Foreword

Risk appetite today is a core consideration in any enterprise risk management approach.

As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

The Institute of Risk Management, now in its 25th year, has a key role to play in establishing sound practices in this area and building consensus in what has, for too long, been a nebulous subject.

By providing practical advice on how to approach the development and implementation of a risk appetite framework we believe we will be helping boards and senior management teams both to manage their organisations better and to discharge their corporate governance responsibilities more effectively.

We are particularly pleased that a large number of professional bodies are supporting this work – risk is everyone’s business and a common understanding and approach helps us work together to address this challenging area.

Alex Hindson
Chairman
The Institute of Risk Management

While the Financial Reporting Council has kick-started the debate on risk appetite and risk tolerance in the UK, it is a debate that resonates around the world. As an integrated global risk consulting business, I can testify to the fact that our clients are debating risk appetite. That is why we are pleased to support the work of the Institute of Risk Management in moving this debate forward. We look forward to actively engaging with IRM and others in promoting this thought-provoking document and turning risk appetite into a day-by-day reality for boards and risk management professionals around the world.

Larry Rieger
CEO, Crowe Horwath Global Risk Consulting
The Chartered Institute of Internal Auditors welcomes this contribution from the Institute of Risk Management to the debate on risk appetite and risk tolerance. In theory, the idea of deciding how much risk of different types the organisation wishes to take and accept sounds easy. In practice, it is difficult and needs ongoing effort both from those responsible for governance in agreeing what is acceptable and from all levels of management in communicating how much risk they wish to take and in monitoring how much they are actually taking. Anything that stimulates debate on the practical challenges of risk management is to be welcomed.

Jackie Cain
Policy Director
Chartered Institute of Internal Auditors

All successful organisations need to be clear about their willingness to accept risk in pursuit of their goals. Armed with this clarity, boards and management can make meaningful decisions about what actions to take at all levels of the organisation and the extent to which they must deal with the associated risks. But defining and implementing risk appetite is work in progress for many. CIMA therefore warmly welcomes this new guidance from the Institute of Risk Management as a sound foundation for developing best practice on this critical topic.

Gillian Lees
Head of Corporate Governance
Chartered Institute of Management Accountants (CIMA)

This document is an important contribution to a key area of board activity and helpfully addresses one of the issues highlighted in the Financial Reporting Council’s Guidance on Board Effectiveness. ICSA is pleased to support the work started here by IRM, and looks forward to a well-informed debate and some useful conclusions.

Seamus Gillen
Director of Policy
Institute of Chartered Secretaries and Administrators (ICSA)

This paper will be helpful to senior managers in public service organisations who are trying to understand risk appetite in the context of their own strategic and operational decision making. In its recently published Core Competencies in Public Service Risk Management, Alarm identified the need to understand the organisation’s risk appetite and risk tolerance, as part of the key function of identifying, analysing, evaluating and responding to risk. The ‘questions for the boardroom’, set out in this paper, could easily be translated into ‘questions for the public organisation’s senior executive committee’ and as such may be of value to many Alarm members and their organisations.

Dr Lynn T Drennan
Chief Executive
Alarm, the public risk management association

CIPFA is pleased to endorse this work by IRM on risk appetite and tolerance which provides welcome leadership on a challenging subject for both the public and private sectors. We look forward to taking the debate further with our membership in pursuit of our commitment to sound financial management and good governance.

Diana Melville
Governance Adviser
Chartered Institute of Public Finance and Accountancy

This paper sends out a clear statement that the principle of risk appetite emanating from the board is the only effective way to initiate an ERM implementation. Charterhouse Risk Management is delighted to be associated with the launch of this paper after contributing to the consultation process. Our own experience with clients confirms that this approach is not only critical, but that the whole process must be undertaken with a practical rather than theoretical vigour. This is an essential ingredient of our delivery capability. References to ‘appetite’ and ‘hunger’ only reinforce the living nature of the required approach.

