Risk Appetite and Tolerance Statements:
Identifying the Risk You’re Prepared to Accept
Have you ever been skydiving? I have not. To quote Clint Eastwood, “Jumping out of a perfectly good airplane is not a natural act.” Yet the US Parachute Association reported that in 2021, around 39,412 of its members made 3.57 million jumps.
Do you have an adjustable-rate (ARM) or fixed-rate mortgage? When I was younger and poorer, I considered an ARM before choosing a fixed rate. Back then, ARMs were trendy. They became less popular in the low-interest rate environment of our recent past. Perhaps they’ll gain popularity once again.
Do you drive faster than the speed limit? As a young man, I was clocked at 65 mph in a 35-mph zone. My defense? I was driving a straight-away on a clear, country road. The officer didn’t buy it, and I ended up spending two hours in remedial driving school for “aggressive drivers.”
Why all the questions? To make a point. Both the ways in which each of us measures risk and the amount of risk we’re willing to assume can vary widely. We are individual and unique humans, with awareness and risk tolerance built into our DNA. Brain chemicals like dopamine impact our perception of risk—as do age, gender, race, stress, upbringing, etc.
RISK APPETITE & TOLERANCE FOR ORGANIZATIONS
In 1987, Nick Leeson, a currency trader with Barings Bank, made failed bets on Nikkei futures totaling approximately $1.3 billion. His bets exceeded the total value of his employer’s capital and reserves. As a result, the 233-year-old bank was forced into bankruptcy. One audacious individual brought down a sophisticated and mature organization that most certainly did not share his appetite for risk.
To align risk, it’s important to develop risk appetite and risk tolerance statements—written documentation of the risks an organization is and is not willing to accept.
Risk appetite statements serve as guidelines for developing strategic plans, operational processes, and business continuity plans. An excellent example is TD Bank’s statement, which reads as follows:
TD takes risks required to build its business, but only if those risks:
- Fit its business strategy, and can be understood and managed.
- Do not expose the enterprise to any significant single-loss events.
- Do not risk harming the TD brand.
Here’s another example from the Office of the Comptroller of the Currency (OCC):
- The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure.
- The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives.
- The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.
Risk tolerance statements further refine and “operationalize” broader appetite statements to provide specific context. They serve as tangible risk limits, setting clear boundaries within which a business must operate. Risk tolerance statements must be measurable, realistic, and capable of being monitored. For example:
- At all times, the [organization] will maintain a rating of [xx] from [rating agency]
- Annual employee turnover will not exceed [xx%]
- Operational losses will not exceed [xx%] of [transaction type]
- Minimum investment grade of no less than “A” for investment securities
For many risks, there is a range of acceptable levels. Let’s take information security risk as an example. We want to avoid this risk, right? What is the easiest way to do so? Disconnect all your computers from the internet. But taking this extraordinary step has consequences—no (external) email, no cloud computing, and no working from home. In other words, requiring zero risk can hamper or even prevent us from accomplishing our objectives.
Recognizing the benefits of being interconnected, most organizations have chosen to accept some level of information security risk. Some level of risk is fine, but too much risk is not. Over time, navigation of these risks starts to resemble a road, with edge lines and guard rails; the acceptable place to drive is in the middle.
WHAT DO I DO WITH RISK APPETITE AND RISK TOLERANCE STATEMENTS?
Use them. Ensure that individuals who make decisions affecting the organization’s risk profile understand these statements. Decision makers should consider how their choices affect an organization’s risk level—specifically, whether their decisions leave the organization within its established risk appetite and tolerance parameters or push the organization outside those limits.
Report on them. Senior executives and risk committees should require regular updates on their organization’s status related to risk appetite and risk tolerance statements. Discussions might include:
- Is the organization within its risk tolerance for 15 of its 16 metrics?
- If so, what does the organization feel about the final metric?
- If the organization is uncomfortable accepting this level of risk, then the metric effectively identifies an area that needs attention. Risks in this area need to be reduced.
- In contrast, if the organization does not feel that current risks are unacceptable, then risk metrics might need adjustment. This is common. Initial risk metrics are like a new pair of shoes; you need to experience them for a while to see if they pinch.
- If so, what does the organization feel about the final metric?
Don’t let them get stale. The last thing you want to do is create these statements, then put them on the shelf to forget. Just as organizations change over time, so does risk appetite.
Periodically revisit your organization’s risk appetite and risk tolerance statements to determine whether they are still appropriate and relevant or need to be adjusted. Also consider whether the statements are understood by everyone or require additional context. We recommend conducting this evaluation while developing a strategic plan. After all, where we want our organization to go and where we don’t want it to go are interrelated considerations.
Risk appetite and risk tolerance statements provide important guidance to employees about which risks are acceptable and which are not. They help align individual employee tolerances to organization-wide tolerances, for more consistent risk response across the board.