CHAPTER 9
How to Create and Use Corporate Risk Tolerance

KEN MYLREA

Director, Corporate Risk, Canada Deposit Insurance Corporation

JOSHUA LATTIMORE

Policy and Research Advisor, Canada Deposit Insurance Corporation

Take calculated risks. That is quite different from being rash.

—General George S. Patton (1885–1945)

INTRODUCTION

The objective of this chapter is to enable you, the reader, to understand and use risk tolerance.[1] To do so, we answer these questions: What is risk tolerance? Why is setting risk tolerance important? What are the factors to consider in setting risk tolerance? And, once determined, how can you make risk tolerance useful in managing risk?

Given this objective, the approach and principles set out in this chapter are practical rather than academic.[2] Moreover, in applying them, it is important to remember that risk tolerance is but one topic to consider in implementing enterprise risk management (ERM). ERM, stripped to its bare essence, is all about an organization ensuring and demonstrating that it is identifying and managing the significant risks to which it is exposed. ERM also is but one component of a broader framework that brings together corporate governance,[3] strategic management,[4] and risk management[5]—all supported by an organization’s control environment.[6] These components are interconnected, and they must work together for an organization to claim that it is “well managed.”[7] Risk tolerance is a topic that underlies each of the four components of this overall framework—and is a key element of ERM. Setting risk tolerance ensures an organization makes risk decisions and manages risk exposures according to established expectations.

WHAT IS RISK TOLERANCE?

Risk tolerance is the risk exposure an organization determines appropriate to take or avoid taking. This definition is simple. But three key concepts are important to understanding and implementing it.

The first is “risk.” Risk is commonly referred to as the chance, possibility, or uncertainty of outcome or consequences. Risks stem from every activity an organization undertakes. Risks include those directly related to the organization’s principal business activities (i.e., the risks that are unique to those business activities) as well as risks stemming from the operations supporting those principal activities (e.g., operational risks). These risks exist continuously, whether you have identified them or not. But a risk event first must happen before it can have a risk impact, and such risk impacts can be positive or negative. You should not always view risks as bad things. It is only if you do not identify, understand, and manage risks that consequences can be bad.

This leads us to our second key concept: risk exposures. As the term implies, risk exposures are simply the extent to which you are exposed to a risk (or a portfolio of risks). Risk exposures are a function of the potential impact of a risk event and its probability of occurrence. Potential risk events can impact an organization’s financial position, its ability to achieve its goals (which can be financial or other goals), and its reputation. In the past, organizations have been concerned mostly with the material financial impact of a risk event. But as risk events in recent years have shown us, we also must consider two other factors: (1) the potential reputational impact of a risk event, and (2) the potential impact a risk event could have on an organization’s ability to carry out its goals. The potential impact of a risk event can range from insignificant to high. You also need to think about the likelihood of a risk event happening. The probability that a risk event will occur can range from highly unlikely to highly likely.

Finally, you need to understand the concept of “appropriate.” Determining what is appropriate requires applying judgment. You must apply judgment while individually and collectively considering your risk attitude, goals, operational capability, and capacity to take risk and the cost/benefit of managing the risk—factors that will be addressed later in this chapter. This is true even for organizations that model their risk positions using portfolio theory. These models require judgment about the key assumptions used in the models. An organization’s judgment about the appropriateness of its risk exposures needs to be able to withstand the scrutiny of persons who are independent of the organization, objective in terms of their perspective, and knowledgeable about the specific risk under review. To be considered appropriate, a knowledgeable outsider giving careful consideration to the nature, magnitude, complexity, and implications of the risk should be able to come to substantially the same conclusion as to the risk exposure as does the organization.

WHY IS SETTING RISK TOLERANCE IMPORTANT?

Setting risk tolerance clarifies what is (and what is not) an acceptable risk exposure. Clarity enables an organization to know with certainty what risk exposures it can take and what risk exposures it must avoid.

Establishing risk tolerance also allows an organization to compare actual risk exposures against authorized risk exposures. Comparing helps an organization determine whether it is undermanaging—or conversely—overmanaging a given risk. It answers the question: Do we need to do more, or less, to manage this risk?

Determining risk tolerance also helps an organization skirt the risk intolerance trap (i.e., running for the hills whenever a risk creeps out of the bushes). Without a common understanding that “risk” is not always a “four-letter word,” an organization could default to trying to eliminate its risks (i.e., following a “better safe than sorry” risk management strategy). There is potential upside and downside to taking risks. Trying to dodge risks altogether—rather than managing and leveraging them—could harm an organization in the long run. Remember what Jawaharlal Nehru, the first Prime Minister of India, once said: “The policy of being too cautious is the greatest risk of all.”[8]

WHAT ARE THE FACTORS TO CONSIDER IN SETTING RISK TOLERANCE?

