service and treating customers fairly, nor its commitment to legal and regulatory compliance. Consequently, we tolerate very low risk in the area of employee education and training, ensuring that underwriting and claim staff are given regular training on important legal, compliance and regulatory developments as well as extensive training on customer service-related policies and procedures.”

Appetite can also be established with a specifically stated percentage or dollar amount, as noted in these examples:  

• On this line of business, our net unreinsured loss should not exceed $1 million. 
• As a leader in our specialty lines of business, we strive to maintain an S&P rating of A or better for all of our operating entities.
• Our goal is to have capital in excess of X percent of required risk-based capital. 

As companies become more sophisticated and grow in their ERM practices, risk-appetite statements generally become more explicit and measurable, more focused, and may be better targeted to specific business practices or financial goals.  

Documenting and communicating risk appetite, however, needs to be tailored to all relevant stakeholders and their expectations. Risk appetite must take into account differing views at a strategic, tactical and operational level. Internally, statements may need to be tailored specifically to groups such as the board of directors, senior management and employees.

Ultimately, the goal of developing a formal risk-tolerance or appetite framework is to help manage the direction of the company toward its ever-evolving goals and objectives, steering management through risk obstacles and opportunities. By developing a solid foundation of risk-identification procedures, collecting and centralizing risk and control data, communicating statements of risk tolerances, and consistently monitoring risks to stated limits, decisions can be better aligned to push performance and profitability.