Neil Mockett
CTO
Charterhouse Risk Management
Introduction

This guidance paper has been prepared under the overall direction of a working group of the Institute of Risk Management. The group has held a series of meetings supplemented by much virtual debate to explore ideas and agree the direction of the paper. We have had healthy discussions and, given the nature of the topic, there have been areas that have proved contentious. We have presented the outline of the thinking in various meetings and we circulated an early draft of this paper to more than fifty individuals. We have also exposed it to a much wider consultation, from which we received many responses (see the list of people and organisations responding in Appendix B).

From this development process, we are confident that we are dealing with a topic that is relevant to many people in many organisations of different types in all sectors, and that there is sufficient consensus on issues and approaches emerging to be able to publish this guidance. We know that future editions of this guidance may well be subject to major revisions. That will be a sign of good and healthy progress. It is in that context that we present this paper to assist in boards’ deliberations on the subject of risk appetite and tolerance. The paper consists of an executive summary, which is designed to provide an overview of the subject for general use, particularly by board members, and a more detailed document which is primarily designed to assist those whose task it is to advise boards on these matters.

The full version of this document is available for free download from the website of the IRM and from partner organisations. Printed versions of the executive summary are also available.

The original intent of this paper was in the first instance to provide guidance to directors, risk professionals and others tasked with advising boards on compliance with the part of the UK Corporate Governance Code that states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010). However, feedback from the consultation process has shown that there is considerable interest in this topic in the public sector as well as the private sector and beyond the UK. While some specifics might differ, the underlying principles hold true for all sectors and all geographical locations.

We have found that the approach contained here has far-reaching resonance with anyone who is interested in the subject of risk appetite and tolerance. This is not a subject with an untarnished history: most UK banks would have been expected to define their risk appetite, but not a single bank would have said that it wished to court (and in some instances succumb to) oblivion in the form of the financial crisis. We are now poised to move beyond that thinking. Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive: it means many different things to many different people. For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others gross. For this reason the subject deserves serious attention. One of the purposes of this document is to begin to provide a common vocabulary for people who wish to discuss this subject both within their organisations and also in comparing organisations.

Members of the Working Group

Richard Anderson, deputy chairman of IRM and managing director of Crowe Horwath Global Risk Consulting
Bill Aujla, CRO at Etisalat
Gemma Clatworthy, senior risk consultant at Nationwide Building Society
Roger Garrini, audit manager at Selex Galileo
Paul Hopkin, director of IRM and technical director of AIRMIC
Steven Shackleford, senior academic in audit and risk management at Birmingham City University
John Summers, chief advisor – risk at Rio Tinto
Carolyn Williams, head of thought leadership at IRM
In writing this paper, we are conscious that we may appear to have come at this originally from a UK, quoted-company-centric perspective and that this is counter to IRM’s broad sectoral appeal and international ethos. In fact, while this guidance was originally written with the UK Corporate Governance Code in mind, comments and revisions arising from the consultation process mean that it is applicable to all sectors in all geographies. We continue to welcome feedback from readers in this regard.

Our objective in writing this document has been to give:

1. A theoretical underpinning to the subject of risk appetite; but
2. More importantly, to provide some guidance for those who need to deal with the subject, either for their corporate governance statements, or, alternatively, simply because they think the discussion would inform the way their organisation is run.

This guidance is not definitive: we do not think that we have written the last word on the subject. Thinking on the subject of risk appetite and risk tolerance will continue to develop and, if, as we hope, this booklet is superseded before too many reporting seasons come and go, then we will know that the concept is beginning to take root.

It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a substantial difference to how businesses and organisations are run. We fully expect that the initial scepticism about risk appetite will be gradually replaced as boards and executive directors gain greater insight into its usefulness. We also anticipate that analysts will soon be asking chief executives, chairmen and finance directors about risk appetite. After all, this subject is at the heart of the organisation: risk-taking, whether private, public or third sector, whether large or small, is what managing an organisation is about. The approach of the new UK Corporate Governance Code represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations.

We would like to know whether or not the approach in this paper has been helpful to you as you work through the ramifications of risk appetite and risk tolerance in your own organisation. Please take the time to tell us so that we can both keep abreast of developments and make sure that we are sharing best practice. At IRM we are passionate about leading the profession, and this is one way that we can do so.