First weigh the considerations, then take the risks.[9]

—Field Marshal General Helmuth von Moltke

There is no magic quantitative formula for establishing risk tolerance. But, there are five questions an organization needs to ask itself when it comes to establishing risk tolerance.

  1. What is my organization’s attitude toward risk?
  2. What are the goals of my organization?
  3. How capable is my organization of managing risk?
  4. Does my organization have the capacity to absorb a potential loss related to taking the risk?
  5. What are the costs and benefits of managing the risk?

In summary, risk attitude relates to a person’s willingness to take risk.[10] It depicts whether the person is inherently a risk taker or a risk avoider. Goals, risk management capability, and risk management capacity relate to the amount of risk that would seem appropriate irrespective of a person’s willingness to take risk. In turn, the cost/benefit of managing a risk provides a reality check as to whether seeking to manage a risk within a certain risk tolerance makes sense from a strictly dollars-and-cents perspective. It is necessary to consider each factor individually, then collectively—reflecting that, at the end of the day, you must be in a position to manage appropriately the risks to which your organization is exposed in pursuing its goals.

Now let us look at these factors in more detail.

Attitude About Risk

Risk attitude[11] is a person’s propensity to take risk. Simply, is a person a risk taker, risk-averse, or risk-neutral? The following example is often used to show how a person’s risk attitude can be determined.

Assume you are given the chance to place a bet based on the outcome of the flip of a coin. “Heads” you win $1. “Tails” you receive nothing. Knowing that there is an equal probability of turning up heads or tails—and that, by the law of large numbers, you should expect to “win” 50 cents on average—how much would you be willing to pay to place this bet? If you are willing to pay more than 50 cents, you are a risk taker. That is, you are willing to risk more than the expected average payoff of 50 cents for the chance to win the dollar. If you are willing to pay less than 50 cents, you are a risk avoider. And if you are willing to pay only 50 cents, you are risk neutral.

Although you would think people typically would place this bet only if its cost were less than 50 cents, the popularity of casinos shows this is not always the case. In short, some people (and some organizations) are willing to take more risk than others.

Goals

Goals set the target to which an organization directs its resources. This is important from a risk-tolerance perspective. Because goals incent risk-taking behavior, differing goals can lead to differing risk tolerances. Let us show this by comparing “for-profit” private-sector organizations (i.e., private-sector organizations set up with the primary goal of maximizing owner value) with “public-policy mandated” public-sector organizations (i.e., organizations governments create to fulfill a defined public-policy mandate). For illustrative purposes, let us ignore other forms of private- and public-sector organizations such as “not-for-profit” private-sector organizations (i.e., private-sector organizations set up to achieve a defined nonfinancial goal) and “commercial” public-sector organizations (i.e., organizations governments create to deliver a service for the government on a commercial “for-profit” basis—though usually with some public-policy constraints).

Exhibit 9.1 sets out the key differences.

These differences might appear few and minor. But their implications are important for several reasons.

Exhibit 9.1 Private-Sector Organization versus Public-Sector Organization

| Difference | “For-Profit” Private-Sector Organization | “Public-Policy Mandated” Public-Sector Organization |
| --- | --- | --- |
| Ownership | Private owners | Public owners (i.e., government on behalf of taxpayers) |
| Goals/objectives | Maximize owner value | Fulfill public-policy mandate |
| Performance measures | Return on investment | Mandate fulfillment |

First, public- and private-sector organizations can have different goals because of the expectations of their “owners.” This is important because risks stem from the activities and operations an organization undertakes in pursuing its goals. Exhibit 9.2 illustrates this point using our simple example. As the table shows, public- and private-sector organizations face different risks. Some risks (e.g., strategic risk) exist for private-sector organizations but not for public-sector organizations. Other risks (e.g., liquidity risk) take on a different nature for public-sector organizations than for private-sector organizations. This is due to the existence of an explicit or implied financial government guarantee. Finally, some risks (e.g., reputation risk) impact public-sector organizations differently than private-sector organizations—again because of the explicit or implied government backstop and the impact on public (i.e., voter) opinion.

More importantly—given our focus on risk tolerance—an organization’s goals (driven by its ownership and performance measures) dictate how it sees and reacts to its risks. This perception creates incentives regarding the tolerance and management of these risks.

