How To Calculate Your Risk Tolerance
Develop a better understanding of your ability and willingness to accept corporate risks.
Risk appetite what is the type and amount of risk your organisation is prepared to take in order to achieve its strategic operational or project objectives. How does this this risk appetite change over time.
Risk appetite and tolerance needs to be decided at outset and monitored over time. A clear risk appetite and tolerance statement can help organisations achieve corporate goals and support business sustainability.
Risk tolerance what an organisation can actually cope with at its most extreme.
What can your business do? What must your business not do when trying to be more successful in business?
ccessful performance looks like. This question may be easier to answer for a commercial organisation than for a government department, but can usefully be asked by boards in all sectors.
Putting it into practice
We have sought to develop an approach to risk appetite that:
- Is theoretically sound
- Is practical and pragmatic: we do not want to create a bureaucracy, instead we are looking to help find solutions that can work for organisations of all shapes and sizes
- Will make a difference.
Subscribe for free to BusinessRiskTV to find out more about our risk management workshops. Identify the best opportunity for you to increase your risk knowledge and business intelligence.
We have developed two guidance documents. An Executive Summary aimed at boards and a detailed guidance document for risk professionals
Building your risk tolerance:
- Identify and measure what is too much enterprise risk
- What to do if you already have too much risk
- Evaluate risk management measures to select best ones for your culture and organisation
Develop a better risk assessment process to embed the best risk reward culture for your business regardless of the economic cycle.
Are you a risk taker or just reckless?
Not understanding the types and size of corporate risks means you are reckless, not a risk taker. Risk takers accept and manage corporate risks after careful assessment. Once their risk knowledge is enhanced they take decisions that on the balance will bring the reward they want. The risk they need to take to receive that level of reward is acceptable. To others it maybe unacceptable, but they is irrelevant.Whats important is that you take risks in the full knowledge of the level of risk you are taking not just crossing your fingers and hoping for the best.
To build a more certain future for your business you need to determine your risk tolerance and set your risk management strategy accordingly.
Using a risk based decision strategy for your business can be more productive. It can also maximise your business performance by targeting the highest reward return based on the highest level of risk you can tolerate. If you and your business have a low risk tolerance then it is crucial not to overstretch your assets as this could result in disastrous collapse of your business.
Risk Appetite is something different. Your risk appetite should be less than your risk tolerance. Building in headroom between risk appetite and risk tolerance will build in a safety buffer or margin for your business so that you can flex-up should you need to in order to seize new business opportunities. The buffer will also provide some protection against changes in external risk drivers you may have no control of but can absorb in your margin between risk appetite and risk tolerance.
Changing Risk Perception and Risk Attitudes Workshop
Pursue retain or avoid risk with respect to risk appetite and tolerance
Risk Appetite is the total impact of risk an organisation is prepared to accept in the pursuit of business objectives. Internal and external risk factors will drive your risk perception and attitude to risk.
Risk appetites may vary across the whole business depending on the risk perceptions and risk attitudes of senior managers executives risk owners and risk control managers. Their risk perceptions and risk attitudes may change the level of risk business is exposed to including taking too much or too little risk to achieve business objectives.
Risk appetites and risk attitudes can change depending on the experience of persons responsible for risks. If you have skilled and experienced employees they may have a different perception and attitude to risks and this changes how a business responds to risks. Emerging risks or existing risks that are changing may mean experienced and trained employees need regularly skills development and business intelligence building opportunities to grow their risk knowledge.
The type of risk may change risk appetite and risk tolerance. The risk perception of the impact on business may be accurate or inaccurate but can dramatically change risk appetite and risk tolerance.
There is no right or wrong decision on risk appetite and risk tolerance. However this is a major area which must be addressed in the risk assessment process otherwise the business maybe under performing and not getting the most out of its assets..