At a personal level, I would like to thank the numerous people who have contributed to this paper, ranging from the working group, through various IRM meetings which debated early versions of the thinking, to Carolyn Williams, head of thought leadership at IRM, and of course, all of those people, clients, fellow risk professionals, internal auditors, and many, many others, who have discussed this subject with all of the members of the Working Group. I am, of course, particularly pleased that other professional bodies of considerable repute agree sufficiently with our approach to put their names also to this document.

Richard Anderson
Deputy Chairman
The Institute of Risk Management
September 2011

About IRM

The Institute of Risk Management (IRM) is the world’s leading enterprise risk management education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. We provide qualifications, short courses and events at a range of levels from introductory to board level and support risk professionals by providing the skills and tools needed to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries in the private, third and public sectors.

About the Author

Richard Anderson, the principal author of this booklet, is Deputy Chairman of IRM. Richard is also Managing Director of Crowe Horwath Global Risk Consulting in the UK. A Chartered Accountant, and formerly a partner at a big-4 practice, Richard has also run his own GRC practice for seven of the last ten years. Richard has been professionally involved with risk management since the mid-nineties and has broad industry sector experience. He wrote a report for the OECD on Corporate Risk Management in the banking sector in the UK, the USA and France. He is a regular speaker at conferences and contributes to many journals on risk management and governance issues.
Contents

Introduction
About IRM
About the Author
Executive Summary
  Principles and approach
  Risk appetite and performance
  Putting it into practice
  Five tests for risk appetite frameworks
  Questions for the boardroom
I Background
  The UK Corporate Governance Code
  Risk appetite and risk tolerance
  A word of caution
  Key terms and phrases
  Background - questions for the boardroom
II Designing a risk appetite
  Risk capacity
  Risk management maturity
  Multiple risk appetites
  Risk culture
  Key terms and phrases
  Designing a risk appetite - questions for the boardroom
III Constructing a risk appetite
  Levels of risk appetite
  Strategic
  Risk taxonomies
  Tactical
  Project or operational
  Propensity to take risk
  Propensity to exercise control
  Balanced risk
  Risk management clockspeed
  Control issues
  Measurement
  Strategic
  Tactical and operational
  Data
  Constructing a risk appetite - questions for the boardroom
IV Implementing a risk appetite
  Sketch
  Stakeholder engagement
  Develop
  Approve
  Implement
  Report
  Review
  Implementing a risk appetite - questions for the boardroom
V Governing a risk appetite
  Governing risk appetite - questions for the boardroom
VI The journey is not over
  The journey is not yet over - final questions for the boardroom
Bibliography
Appendix A: Determining the risks the board is willing to take
  Responsibilities for risk taking
  Process for managing risk taking
Appendix B: List of respondents to consultation

Table of Figures

Figure 1 - Performance over time
Figure 2 - Possible outcomes
Figure 3 - Risk Universe
Figure 4 - Risk Tolerance
Figure 5 - Risk Appetite
Figure 6 - Risk Appetite in Context
Figure 7 - Risk Culture Diagnostic
Figure 8 - Risk Appetite - Main Issues
Figure 9 - Shareholder Value Model (1)
Figure 10 - Shareholder Value Model (2)
Figure 11 - Shareholder Value Model (3)
Figure 12 - Stages of Development of Risk Appetite
Figure 13 - Governing a Risk Appetite
Executive Summary

“It is often said that no company can make a profit without taking a risk. The same is true for all organisations: no organisation, whether in the private, public or third sector, can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. This is the challenge that has been highlighted by the latest UK Corporate Governance Code issued by the Financial Reporting Council in 2010.”

Principles and approach

The following key principles have underpinned our work on risk appetite:

1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.

2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach, but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations; stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators, which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.

3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align, and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute of this whole development.

4. Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.

5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.