Continuing with our simple example, “for-profit” private-sector organizations view risks as opportunities that have upside and downside potential for adding value. They assess opportunities as to their risk/reward probability and manage those opportunities to achieve the expectations of owners. Those expectations typically reflect a defined level of return on investment. And, at the end of the day, investors will judge the success of a private-sector organization on its ability to create value for its owners. In pursuing value, private-sector organizations also can choose their risks by choosing what business activities to undertake. Similarly, they can avoid unacceptable risks by exiting the business activity from which the risk stems or by reinsuring or otherwise sharing risks with third parties.

On the other hand, public-sector organizations are created to fulfill public policy mandates. As such, they must accept and manage the risks to which they are exposed in fulfilling their mandates. To avoid these risks would clearly seem contrary to the rationale for creating a public-sector organization in the first place. Also, the performance of such organizations usually is measured in terms of whether or not they are fulfilling their mandates. Not fulfilling its mandate (which implicitly could mean fulfilling it at any cost) is not an option. Given these circumstances, public-sector organizations tend to be concerned about potential adverse risk outcomes (particularly any adverse impact on the reputation of the organization and/or its political masters). Certainly, risks can impact public-sector organizations in positive ways. But these organizations usually focus on risks’ downside implications—that is, threats to the fulfillment of public-policy mandates. Accordingly, public-sector organizations tend to be less tolerant of risk. It is better to avoid adverse risk events, they would say, than to have to deal with them in public.

In summary, goals (driven by owner expectations) create powerful incentives influencing risk tolerance and risk management.

Capability to Manage Risk

In determining risk tolerance, you also have to consider an organization’s risk management capability. By this we mean the ability to manage risk exposures within desired risk tolerance ranges. “Capability” differs from an organization’s “capacity” to manage risk, which we will discuss later in this chapter.

Exhibit 9.2 Risks for Private-Sector versus Public-Sector Organizations

| Risk | Private-Sector Organization | Public-Sector Organization |
| --- | --- | --- |
| Strategic Risk (i.e., the risk that the organization does not engage in activities that enable it to fulfill its goals) | Yes. A business must make a choice as to which activities to pursue to create shareholder value. | No. The government dictates business activities in a prescribed public-policy mandate. |
| Business Risks (i.e., the risks that are unique to the business activity) | Yes. The risks that stem from the chosen business activities. | Yes. The risks that stem from the public-policy mandate. |
| Financial Risks (i.e., the organization’s exposure to liquidity, credit, and market risks) | Yes. The extent of these risks depends on the nature and extent of business activities. | Yes. But liquidity risk often is reduced because the government owns the organization. The extent of credit and market risks depends on the nature and extent of business activities. |
| Solvency/Capital Risk (i.e., the risk that the organization’s capital is not sufficient to support current and planned operations) | Yes. The quantity and quality of capital needed to support current and planned operations reflect the risks to which the organization is exposed and any regulatory capital requirements. | Yes. But solvency risk usually is reduced because of government ownership, which may provide an explicit or implicit government guarantee. |
| Operational Risks (i.e., the people, information, technology, process, and other risks related to running the organization) | Yes. The nature and extent of these risks depend on the nature and extent of business activities. | Yes. The nature and extent of these risks depend on the nature and extent of business activities. |
| Reputation Risk (i.e., the risk of a loss of credibility) | Yes. Impaired credibility could impair shareholder value and, in the worst-case scenario, bankrupt the organization. | Yes. But government ownership enhances credibility that the public-policy mandate will be fulfilled. In the worst case, impaired credibility could topple a government in power and/or result in a change in the public-policy mandate, a change in the organization responsible for administering the mandate, and/or a change in the people in the organization administering the mandate. |

Several elements combine to provide risk management capability:

  • The organization’s understanding of its risk: Does the organization understand the potential risk events that could result in the occurrence of a risk and the potential impact and likelihood of these events?
  • The organization’s risk measurement: Does the organization have risk measurement models that see risk beyond the typical approach of predicting future risk exposures based solely on historical information?
  • The organization’s human resources: Does the organization have sufficient, qualified, and experienced people to manage the risk?
  • The organization’s risk management practices: Does the organization have appropriate and effective risk management practices in place to manage the risk?
  • The organization’s risk management controls and oversight: Does the organization have appropriate and effective controls and oversight in place to ensure that risk management practices are working?
  • The organization’s risk management control environment (e.g., proper tone at the top, good communications about risk, an organization structure aligned with decision-making authorities, code of conduct): Does the organization’s risk management environment support or impede the management of its risks?

