Without this, efforts to manage and optimise risk will be futile
Before embarking on the development of a risk management framework, an organisation’s tolerance levels must be agreed upon and operationalised, so that the Board’s risk appetite is effectively executed.
Before we delve into how the Board uses risk tolerance to support risk governance, it is worth pausing to clarify the terms ‘risk appetite’ and ‘risk tolerance’ as they are often used interchangeably in our industry.
Risk appetite can be defined as the amount of risk an organisation is willing to accept to achieve its objectives, covering both risk-taking and risk-aversion, and is captured in a series of statements, approved by the Board.
Certainly, risk varies among organisations and industries, so each company must develop its own risk appetite statements that reflect its internal and external context and overall business goals.
Conversely, risk tolerance is defined as “the acceptable deviation from the level set by the risk appetite and business objectives.”
Conceptually, risk tolerance sets the boundaries of risk taking that the organisation will not encroach in pursuit of its long-term objectives. It can be viewed as the operating application of the risk appetite statement, establishing quantitative measures for various risk categories (eg, technology, financial, reputation) to support the risk assessment and oversight activities (eg, monitoring, reviewing, and adjusting).
Risk tolerance is measured in a variety of ways, depending on the risk category. For instance, a technology risk can be measured as a percentage while financial risk can be measured in dollars.
Communicating risk tolerance
Increasingly, organisations in most industries are being questioned by key stakeholders, such as, investors, analysts, and the public, to clearly state their understanding of the risks being undertaken to pursue strategy and the extent of the organisation’s readiness to accept this risk.
Globally, markets, regulators and governments are now directing organisations to establish a board-approved risk appetite statement which is understood and consistently implemented through a risk management framework for the organisation.
One of the key benefits of the regulatory mandate is the increased organisational maturity for risk management, such as establishing a consistent and standardised approach for risk practices, encouraging a risk-aware culture, and establishing risk governance protocols.
With regulatory, market, and public (e.g., privacy) expectations continuing to increase, many boards are improving their governance practices by applying risk tolerance measures, introducing new processes for risk professionals to address to meet the Board’s enhanced mandate for risk management.
Asking the right questions
A risk professional must understand how risk tolerance levels are used by the Board to support risk governance and meet requirements from external stakeholders (eg, regulators, market). This includes setting, implementing, and monitoring the achievement of strategic objectives through a risk management framework.
Accordingly, some of the key questions a risk professional must ask include:
- How much risk can the organisation accept to pursue strategic objectives?
- What is our risk culture and capabilities for managing risk?
- What is our risk exposure and are we exceeding our tolerance limits?
Typically, risk tolerance is communicated in quantitative terms, such as:
- Standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
- Service levels for system uptime require 99.5 percent availability on monthly cases; however, isolated cases of 99.4 percent will be tolerated.
Here are some key considerations for risk professionals as they work with the Board to establish risk tolerance levels:
- Providing Risk Oversight and Reporting
The Board’s role is to set the risk appetite of the organisation and then ensure it has a risk management framework to identify and manage risk on an ongoing basis through the use of risk tolerance levels.
An example is the use of key risk indicators (KRI) to establish limits and thresholds to monitor if risk is increasing in exposure (this provides an early warning system).
A Risk Dashboard using RAG (Red, Amber, and Green colours) to display the status of KRI can be used for Board reporting and monitor compliance with the risk appetite.
Also, to identify emerging risks, a scenario analysis exercise can be conducted using risk tolerance limits where the broader environment is considered, analysing implications of internal and external risk factors.
- Fostering risk culture in the organisation
A risk culture encourages open discussion and ensures acceptable levels of risk are defined and communicated to the enterprise. A risk culture begins at the top with Board members and senior management who set the tone for risk-taking with alignment to the risk appetite, ranging from very risk averse to risk taking and opportunity seeking.
A positive risk culture promotes risk-based decision making, using tolerance levels, and rewards appropriate behaviours.
- Enabling risk-based decision making
A risk assessment exercise allows an organisation to determine its risk exposure. However, it is risk tolerance that defines how much risk will be accepted, establishing a data-driven approach for risk response decision-making.
This ensures alignment to the Board’s attitude to risk, operating environment and the risk culture. It also provides a solid foundation and appropriate boundaries for a risk professional to operate within.
Educating and embracing
A risk professional who can foster a workplace whereby all employees understand, communicate and apply risk terminology consistently, will support effective enterprise risk management. It allows for clearer comparisons of risk types across the organisation and provides for meaningful input into risk-based decision-making processes.
Most importantly, helping the Board to crystallise risk tolerance boundaries in relation to their risk appetite will enable a risk manager to implement controls to ensure risk exposure does not exceed risk appetite.
In the long-term this will be imperative in helping to deliver the organisation’s strategic objectives, thereby being the primary outcome that will judge the value of an organisation’s risk management framework, governance, and culture.
Mary Carmichael, CISA, CFE, CPA, is the assistant director of technology risk and assurance at the University of British Columbia (Vancouver, British Columbia, Canada). Find out more in the ISACA’s latest whitepaper.