6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.
Risk and control

We think that this dual focus on taking risk and exercising control is both innovative and critical to a proper understanding of risk appetite and risk tolerance. The innovation is not in looking at risk and control – all boards do that. The innovation is in looking at the interaction of risk and control as part of determining risk appetite. Proportionately more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of control. One word of caution, though: we are not equating strategy with board level and operations with lower levels of the organisation. A board will properly want to know that its operations are under control as much as it wants to oversee the development and implementation of strategy. In the detailed paper we have included a few suggestions as to how boards might like to consider these dual responsibilities. Above all, we are very much focused on the need to take risk as much as on the traditional pre-occupation of many risk management programmes, which is the avoidance of harm.
Risk appetite and performance

Our view is that both risk appetite and risk tolerance are inextricably linked to performance over time. We believe that while risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Organisations have to take some risks and they have to avoid others. The big question that all organisations have to ask themselves is: just what does successful performance look like? This question might be easier to answer for a listed company than for a government department, but can usefully be asked by boards in all sectors.

The illustrations on these pages show the relationship between risk appetite, tolerance and performance. Diagram 1 shows the expected direction of performance over the coming period. Diagram 2 illustrates the range of performance depending on whether risks (or opportunities) materialise. The remaining diagrams demonstrate the difference between:

• all the risks that the organisation might face (the “risk universe” - diagram 3)
• those that, if push comes to shove, they might just be able to put up with (the “risk tolerance” - diagram 4) and
• those risks that they actively wish to engage with (the “risk appetite” - diagram 5).

We believe that the appetite will be smaller than the tolerance in the vast majority of cases, and that in turn will be smaller than the risk universe, which in any case will include “unknown unknowns”.

Risk tolerance can be expressed in terms of absolutes, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer”. Risk appetite, by contrast, is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all-important part of the risk management system and to ensure that the exercise of risk management throughout the organisation is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance. Different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance.

[Diagram 1 - Performance over time: performance plotted against time from t0 to t1, showing the current direction of travel for performance]
[Diagram 2 - Possible outcomes: the same axes, with the spread between where you might get to if some “good” things happen and where you might get to if some “bad” things happen]
[Diagram 3 - Risk Universe: the full spread of outcomes, including where you might get to if some “bad” things happen]
[Diagram 4 - Risk Tolerance: the narrower band of outcomes the organisation could put up with]
[Diagram 5 - Risk Appetite: the narrower band of outcomes the organisation actively wishes to engage with]
Putting it into practice

We have sought to develop an approach to risk appetite that:

• is theoretically sound (but the theory can quickly disappear into the background)
• is practical and pragmatic: we do not want to create a bureaucracy, rather we are looking to help find solutions that can work for organisations of all shapes and sizes
• will make a difference.

Boardroom debate - we suspect that in the early days particularly, a successful approach to reviewing risk appetite and risk tolerance in the boardroom will necessarily lead to some tensions. In other words, we think that it should make a difference to the decisions that are made, otherwise it will diminish into a mere tick-box activity – and nobody needs any more of those in the boardroom. It is essential that the approach that we are setting out in the detailed guidance can and should be tailored to the needs and maturity of the organisation: it is not a one-size-fits-all approach.

Consultation - in our paper we have set out an illustrative process for the development of an approach to risk appetite. This includes appropriate consultation with those external and internal stakeholders with whom the board believes it appropriate to consult on this matter. It also includes a review process by the board, or an appropriate committee of the board, and finally it includes a review process at the end of the cycle so that appropriate lessons can be learned.

Risk Committees - in his 2009 Review of Corporate Governance in UK Banks and Other Financial Industry Entities, Sir David Walker recommended that financial services organisations should make use of board risk committees. The Economic Affairs Committee of the House of Lords recently suggested that large organisations in other sectors should also consider creating such committees. We think that the creation and monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of these committees. In the detailed document, we have included a brief section on the role of the board or risk committee: we are suggesting that governance needs to be exercised over the framework at four key points: approval, measurement, monitoring and learning.

