Risk Appetite and Risk Tolerance
Transcript of Risk Appetite and Risk Tolerance
-
7/27/2019 Risk Appetite and Risk Tolerance
1/25
Presentation
By
James J. Tinarwo
Risk Appetite and Risk Tolerance
-
The Risk Tolerance Statement
The FSA clarifies exactly what a tolerance
statement should cover:
Tolerance describes the types and degree of
operational risk that a firm is prepared to incur
(based on factors such as the adequacy of its
resources and the nature of its operating
environment). Tolerance may be described in
terms of the maximum budgeted (that is
expected) costs of an operational risk that a firm
is prepared to bear, or by reference to risk
indicators such as the cost or number of
systems failures, available spare capacity and
the number of failed trades.
-
The Risk Tolerance Statement
Tolerance can be quantitative and describe levels
of risk impact or number of events, or qualitative
by addressing factors that are likely to lead to
increased levels of risk (number of unresolved
complaints, number of errors, etc).
A risk tolerance statement will generally also
distinguish between risks for which the firm has no
appetite (such as internal theft and fraud or breach
of law or regulation) and those that may be
accepted within reason (staff error, some degree
of inevitable system downtime, etc).
Acceptance is likely to reduce rapidly, however,
when accepted risks are repeated too often.
-
The Risk Tolerance Statement
Risk tolerance or appetite reflects the degree of
uncertainty that a firm or an individual is prepared
to accept in order to achieve financial objectives.
In investment decisions, a responsible
investor will consider the extent of loss that he or
she is prepared to accept to obtain a higher rate of
return.
Financial Services Authority (FSA) regulation states
that an insurance firm must include in its risk policy
documentation details of the operational risks that
the firm is prepared to accept and those that it is
not prepared to accept, including where relevant
some consideration of its appetite or tolerance for
specific operational risks.
-
The Risk Tolerance Statement
The risk tolerance statement must be integrated
into the operational risk process.
It serves as a signpost provided by the board of
directors to the rest of the organization that
indicates the type of organization that the firm
aspires to be.
It should therefore direct the response that all levels
of the firm should produce when confronted by a
risk (whether actual or potential) that may exceed
risk tolerance levels.
As a result, the tolerance statement will be closely
entwined with all aspects of the operational risk
management process.
-
Definitions: Risk Appetite
ISO 31000 / Guide 73:
Amount and type of risk that an organisation is
willing to pursue or retain.
BS31100:
Amount and type of risk that an organisation is
prepared to seek, accept or tolerate.
-
Definitions: Risk Tolerance
BS31100:
Organisation's readiness to bear the risk after
risk treatments in order to achieve its objectives.
IRM:
A series of limits which, depending on the
organisation, may either be:
In the nature of absolute lines drawn in the sand,
beyond which the organisation does not wish to
proceed;
or
More in the nature of tripwires, that alert the
organisation to an impending breach of tolerable risks.
-
Definitions
Problems:
Risk is treated in an unduly negative way.
Strategic Risk management should be about
maximum tolerance for risk taking as well as risk
avoidance.
-
Definitions: Summary
Risk Appetite and Risk Tolerance - IRM: While risk appetite is about the pursuit of risk,
risk tolerance is about what you can allow the
organisation to deal with.
The difference can be illustrated in the diagrams
on the bottom of this page.
-
Performance Over Time
[Figure: Performance (vertical axis) against Time (horizontal axis, t0 to t1), with points A and B and the label "Current direction of travel for performance".]
-
Performance Over Time
Figure 2 shows that in practice this is subject to
risks which, should they materialise, could result
in performance along the line AC, or
to opportunities (positive risks) which could result
in performance along the line AD.
The potential risk universe or the total risk
exposure is shown by the difference between C
and D. (see Figure 3)
-
Possible Outcomes
[Figure: Performance against Time (t0 to t1), with points A, B, C and D and the labels "Where you might get to if some good things happen" and "Where you might get to if some bad things happen".]
-
Risk Universe
Risk Universe: The full range of risks which
could impact, either positively or negatively, on
the ability of the organisation to achieve its long
term objectives.
-
Risk Universe
[Figure: Performance against Time (t0 to t1), with points A, B, C and D and the label "Risk Universe".]
-
Risk Tolerance
Risk Tolerance: The boundaries of risk taking
outside of which the organisation is not prepared
to venture in the pursuit of its long term
objectives.
-
Risk Tolerance
[Figure: Performance against Time (t0 to t1), with points A, C, D, X and Y.]
-
Risk Appetite
Risk Appetite: The amount of risk that an
organisation is willing to seek or accept in the
pursuit of its long term objectives.
-
Risk Appetite
[Figure: Performance against Time (t0 to t1), with points A, C, D, M and N.]
-
Risk Appetite and Risk Tolerance
What is clear is that following line AC is not
desirable. Less clear is that it might also be
undesirable to follow line AD because pursuing it
might throw up substantial additional risks.
Consequently, there are some risk outcomes for
which there is no tolerance, and moreover no
tolerance for taking those risks.
Since there can be potentially positive as well as
negative risks, that suggests that there is a range
shown by the triangle AXY, outside of which the
organisation will not tolerate exposure. This is the
risk tolerance.
It's about identifying what COSO calls the sweet spot.
-
Definitions
[Figure: Expected Enterprise Value against Risk Level, with regions labelled Insufficient Risk-Taking, Optimal Risk-Taking and Excessive Risk-Taking, and the Sweet Spot marked.]
Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise
Risk Management Integrated Framework, 2004.
-
Risk Appetite and Risk Tolerance
On the other hand, our appetite for risk is
likely to be shown by a narrower band of
performance outcomes shown by the triangle
AMN.
Risk appetite has at least two components,
risk and control, and considering either in
isolation could result in sub-optimal decisions.
-
Risk Tolerance and Risk Appetite
Risk tolerance is expressed in terms of
absolutes: for example, we will not expose more
than x% of our capital to losses in a certain line
of business, or we will not deal with a certain
type of customer.
Risk tolerance statements are lines in the sand
beyond which the organisation will not move
without prior board approval.
-
Risk Tolerance and Risk Appetite
Risk appetite is about what the organisation does
want to do and how it goes about it.
It is therefore the board's responsibility to define this
all-important part of the risk management system
and to ensure that the exercise of risk
management and all that entails is consistent with
that appetite, which needs to remain within the
outer boundaries of the risk tolerance.
-
Integrating the Risk Tolerance
Statement into the Operational Risk
Process
The risk tolerance statement serves as a signpost
provided by the board of directors to the rest of the
organization that indicates the type of organization
that the firm aspires to be.
It therefore should direct the response that all levels
of the organisation should produce when confronted
by a risk (whether actual or potential) that may
exceed risk tolerance levels.
The tolerance statement will be closely entwined with
all aspects of the operational risk management
process.