Risk Tolerance and Risk Appetite
… a core concept used in Implementation and Delivery and Atlas107
Concept description
Andrew Graham (reference below) defines risk tolerance as “the degree of risk that an organization is willing to tolerate in a given situation” (p. 85) and risk appetite as “a higher level statement that considers broadly the levels of risks that management deems acceptable and necessary to meet its objectives” (p. 134).
Graham notes that setting risk tolerance is an important leadership role and says:
“Here are some potentially helpful practices that have been used for this:
- Ensuring that there are clear understandings of the use of risk matrices.
- Developing a risk tolerance discussion in the risk identification and assessment process.
- Gathering together information about tolerances that are already used within the organizations, e.g. control frameworks for financial transactions, safety incident reports and accident levels, budget limits, specific operational tolerances such as level of production versus plan, overtime reporting.
- Develop a hierarchy of reporting that stresses risk levels, thereby signaling that increased management attention goes to those risks that cross tolerance levels.
- Workshops are another way to develop and communicate risk tolerances in areas where measurement is difficult or there is uncertainty.
- In a similar vein, canvass opinions on risks as part of the risk assessment phase, but ensure that the players interviewed clearly articulate what would be acceptable and what not – roll these up for senior management to confirm or redirect the tolerances: this may be a source of surprise for senior managers.
- In risk discussions and exercises, insist that those defining risks also add in the time dimension: when do we think this will happen and for how long. This introduces the notion of ‘stacking risks’ in the sense that a long-term risk or one with a long-term likelihood can be subject to quite different tolerances and approaches than a short-term one.
- Before making any decisions on risks, determine your risk capital available: that is the amount of available capital (through credit, held in reserves or not allocated for other purposes) that could go towards mitigation.
- Above all, avoid asking “What is your risk tolerance.” You will get a series of possible answers that seldom answer the question, such as: none, don’t know, 3.988789 or very little. You create risk tolerances through experience.” (p. 61)
Atlas topic, subject, and course
Managing Risk (core topic) in Implementation and Delivery and Atlas107.
Sources
Andrew Graham (2008), Integrated Risk Management Implementation Guide, free e-book at http://www.andrewbgraham.ca/integrated-risk-management-implementation-an-e-book.html, accessed 21 September 2017.
Page created by: Ian Clark, last modified 21 September 2017.