Flexibility - all of this needs to be carried out with the basic precept in mind that risk appetite can and will change over time (as, for example, the economy shifts from boom to bust, or as cash reserves fall). In other words, breaches of risk appetite may well reflect a need to reconsider the risk appetite part way through a reporting cycle as well as a more regular review on an annual cycle. Rapid changes in circumstances, for example as were witnessed during the financial crisis in 2008-9, might also indicate a need for an organisation to re-appraise its risk appetite. In a fast-changing economic climate, it is especially important for firms to have not only a clearly defined strategy, but also a clearly articulated risk appetite framework, so that they are able to react quickly to the challenges and opportunities presented during such times.
Five tests for risk appetite frameworks

“The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.”

Jill Douglas, Head of Risk, Charterhouse Risk Management

In summary, there are five tests that directors should apply in reviewing their organisation’s risk appetite statement:

1. Do the managers making decisions understand the degree to which they (individually) are permitted to expose the organisation to the consequences of an event or situation? Any risk appetite statement needs to be practical, guiding managers to make risk-intelligent decisions.

2. Do the executives understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?

3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the organisation as a whole?

4. Are both managers and executives clear that risk appetite is not constant? It changes as the environment and business conditions change. Anything approved by the board must have some flexibility built in.

5. Are risk decisions made with full consideration of reward? The risk appetite framework needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward.

We believe that by following the guidance set out in detail in our document, directors will be able to be confident that they can pass all of those five tests.
10. Questions for the boardroom
Below we set out some questions that we think boards may want to consider, as part
of an iterative process over time, as they develop their approaches to risk appetite and
which will enable them to remain at the forefront of the discussion. One clear outcome
from our consultation exercise was that, despite the expected variation in views on the
technical aspects of risk appetite, there was a common acceptance of these questions as
a useful starting point for board discussion.
Background Constructing a risk appetite Governing a risk appetite
1. What are the significant risks the 12. Does the organisation understand 20. Is the board satisfied with the
board is willing to take? What are the clearly why and how it engages with arrangements for data governance
significant risks the board is not willing risks? pertaining to risk management data
to take? 13. Is the organisation addressing all and information?
2. What are the strategic objectives of relevant risks or only those that can 21. Has the board played an active
the organisation? Are they clear? What be captured in risk management part in the approval, measurement,
is explicit and what is implicit in those processes? monitoring and learning from the risk
objectives? 14. Does the organisation have a appetite process?
3. Is the board clear about the nature framework for responding to risks? 22. Does the board have, or does it need,
and extent of the significant risks it is a risk committee to, inter alia, oversee
willing to take in achieving its strategic Implementing a risk appetite the development and monitoring of
objectives? the risk appetite framework?
15. Who are the key external stakeholders
4. Does the board need to establish and have sufficient soundings been
clearer governance over the risk appetite and tolerance of the organisation?
5. What steps has the board taken to ensure oversight over the management of the risks?

Designing a risk appetite
6. Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
7. What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
8. Does an understanding of risk permeate the organisation and its culture?
9. Is management incentivised for good risk management?
10. How much does the organisation spend on risk management each year? How much does it need to spend?
11. How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?

taken of their views? Are those views dealt with appropriately in the final documentation?
16. Has the organisation followed a robust approach to developing its risk appetite?
17. Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
18. Is the risk appetite tailored and proportionate to the organisation?
19. What is the evidence that the organisation has implemented the risk appetite effectively?

The journey is not over - final thoughts
23. What needs to change for next time round?
24. Does the organisation have sufficient and appropriate resources and systems?
25. What difference did the process make and how would we like it to have an impact next time round?

Hungry for risk?
The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight’ responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. However, since these instincts are not “hardwired” in our corporate “nervous and sensory” systems we use risk management as a surrogate.
I Background
“What is this all about?”

101 In recent years we have witnessed some major risk events ranging from the global financial crisis to the more recent sovereign debt crisis and a large number of natural and meteorological events with major consequential damage and knock-on effects. But the financial crisis of 2008 had many consequences, and raised many questions, not least of which was the question as to why boards failed to see it coming. At the request of the Prime Minister of the day, Sir David Walker carried out a review of the corporate governance of Banks and Other Financial Institutions (“BOFIs”) and this was followed swiftly by a review of the broader corporate governance landscape in the UK by the Financial Reporting Council (the “FRC”). The FRC made the all-important link between this question and the subject of risk appetite and risk tolerance by inserting reference to these two topics in their draft changes to Section C of the UK Corporate Governance Code (the “Code”) (Financial Reporting Council, 2010). While those very words failed to survive the cut, the concept did survive. Under the newly expanded Section C, a board is explicitly tasked with being responsible for “determining the nature and extent of the significant risks it [the board] is willing to take in achieving its strategic objectives”. This is risk appetite and tolerance by any other name.