A well defined risk appetite statement includes the following elements
- Reflects actual business strategy business plans and business objectives not what managers hope will happen
- Reflects key significant activities and risks of the organisation
- Acknowledges and encourages taking risks
- Has specific measurable achievable realistic and time bound SMART aims with regard to assets resources skills and technology needed to manage risk exposures within risk appetite and risk tolerance constraints
- Has been approved signed off and promoted by senior management team
The risk appetite statement needs to be regularly reviewed in the light of changes to internal and external risk factors to ensure it still reflects immediate medium and long term risk appetite and risk tolerance evaluations. It also needs to be reviewed when business objectives are missed or achieved and risk control measures effectiveness change.
Risk appetite and risk tolerance statement needs to cover all significant risk classifications impacting on business objectives. Our holistic risk management approach links risk appetite and risk tolerance to overall business strategy.
Our Changing Risk Perception and Risk Attitudes Workshop will help you define your Risk Appetite Statement
- Define business objectives. What are your objectives in respect of market share growth governance branding reputation compliance profitability etc? Why are these objectives the most important to key organisation stakeholders? What is that these stakeholders expect from the business and how will their expectations be managed? Whether objectives are SMART should be explored. The objectives themselves may need to change if they are not SMART. Do not try to manage risks from business objectives that are not SMART as you are probably setting yourself up for failure from the outset.
- Align enterprise risk profile to the business plan. What are the significant risks that may prevent the achievement of business objectives? What are the significant rewards that could be achieved if the risks impacting on the opportunities are managed well? Measure the risks holistically to identify the net benefits and drawbacks using risk assessment process. Use risk assessment process to better understand current risk taking capacity. Consider the risk headroom you have that gives you flexibility or makes your business more fragile to risk exposure as this may influence attitude to risk taking. Be clear about Red Lines where you have zero tolerance risk exposures. Where you can tolerate risk what is the bottom line risk tolerance exposure level across which you will never want to cross regardless of potential rewards. Clearly defining business objectives risk tolerance risk appetite and risk headroom will give you a firm foundation for the level of risk you want to take to achieve business objectives.
- Identify risk tolerance ranges for specific risks. Your risk appetite must not cut across your Red Line risk tolerance levels for each type of risk. Risk tolerance threshold is a key element of aligning a more risk based business strategy. If more risk taking is envisaged then extra risk monitoring measures maybe needed to control the risk exposure more dynamically. This will give you more opportunities to correct business risk management for improved performance over the longer term. It is crucial that all levels of the organisation are involved in risk reporting and monitoring to embed more responsive risk management strategy. Risk tolerance thresholds should be very specific and measurable so that it is clear where the organisation stands at any time in terms of risk exposure.
The risk appetite also needs specific risk control strategy set and and monitored by risk assessment process
- Risk Rating higher than Risk Appetite should trigger risk management action plan
- Risk Rating lower than Risk Appetite should trigger risk management review to identify if organisation could make changes to boost performance.
It should be remembered that the closer the organisation gets to optimal performance the more exposed to risk the organisation gets. Risk events when working at optimal performance are harder to overcome than when there is more headroom in the risk management system.
Inherent risk is the risk faced without any mitigation or control measures. Residual risk is the risk faced after mitigation or control measures have been taken into account.
Residual risk levels can be higher or lower if the persons completing the risk assessment process have different skills experience or attitude to risks. Residual risk levels arrived at by the organisation need to take into account Risk Perceptions.
The more control over risk a person has the more confident they are that the risk is under control. They may perceive risks they have control over as lower risks. They maybe overconfident on their ability to control the risk. The residual risk could therefore be higher than recorded on the risk register for example.
On the flip side lack of control over a risk may lower the risk assessors risk tolerance. This may reduce business performance. Maybe increased training and risk information can change risk perceptions of risk assessors. An organisation could take on more risk with more confidence without really increasing corporate risk tolerance.
Involving people outside of the organisation can bring fresh eyes or a different outlook on corporate risks. This could change risk assessors risk perceptions to improve business performance and build business resilience.
Subscribe of free to find out more about BusinessRiskTV workshops