Take it from the Oracle of Omaha: “Risk comes from not knowing what you’re doing.”[12] An organization must have the capability to manage its risks within its risk tolerance ranges.

Capacity to Take Risk

Determining risk tolerance also requires consideration of an organization’s ability to assume the impact of an adverse risk event.

As noted earlier, risk events can adversely impact an organization in three ways: (1) they can cause material financial loss; (2) they can impede an organization’s ability to achieve its goals; and, (3) they can impair an organization’s reputation. So, in setting risk tolerance, an organization needs to consider the following:

  • Its financial capacity to absorb a loss related to an adverse risk event. Does the organization have sufficient sustainable earnings to cover expected losses and sufficient unencumbered capital to cover unexpected losses? Or, to paraphrase the former U.S. Secretary of Defense Donald Rumsfeld: Is your organization equipped to deal with both “known unknowns” and “unknown unknowns”?[13]
  • The potential impact of an adverse risk event on the achievement of the organization’s goals. What is the likelihood that an adverse risk event could impede the organization in achieving its goals?
  • The potential impact of an adverse risk event on the organization’s reputation. As Benjamin Franklin warned us: “It takes many good deeds to build a good reputation, and only one bad one to lose it.”[14] Could an adverse occurrence of a risk event cause a sustained adverse impact to the organization’s reputation?

In summary, being in a position of wanting to take risk and having the ability to manage such risk might not be enough. An organization also must have the capacity (financial and other) to absorb the adverse effects of risk events should they occur.

Cost/Benefit of Managing Risk

In addition to considering risk attitudes, goals, risk management capability, and risk-taking capacity, determining risk tolerance also requires that you carefully consider whether the benefits of managing each risk exposure exceed the costs of doing so. All things being equal, it normally would not be practical to buy a $10 safe to hold a $5 bill.

HOW CAN YOUR ORGANIZATION MAKE RISK TOLERANCE USEFUL IN MANAGING RISK?

So, after considering the key risk tolerance factors and applying sound judgment, your organization should be in a position to determine appropriate risk tolerances. Now, how can your organization make these useful in application?

The easy answer to this question is to set risk policies that formalize expectations about the management of each major source or category of risk. But more difficult questions arise: What guidance should the policies contain? When should your organization enact the policies? What should your organization do with the policies? The answers depend on who will be making the risk management decision.

We suggest that an organization’s board of directors or similar governing body (referred to as the “board”) should make all policies respecting significant risks.[15] This reflects the importance of risk management as a governance tool.

In many—but not necessarily all—situations, an organization’s board will direct its management to make risk decisions about significant risks. In other situations, the board will decide to retain discretionary decision-making responsibility.

In each situation, board risk policies should set out:

  • What risk management decisions to make.
  • Who is authorized to make these decisions.

In situations in which the board has delegated decision-making responsibility to management, such policies also should clarify:

  • The risk tolerance (i.e., parameters) within which the board expects management to manage the risk.
  • The information management should provide the board about the management of the risk, so that the board can carry out its oversight responsibilities.

Where the board retains discretionary decision-making responsibility, it is usually not helpful for the board to fetter its discretion by establishing risk tolerance decision-making criteria through a board policy. Where the board retains decision-making responsibility, the critical governance principle is to put the board in a position to act with due care in making the decision. This is not a matter about decision-making criteria. Rather, it is a matter of governance process. Accordingly, the issue is not what criteria the board will apply—but rather, what information, analysis, and opinion it wants to have in hand so that it can reach its decision with due care. In these situations, the policies should clarify what recommendations and supporting rationale the board expects to get from management before making its decisions.

This leads us to the next question: When should board policies be made?

The board could set risk tolerance up front. The logic to that is simple. Risk management is all about managing risks within defined parameters. And risk tolerance is all about formalizing these expectations. So, to ensure the organization manages its risks within expectations it would be ideal, in a perfect world, to set risk tolerances up front—before the organization begins taking risks (including before engaging in new activities that expose the organization to new risks).

But setting risk tolerance requires a board to obtain a solid understanding of the risks being considered. For de novo organizations (or types of business), this means providing the board with a theoretical description of the risks, potential risk events, and the potential impact and likelihood of such events. But, most organizations are implementing ERM (and formalizing risk tolerance) well after they have engaged in business activities and started taking risks. In these cases, management should give the board a more practical description of the organization’s actual risks—which includes management’s assessment of the organization’s actual exposure to each risk.