102 The rest of this section explores the nature of the words in the Code, and looks at the existing guidance which might help to understand the words.

103
• Sections II and III of this document look at a proposed new framework of risk appetite and risk tolerance
• Sections IV and V look at the practicalities of implementing and overseeing risk appetite and risk tolerance
• Section VI addresses some of the issues that might require further thought, and
• Appendix A presents a summary of how, in practical terms, a board might go about determining the risks it is willing to take.

Throughout the paper we have indicated questions that could usefully be explored in the boardroom to ensure that the subjects of risk appetite and tolerance are being appropriately addressed.

The UK Corporate Governance Code
In its recent update to the UK Corporate Governance Code, the FRC has expanded the section of the Code on Accountability as set out in the box below:

Section C: Accountability
The board should present a balanced and understandable assessment of the company’s position and prospects. The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles...
104 This Section is further expanded in the detailed provisions of the Code:

C.1 Financial and Business Reporting
C.1.2 The directors should include in the annual report an explanation of the basis on which the company generates or preserves value over the longer term (the business model) and the strategy for delivering the objectives of the company.

C.2 Risk Management and Internal Control
Main Principle
The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
Code Provision
C.2.1 The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls.

105 This paper explores the risk management ramifications of these high level statements, and in particular those relating to the “nature and extent of the significant risks [the board] is willing to take in achieving its strategic objectives”. These are the words that replace the references to risk appetite and tolerance in earlier drafts. It is worth noting that this sentence immediately precedes the requirement that “the board should maintain sound risk management and internal control systems”. So we might infer that this is not empty rubric, but rather a matter of substance, especially since Code Provision C.2.1 goes on to require the board “at least annually [to] conduct a review of the effectiveness of the company’s risk management and internal control systems...” To some this sounds like a recipe for Sarbanes-Oxley s404 style work. This is clearly not the intent of the FRC, nor would it be welcomed in most UK boardrooms. However, the fact of this review has to be reported to shareholders. The juxtaposition of the “significant risks” sentence with the requirement to maintain “sound risk management and internal control systems” might lead the reader to surmise that the risk appetite element is one of the reasons that organisations require risk systems. Overall this is a radical new departure for the FRC and introduces a new concept for many directors and boards of non-financial services organisations.

106 As an aside, it seems that the terms “risk appetite” and “risk tolerance” have deep associations with the financial services industry in some minds, and attempts to move non-financial services organisations in that direction might have been difficult. However these words can be seen, for all intents and purposes, as being indistinguishable from the previous phrases. While many commentators see them as inseparable phrases, we focus predominantly on the concept of risk appetite in this paper as a way of providing guidance to directors and those tasked with advising directors on the requirements of the Code in so far as they relate to risk appetite and tolerance.

How has “risk appetite” been used before?

107 Risk appetite is a phrase that is widely used but frequently in different contexts and for different purposes. It is a phrase that for some people conveys its meaning poorly, and in respect of which the meaning is different for different groups of people. Based on the work that was undertaken in writing this paper it was clear that there is little certainty as to what the phrase means, but there seems to be almost unanimity that it could be, and indeed ought to be, a useful concept, if only it could be properly expressed. Some people prefer other terms such as risk attitude or risk capacity. As far as we are concerned there is nothing fundamentally wrong in using any of these terms. Suffice it to say that in writing this guidance we are taking a very pragmatic view: risk appetite is the most common phrase that we have come across, it is the one that was used by the FRC in the context of the draft Corporate Governance Code and therefore we would prefer to define this term in a way that begins to make sense for as many people as possible.

