Determining your tolerance and your appetite for risk are essential steps in managing risk. This follows up on my last post, which introduced the ERM framework, its objectives, and its components.
Before getting into risk tolerance, it is important to gain an understanding of risk appetite. I think the best way to explain tolerance is to link it to strategy. Strategy helps to determine the acceptable balance between growth, risk, and return. This becomes what I call the relationship between strategy and risk appetite.
In reality, strategy guides the allocation of resources based on risk to achieve acceptable returns on investment and maintain growth. The linkage between strategy and risk appetite also helps to align people, processes, and the organization’s infrastructure. It becomes a balance in how the entity functions and operates.
Risk tolerance represents the acceptable level of variation relative to the achievement of objectives. Objectives evolve from the strategic process and provide the basis for measuring progress towards achieving them. Measurement is critical, and the level of risk tolerance needs to be aligned with objectives so that actual results fall within the acceptable levels of tolerance. The ability to operate within risk tolerance gives management the assurance that the organization will operate within its level of risk appetite.
What's risk appetite? I like to point out that there are two components associated with risk appetite. The first component is the likelihood that an event will occur. The second component is the impact the event will have if it does occur. Starting with likelihood, it is essential to determine whether the likelihood is low, medium, or high. After assessing likelihood, the next step is to determine the degree of impact. Again, this can be measured as low, medium, or high. By combining the assessment of the two components, it is possible to evaluate whether a potential event falls within risk appetite or exceeds the organization's appetite for risk.
The next step in managing risk is to define an event. In this regard, an event represents an internal or external incident or occurrence that could affect the implementation of strategy or impede the achievement of objectives. Management needs to recognize that uncertainties exist. A determination needs to be made as to when an event could occur as well as the potential outcome from it.
When evaluating the range of potential events, management will need to deal with events ranging from the obvious to the obscure. In addition, it is essential to estimate the potential effects of each event and classify them as either significant or insignificant, together with the qualitative and quantitative range of their impact. The final step is to assess the likelihood of occurrence. These evaluations and assessments need to be embedded into the culture of how the organization operates and manages its business. It has to be a day-to-day process, in contrast to periodically engaging in a risk assessment exercise and calling it risk management.
The next blog post on risk management will discuss some of the internal and external factors impacting risk, evaluation of cost versus benefits, strategic alignment, the variety of event categories, and alignment of strategy.