But what should the organization do with these policies once they have been formalized by the organization’s board? This is simple. Once the board has approved the policies, management should communicate them to each person who is in a position to expose the organization to risk. That way everybody understands the board’s expectations. The board also needs to put strong incentives in place to ensure management pays close attention to the policies. For example, the board should require management to advise the board about any policy breaches. And the board should demand an annual formal ERM sign-off from management attesting, among other things, that the organization has an effective ERM process—and that by using this process, it has ensured that significant risks were identified and are being managed in accordance with board risk policies.

Formalized risk tolerances also provide a useful reference point against which you can gauge risks and risk exposures when communicating with external stakeholders. In this regard, an organization’s annual report provides an opportunity to report on risk and risk management. In addition to describing risk governance and management practices, it can report on whether risk exposures fall within the organization’s accepted range of tolerance. And if they do not, it can explain why this is the case and what the organization is doing to correct the situation.

CONCLUSION

Risk tolerance describes the risk exposures that are appropriate for your organization to take or not to take. It is an important component of risk management in that it clarifies what risk exposures are acceptable to take and what exposures are to be avoided. However, it is but one topic to consider in implementing enterprise risk management, which in turn is but one component of a broader framework that brings together corporate governance, strategic management, and risk management—all supported by an organization’s control environment.

Determining risk tolerance involves applying judgment giving careful consideration to five key factors:

  1. Your organization’s attitude toward taking risk.
  2. Your organization’s goals.
  3. Your organization’s capability to manage the risk.
  4. Your organization’s capacity to absorb the impact of potential loss related to taking the risk.
  5. The cost/benefit of managing the risk.

Each factor must be considered individually and collectively—reflecting ultimately that your organization must be in a position to demonstrate that it is appropriately managing the risks to which it is exposed in pursuing its goals.

An important way of formalizing and communicating risk tolerance is through policies. When risks could be important to an organization’s financial position, achievement of its goals and/or reputation, the organization’s board of directors should establish policies respecting those risks. Such policies should set out the risk management decisions to be made and who should make these decisions. Where the board of directors has delegated decision-making responsibility to management, policies should also clarify:

  • The risk tolerance (i.e., parameters) within which the board expects management to manage the risk.
  • The information that management should provide to the board about the management of the risk, so that the board can carry out its oversight responsibilities.

But, where the board retains decision-making responsibility, it is usually not helpful for the board to fetter its discretion by establishing risk tolerance decision-making criteria through a board policy.

In theory, an organization should establish risk policies before conducting business activities. In practice, most organizations implement ERM (and formalize risk tolerance) well after they have engaged in business activities and started taking risks. In such situations, organizations set risk tolerance policies once they have a better understanding of their actual risk exposures.

The board and management should communicate risk policies to everyone who is in a position to expose the organization to risk, so that those people know the organization’s expectations. The board and management should put the right incentives in place so that policy breaches get identified and reported.

An organization’s performance against established risk tolerances provides a useful reference point against which an organization can report on its risk and risk management to its external stakeholders. In addition to describing risk governance and management practices, organizations should consider reporting on whether risk exposures fall within the organization’s accepted range of tolerance. And if they do not, organizations should explain why this is the case and what they are doing to correct the situation.

In sum, risk tolerance is about taking calculated risks—that is, taking risks within clearly defined and communicated parameters set by the organization.

ABOUT THE AUTHORS

Ken Mylrea is Director, Corporate Risk for Canada Deposit Insurance Corporation (CDIC). He is responsible for putting enterprise risk management (ERM) in place at CDIC. Ken also has helped other organizations in Canada and abroad implement ERM and has spoken about ERM implementation issues at governance and risk management conferences.

Ken has more than 30 years’ experience in the financial services sector. Prior to taking on his current role, he worked in the public sector in the areas of bank analysis, bank examinations, and public policy. His accomplishments include the development of governance, strategic management, risk management, and control standards for financial institutions, as well as the development and implementation of bank accounting standards, board governance policies, and risk assessment and rating methodologies, including deposit insurance premium systems.

Joshua Lattimore is Policy and Research Advisor at Canada Deposit Insurance Corporation. His areas of knowledge relate to corporate governance, enterprise risk management, and public policy. He is currently coordinator of a subcommittee at the International Association of Deposit Insurers for developing guidance for governance of deposit insurers and coordinator of a subcommittee for developing research on risk management. Joshua has a master’s degree in international affairs from Carleton University in Ottawa, Canada, and a bachelor’s degree in international relations from the University of Toronto.
