Risk appetite should be viewed in relation to objective: ERM expertPosted On: Nov. 3, 2011 12:00 AM CST
SAN DIEGO—Determining an organization's risk appetite is an essential element of an enterprise risk management program, but it's important to consider the appetite in relative terms and avoid absolutes, according to one ERM expert.
Speaking at the Risk & Insurance Management Society Inc.'s inaugural ERM Conference on Wednesday, Robert G. Torok, executive consultant, financial management services at IBM Canada Ltd. in Toronto, defined risk appetite as an expression of how much risk an organization is willing to accept in pursuit of its goals or objectives.
But, he noted, it's essential to remember that that risk appetite is “relative to an objective.” For example, a company might be willing to accept a certain amount of risk to achieve a specified profit margin on a product, Mr. Torok said.
Reflect expected loss
In addition, he said, “The appetite for a risk or the willingness to take on a risk has to have something to do with your ability to do something about it.” While an organization's risk appetite discussion might initially be shaped by the potential impact and likelihood of an exposure, the conversation must go beyond those considerations to include management's ability to control the impact or likelihood of the risk, Mr. Torok said.
Risk appetite should reflect the expected loss. “But you cannot say, ‘That event is below our risk appetite so we just live with it,'” the IBM consultant said. “You've got to force the conversation as a risk manager to say, ‘Can we withstand the absolute loss if it happens?' Not, ‘Can we withstand the anticipated loss?'”
In considering its risk appetite, an organization also must consider the impact of multiple events, Mr. Torok said, and whether there are individual and cumulative risk appetites.
Beware ‘zero tolerance'
In defining risk appetite, companies need to be careful of absolute statements involving words such as “zero tolerance,” as the organization might quickly find itself violating its own policy. “Your organization probably wants some wiggle room,” Mr. Torok said. “You have to accept that mistakes occur. So you have to ask the question, ‘Why was the mistake made? And then perhaps act.”
Culture, time and cost of management are other factors that should play into risk appetite discussions, Mr. Torok said. With respect to culture, the consultant noted that different organizations have different risk tolerances, and that risk tolerance within an organization can change over time.
Risk appetite also can vary with regard to short-term or long-term investments, and an organization has to consider the cost of mitigating risks to an acceptable level, he said.
The nature of the loss is another important consideration. A customer bankruptcy leading to a $1 million write-off can be an unfortunate business outcome, while a $1 million loss due to fraud likely indicates an internal control problem resulting in a situation that's both embarrassing to the business and likely outside the bounds of its risk appetite, he said.