108 Given the lack of conformity about the meaning of the phrase, it is worth looking at the key standards on risk management, ISO31000 (ISO, 2009) and BS31100¹ (British Standards, 2008), to see what light they shed on the subject. Interestingly ISO31000, the international standard, is silent on the subject of risk appetite (focusing instead on ‘risk attitude’ and ‘risk criteria’), although Guide 73 (ISO, 2002) defines risk appetite as the “amount and type of risk that an organisation is willing to pursue or retain.” Some people argue that ISO31000 is silent on the subject because it is neither a useful phrase nor a meaningful concept. They therefore focus more on risk criteria. On the other hand, we believe that there is a benefit from exploring what we think is turning out to be a useful and meaningful concept.

Definition of Risk Appetite
ISO 31000 / Guide 73: Amount and type of risk that an organisation is willing to pursue or retain
BS31100: Amount and type of risk that an organisation is prepared to seek, accept or tolerate

¹ At the time of writing, this document is undergoing revision. Nevertheless the approach in the 2008 document has proved most useful for this discussion.
109 The original BS31100 contained more detail. It defined risk appetite as the “amount and type of risk that an organisation is prepared to seek, accept or tolerate” – very similar to Guide 73. The standard went on to define risk tolerance (bearing in mind that the definition of risk appetite includes reference to tolerating risk) as an “organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives”. The definition then includes a rider which states: “NOTE: risk tolerance can be limited by legal or regulatory requirements”.

110 Notwithstanding the regular appearance of risk appetite and risk tolerance in the same sentence (or definition in the case of BS31100) it is our belief that risk tolerance is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:
• In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or
• More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.

111 We are concerned that this focus treats risk in an unduly negative way, something which we are challenging in this booklet in the sense that there should be a maximum tolerance for risk taking as well as risk avoidance.

112 While neither standard is very informative, it is instructive to see how the “appetite” word or similar words were used in the original BS31100:

Paragraph 3.1 Governance includes a bullet to the effect that the risk management framework should have “defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body.”

Paragraph 3.3.2 Content of the risk management policy has the first explicit reference to risk appetite saying that this should be included in the policy and should outline “the organisation’s risk appetite, thresholds and escalation procedures”

Paragraph 3.8 Risk appetite and risk profile provides a much more comprehensive commentary on risk appetite, which is set out below:
1. “Considering and setting a risk appetite enables an organisation to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority
2. “The organisation’s risk appetite should be established and/or approved by the board (or equivalent) and effectively communicated throughout the organisation

113 In conclusion, BS31100 provides some guidance on how to use risk appetite, but it does not (nor did it ever set out to) provide guidance on how to calculate or measure risk appetite, although the standard does suggest the use of “quantitative statements”, without further elaborating. It is interesting to note that the revised version of BS31100 has substantially removed references to risk appetite to bring it in line with ISO31000. This leaves something of a vacuum on the subject, which this guidance seeks to fill.
Risk “appetite” and risk “tolerance”

114 Before we started on this project, it was our belief that we, and more importantly directors and risk professionals, could easily distinguish between risk appetite and risk tolerance and that the former was the more complicated concept. In practice we have found that in many instances these terms are used interchangeably. We think that is conceptually wrong: there is a clear difference between the two. It is also worth noting that in the eyes of some commentators, risk tolerance is the more important concept. While risk appetite is about the pursuit of risk, risk tolerance is about what you can allow the organisation to deal with. Without a doubt there will be occasions where an organisation can deal with more risk than it is thought prudent to pursue.

115 The difference can be illustrated in the diagrams on the bottom of this page.

116 Figure 1 shows performance from the current time (t0) to sometime in the future (t1). The line AB shows the current expected direction of travel in terms of performance. Figure 2 shows that in practice this is subject to risks which, should they materialise, could result in performance along the line AC, or to opportunities (positive risks) which could result in performance along the line AD. The potential risk universe or the total risk exposure is shown by the difference between C and D (see Figure 3).

117 What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow line AD because pursuing it might throw up substantial additional risks. Consequently, there are some risk outcomes for which there is no tolerance, and moreover no tolerance for taking those risks. Moreover, since we are using the generally accepted concept of risk as being potentially positive as well as negative, that suggests that there is a range shown by the triangle AXY (see Figure 4), outside of which the organisation will not tolerate exposure. This is the risk tolerance.

