With the scarcity of useful guidance to help organizations determine risk appetite and risk tolerance, the Institute of Risk Management (IRM) is seeking to clarify and produce guidance to more effectively communicate an understanding of risk appetite. As a result, IRM released a consultation paper with detailed approaches on developing and using risk appetite and risk tolerance in risk management.
In general, risk appetite relates to the amount and type of risk an organization is willing to pursue, whereas risk tolerance relates to the amount of risk the organization is willing to endure to achieve objectives. The topic of risk appetite is outlined in four categories:
Designing a risk appetite:
- A model of risk appetite is presented and recommended to be tailored to the needs and maturity of the organization.
- Four dimensions of maturity should be considered by the board in designing a risk appetite, including the business context, risk management culture, risk management processes, and risk management systems.
- It is important to recognize that multiple risk appetites may exist for different levels of risk, such as operational, strategic, and tactical.
- Risk culture will affect an organization’s ability to function within its risk appetite.
Constructing a risk appetite
- The three levels of risk appetite should be addressed: strategic, tactical, and operational.
- An understanding of the control culture of the organization is necessary by looking at the “propensity to take risk” and the “propensity to exercise control.”
- A realistic measurement approach using relevant sources of data is essential for management and the board to identify and manage risk appetite.
Implementing a risk appetite
- Before implementing, the organization should have a defined strategy, understand principal risks, and be able to describe the maturity of the risk management program in place.
- Engage with stakeholders to ensure risk taking and control activities are aligned.
- Risk oversight committees should review and approve the risk appetite.
- Critically review and be prepared to adjust risk appetite at the end of each reporting cycle.
Governing a risk appetite
- The board should govern four important points of the risk appetite model, including approval, measurement, monitoring, and learning.
- The risk appetite statement will shape the way the organization is managed.
The paper further states issues worth keeping in mind, especially since risk appetite will continue to evolve over time. Also, questions are listed throughout the document with the suggestion that they should be asked in the boardroom to guarantee that risk appetite and risk tolerance are being adequately addressed.
Click below to download the paper