risk appetite and risk tolerance

7/27/2019 Risk Appetite and Risk Tolerance

1/25

Presentation

By

James J. Tinarwo

Risk Appetite and Risk Tolerance


2/25

The Risk Tolerance Statement

The FSA, clarifies exactly what a tolerance

statement should cover:

Tolerance describes the types and degree of

operational risk that a firm is prepared to incur(based on factors such as the adequacy of its

resources and the nature of its operating

environment). Tolerance may be described in

terms of the maximum budgeted (that is

expected) costs of an operational risk that a firmis prepared to bear, or by reference to risk

indicators such as the cost or number of

systems failures, available spare capacity and

the number of failed trades.


3/25


Tolerance can be quantitative and describe levels

of risk impact or number of events, or qualitative

by addressing factors that are likely to lead to

increased levels of risk (number of unresolvedcomplaints, number of errors, etc).

A risk tolerance statement will generally also

distinguish between risks for which the firm has no

appetite (such as internal theft and fraud or breach

of law or regulation) and those that may beaccepted within reason (staff error, some degree

of inevitable system downtime, etc).

Acceptance is likely to reduce rapidly, however,

when accepted risks are repeated too often.


4/25


Risk tolerance or appetite reflects the degree ofuncertainty that a firm or an individual is preparedto accept in order to achieve financial objectives.

In investment decisions, where a responsibleinvestor will consider the extent of loss that he or

she is prepared to accept to obtain a higher rate ofreturn.

Financial Services Authority (FSA) regulation statesthat an insurance firm must include in its risk policydocumentation details ofthe operational risks that

the firm is prepared to accept and those that it isnot prepared to accept, including where relevantsome consideration of its appetite or tolerance forspecific operational risks.


5/25


The risk tolerance statement must be integratedinto the operational risk process It serves as a signpost provided by the board of

directors to the rest of the organization that

indicates the type of organization that the firmaspires to be.

It should therefore direct the response that all levelsof the firm should produce when confronted by arisk (whether actual or potential) that may exceed

risk tolerance levels.As a result, the tolerance statement will be closely

entwined with all aspects of the operational riskmanagement process.


6/25

Definitions: Risk Appetite

ISO 31000 / Guide 73 BS31100

Amount and type of risk

that an organisation is

willing to pursue or

retain

Amount and type of risk that

an organisation is prepared to

seek, accept or

tolerate


7/25

Definitions: Risk Tolerance

BS31100 IRM

organisations

readiness to

bear the risk after

risk treatments inorder

to achieve its

objectives.

A series of limits which, depending on the

organisation, may either be:

In the nature of absolute lines drawn

in the sand, beyond which theorganisation does not wish to

proceed;

or

More in the nature of tripwires, that

alert the organisation to animpending breach of tolerable risks.


8/25

Definitions

Problems:

Risk is treated in an unduly negative way.

Strategic Risk management should be aboutmaximum tolerance for risk taking as well as risk

avoidance.


9/25

Definitions: Summary

Risk Appetite and Risk Tolerance- IRM: While risk appetite is about the pursuit of risk,

risk tolerance is about what you can allow the

organisation to deal with.

The difference can be illustrated in the diagrams

on the bottom of this page.


10/25


11/25

Performance Over Time

Currentdirection

of travel forperformance

A

B

Time

P

erformance

t0 t1


12/25

Performance Over Time

Figure 2 shows that in practice this is subject to

risks which, should they materialise, could result

in performance along the line AC, or

To opportunities (positive risks) which could result

in performance along the line AD.

The potential risk universe or the total risk

exposure is shown by the difference between C

and D. (see Figure 3)


13/25

Possible Outcomes

Where youmight

get to if somegood things

happen

A B

Time

Performance

t0 t1

Where you might

get to if some bad

things happen

D

C


14/25

Risk Universe

Risk Universe: The full range of risks which

could impact, either positively or negatively, onthe ability of the organisation to achieve its long

term objectives.


15/25

Risk Universe

A

B

Time

Performance

t0 t1

D

C

RiskUn

iverse


16/25

Risk Tolerance

Risk Tolerance; The boundaries of risk taking

outside of which the organisation is not preparedto venture in the pursuit of its long term

objectives.


17/25

Risk Tolerance

A

Time

Performance

t0 t1

D

C

X

Y


18/25

Risk Appetite

Risk Appetite: The amount of risk that an

organisation is willing to seek or accept in the

pursuit of its long term objectives.


19/25

Risk Appetite

A

Time

Performance

t0 t1

D

C

N

M


20/25


What is clear is that following line AC is not desirable. Less clear is that it might also be undesirable to follow

line AD because pursuing it might throw upsubstantial additional risks.

Consequently, there are some risk outcomes for

which there is no tolerance, and moreover notolerance for taking those risks.

Since there can be potentially positive as well asnegative risks, that suggests that there is a rangeshown by the triangle AXY, outside of which the

organisation will not tolerate exposure. This is the risk tolerance. Its about identifying what COSO calls the sweet spot

Its about identifying what COSO calls the sweet spot


21/25

Definitions

Optimal Risk-TakingOptimal

Risk-TakingInsufficientRisk-Taking ExcessiveRisk-TakingExpected

EnterpriseValue

Risk Level

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise

Risk Management Integrated Framework, 2004.

Sweet

Spot


22/25


On the other hand, our appetite for risk is

likely to be shown by a narrower band of

performance outcomes shown by the triangle

AMN.

Risk appetite has at least two components:

Risk and control and that to consider either in

isolation could result in sub-optimal decisions.


23/25

Risk Tolerance and Risk Appetite

Risk tolerance is expressed in terms of

absolutes: for example we will not expose more

than x% of our capital to losses in a certain line

of business, or we will not deal with a certaintype of customer.

Risk tolerance statements are lines in the sand

beyond which the organisation will not movewithout prior board approval.


24/25

Risk Tolerance and Risk Appetite

Risk appetite is about what the organisation does

want to do and how it goes about it.

It therefore the boards responsibility to define this

all important part of the risk management system

and to ensure that the exercise of risk

management and all that entails is consistent with

that appetite, which needs to remain within theouter boundaries of the risk tolerance.


25/25

Integrating the Risk Tolerance

Statement into the Operational Risk

Process

The risk tolerance statement serves as a signpost

provided by the board of directors to the rest of the

organization that indicates the type of organization

that the firm aspires to be. It therefore should direct the response that all levels

of the organisation should produce when confronted

by a risk (whether actual or potential) that may

exceed risk tolerance levels.

The tolerance statement will be closely entwined with

all aspects of the operational risk management

process.

risk appetite and risk tolerance

Documents