118 On the other hand, our “appetite” for risk is likely to be shown by a narrower band of performance outcomes shown by the triangle AMN (see Figure 5).

119 Risk tolerance can therefore be expressed in terms of absolutes: for example “we will not expose more than x% of our capital to losses in a certain line of business”, or “we will not deal with a certain type of customer”. Risk tolerance statements become “lines in the sand” beyond which the organisation will not move without prior board approval.

120 Risk appetite on the other hand is about what the organisation does want to do and how it goes about it. It therefore becomes the board’s responsibility to define this all important part of the risk management system and to ensure that the exercise of risk management and all that entails is consistent with that appetite, which needs to remain within the outer boundaries of the risk tolerance.

121 While we have focused primarily on risk appetite, some entities (such as Government departments) may be more focused on risk tolerance. This in itself becomes a more complicated issue where the risk of insolvency (the ultimate determination of failure for corporates) is absent. Defining success and failure is therefore very important. This is an area where we believe further work is required. What is clear is that different boards in different circumstances will take different views as to which of these two concepts is more important for them at any given time.

[Figure 1 - Performance over time: Performance (vertical axis) against Time (horizontal axis, t0 to t1); line AB is the current direction of travel for performance]
[Figure 2 - Possible outcomes: line AD, where you might get to if some “good” things happen; line AC, where you might get to if some “bad” things happen]
[Figure 3 - Risk Universe: the region between lines AD and AC, labelled Risk Universe]
[Figure 4 - Risk Tolerance: the triangle AXY, labelled Risk Tolerance]
[Figure 5 - Risk Appetite: the narrower triangle AMN, labelled Risk Appetite]
A word of caution

122 The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of “fight or flight” responses to perceived risks. Most animals, including human beings, have a “fight or flight” response to risk. In humans this can be over-ruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. Except of course, as a legal fiction (as opposed to biological reality) organisations do not have their own brains, nervous systems, sensory organs and instincts. They ‘borrow’ these from members of their boards and from their employees. These systems have to be created in terms of interactions of people, data systems and management information which enable people in the organisation to act as if they were parts of the same physical organism.

Conclusion

123 There are four early conclusions that we have drawn from the work we have undertaken in preparing this guidance:
• The first is that we would benefit from a renewed focus on defining the terms that we are using. We have therefore developed glossaries of key terms and phrases which appear throughout this guidance.
• The second is that setting a risk appetite is only a worthwhile exercise if you, as an organisation, are able to manage the risk to the level at which it is set.
• The third is that there is very little by way of formal guidance on the definition of risk appetite. We have reviewed plenty of documents both from professional organisations and from consulting firms. However, our belief is that this subject remains under developed and the remainder of this booklet aims to play a part in redressing that shortcoming.
• The fourth is that risk appetite can and indeed must change, for example as the economy shifts from boom to bust and back again, or as cash reserves fall. Risk appetite, and indeed risk tolerance, both have a temporal element, which is reflected in the way in which we have discussed the monitoring and governance of risk appetite later in this booklet.

Key Terms and Phrases

124 In this section we have used three key terms which we will continue to use throughout the document. In the absence of helpful definitions elsewhere, we are defining them as set out here:

Risk appetite: The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives.
Risk tolerance: The boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.
Risk universe: The full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives.

125 It is our expectation that for most organisations, the risk appetite will be smaller than the boundaries depicted by its risk tolerance.

The rest of this document

126 We have set out a route through this topic of risk appetite in the rest of this document under the following main headings:
Section II: Designing a risk appetite
Section III: Constructing a risk appetite
Section IV: Implementing a risk appetite
Section V: Governing a risk appetite
Section VI: The journey is not over

In Section VI we explore some of the issues that we will need to explore as we develop this concept as a boardroom topic over the coming years.

Background - Questions for the Boardroom
• What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
• What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
• Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
• Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
• What steps has the board taken to ensure oversight over the management of the risks?