Will you get pulled over if you are driving at 68 miles per hour (mph)? It depends. Are you in a school zone, where the speed limit is 20 mph, posted with a flashing yellow sign? Are you in a densely populated area where you are not supposed to go over 40 mph? Or are you on a highway, where the posted speed limit is 65 mph, but you know that your state police patrol is fairly lenient, and won’t pursue cars passing under 75 mph?
In itself, driving at 68 mph is neither acceptable nor unacceptable from the standpoint of a potential legal violation. The risk of being pulled over depends entirely on the limits and tolerances for speeding that the local authorities have set for that particular road and set of circumstances. It is a measurement of risk set against the community's tolerance for speeding: the posted limit states what the community expects, and the enforcement threshold states the maximum it will actually accept on that road.
How do organizations set effective risk tolerance or appetite limits? Most companies track dozens, if not hundreds, of risks, and prioritizing which of them should have a formalized, stated limit can be a gut-wrenching challenge. Often, a "small bites" approach is best.
One helpful tool in formulating an approach is the whitepaper issued in January 2012 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Understanding and Communicating Risk Appetite” by Dr. Larry Rittenberg and Frank Martens. To determine risk appetite, this paper suggests that management, with board review and agreement, should focus on three steps:
Since there is no single best set of risk limits, companies must at least establish solid procedures for weighing all relevant factors and making informed decisions with participation by all interested stakeholders. The more thought that goes into designing the overall risk tolerance or appetite framework, and into determining measurement and reporting processes up front, the easier it will be to start establishing individual limits on a risk-by-risk basis.
To this end, the next step is to build the framework out with the comprehensive metrics and data needed to monitor areas that require closer attention. Without a robust, centralized database tracking all of the company's risks, the company cannot identify what its major vulnerabilities are, and will never have enough information to determine what losses it can or cannot absorb.
Communicating Risk Appetite throughout the Organization
What is the use of having a speed limit if no one sees the sign? Communicating risk appetite is as important as setting it. Most companies start their communication plan by crafting a broad, formal risk appetite statement for each major category of risk, then refining it to meet the needs of specific business areas or functional departments. The proper level of detail will vary with company goals and the specific risk involved. In any event, the language used for the statement should be simple enough to foster a basic understanding of the risk concept, but detailed enough to direct behavior in line with the appetite. Risk appetite or tolerance statements also often reflect the company's culture, which might be phrased on a spectrum from cautious, measured or steady to leading, bold or innovative.
As companies mature in their ERM practices, risk appetite statements generally become more explicit and measurable, more focused, and better targeted to specific business practices or financial goals. At that stage, quantitative measures in the risk appetite or tolerance statement should help define how individual risks are managed day to day, conveying enough information to give a strategic or operational directive to the staff responsible for measuring, managing or controlling each risk.
Documenting and communicating risk appetite, however, must be tailored to all relevant stakeholders and their expectations. Risk appetite must take into account differing views at the strategic, tactical and operational levels. Internally, statements may need to be tailored specifically to groups such as the board of directors, senior management and employees. Externally, rating agencies, regulators, policyholders and creditors may have different needs and uses for the information. Understanding and tracking how risk tolerance and appetite are interpreted throughout the business, both top-down and bottom-up, is important.
Keeping abreast of change, however, is a major challenge for most companies. The process can be improved on the front end by creating a common hierarchy, taxonomy and language for the risk and control library. This enables risks and controls from different functional areas to be compared against each other and aggregated, so that a change to a risk, or a breach of risk tolerance, in one area leads the reviewer naturally to the same risk as it affects other departments.
Procedures should also be developed for monitoring risk assessment levels and flagging circumstances where risk tolerances are exceeded. Monitoring risk and tracking it against tolerance can be done manually or through specialized information management and reporting systems. Today, many ERM systems allow routinely generated risk-related data to be compared with an established target, fully automating the identification of breaches and the notification of all interested stakeholders.
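To make the monitoring described in the last two paragraphs concrete, here is an added Python example; it is not from the COSO paper or from any ERM product. Each key risk indicator carries an appetite (the target, like the posted speed limit) and a tolerance (the hard limit, like the enforcement threshold), the latest reading is classified against both, statuses roll up through a shared taxonomy path so a breach in one area is visible at every parent level, and warnings, breaches and missing data are routed to an owner and an escalation list. The metric names, taxonomy paths, thresholds, readings and recipients are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limit:
    """Stated appetite (target) and tolerance (hard limit) for one key risk indicator."""
    metric: str
    taxonomy: str                     # path in the shared risk hierarchy, e.g. "operational/cyber/identity"
    appetite: float                   # level management is comfortable operating at
    tolerance: float                  # maximum level the board will accept; beyond it is a breach
    owner: str
    escalate_to: Tuple[str, ...] = ()
    higher_is_worse: bool = True      # False for metrics such as success rates


def classify(value: float, limit: Limit) -> str:
    """'within' inside appetite, 'warning' between appetite and tolerance, 'breach' past tolerance."""
    if limit.higher_is_worse:
        past_tolerance, past_appetite = value > limit.tolerance, value > limit.appetite
    else:
        past_tolerance, past_appetite = value < limit.tolerance, value < limit.appetite
    if past_tolerance:
        return "breach"
    if past_appetite:
        return "warning"
    return "within"


def evaluate(limits: List[Limit], readings: Dict[str, float]) -> Dict[str, str]:
    """Compare the latest reading of every metric with its limit. A metric with no reading
    is reported as 'missing' so that a silent data gap is never mistaken for 'within'."""
    return {
        lim.metric: classify(readings[lim.metric], lim) if lim.metric in readings else "missing"
        for lim in limits
    }


def aggregate(limits: List[Limit], status: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Roll statuses up every level of the taxonomy ("a/b/c" counts under "a", "a/b" and "a/b/c")."""
    by_metric = {lim.metric: lim for lim in limits}
    rollup: Dict[str, Dict[str, int]] = {}
    for metric, state in status.items():
        parts = by_metric[metric].taxonomy.split("/")
        for depth in range(1, len(parts) + 1):
            node = "/".join(parts[:depth])
            counts = rollup.setdefault(node, {"within": 0, "warning": 0, "breach": 0, "missing": 0})
            counts[state] += 1
    return rollup


def notifications(limits: List[Limit], status: Dict[str, str],
                  readings: Dict[str, float]) -> List[Tuple[str, str]]:
    """Warnings go to the owner only; breaches and missing data also go to the escalation list."""
    by_metric = {lim.metric: lim for lim in limits}
    out: List[Tuple[str, str]] = []
    for metric, state in status.items():
        if state == "within":
            continue
        lim = by_metric[metric]
        recipients = [lim.owner] + (list(lim.escalate_to) if state in ("breach", "missing") else [])
        msg = (f"{state.upper()} {metric} [{lim.taxonomy}] value={readings.get(metric)} "
               f"appetite={lim.appetite} tolerance={lim.tolerance}")
        out.extend((r, msg) for r in recipients)
    return out


# Constructed sample register and readings (hypothetical names and thresholds).
LIMITS = [
    Limit("critical_patch_age_days", "operational/cyber/vulnerability", 14, 30,
          "vuln-mgmt", ("ciso", "risk-committee")),
    Limit("privileged_accounts_without_mfa_pct", "operational/cyber/identity", 0.0, 2.0,
          "iam", ("ciso",)),
    Limit("backup_restore_success_pct", "operational/technology/resilience", 99.0, 95.0,
          "infra", ("cio",), higher_is_worse=False),
    Limit("vendor_reviews_overdue", "operational/third_party", 5, 10, "procurement", ("cro",)),
    Limit("open_high_findings_over_90_days", "operational/cyber/vulnerability", 0, 5,
          "vuln-mgmt", ("ciso",)),
]
READINGS = {
    "critical_patch_age_days": 35,             # past tolerance -> breach
    "privileged_accounts_without_mfa_pct": 1.5,  # past appetite, within tolerance -> warning
    "backup_restore_success_pct": 97.0,        # below target, above hard floor -> warning
    "vendor_reviews_overdue": 3,               # within appetite
    # "open_high_findings_over_90_days" deliberately has no reading -> missing
}

if __name__ == "__main__":
    status = evaluate(LIMITS, READINGS)
    for node, counts in sorted(aggregate(LIMITS, status).items()):
        print(f"{node:40} {counts}")
    for recipient, msg in notifications(LIMITS, status, READINGS):
        print(f"notify {recipient}: {msg}")
```

The missing-reading case is the one most often overlooked: a monitor that only compares numbers it has will happily report a risk as within appetite when the feed behind the indicator has stopped, so the example treats an absent reading as an escalation in its own right.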