Measuring Risk Appetite

This week Tony and John discuss the importance of measuring risk appetite using operational risk software and how to go about it.   

This article is an abridged section taken from their book Mastering Risk Management…

Determining the risk appetite of a firm is an important component of any firm’s risk management approach. Used effectively, risk appetite will influence the risk culture (and vice versa), risk operating style and risk resource allocation. Risk appetite represents the firm’s view of how much risk can be taken to help achieve business objectives, while respecting the constraints within which the firm operates. 

The risk appetite of the firm is also important in managing shareholder expectations regarding the amount and type of risk which are accepted.  While the quantitative appetite of the firm for some risks is relatively easy to articulate, there will be other elements which are more difficult to measure quantitatively, including some risks for which there may be no appetite whatsoever, such as employee deaths or injuries due to poor health and safety procedures. 

Quantitative and qualitative appetites 

A firm has two types of appetites: quantitative and qualitative. A firm’s quantitative appetite is that which most people consider naturally. For example, a firm may have changed one of its business objectives to increase its sales by 30% in the next year and therefore is likely to be running a higher risk of mis-selling. The quantitative appetite for mis-selling may be expressed as the number of times per 1000 sales that there is an occurrence of mis-selling. 

Given that the sales staff will be under significant pressure to bring in more sales, the firm should recognise that its quantitative appetite for mis-selling is likely to need to be increased as there will inevitably be more occurrences of this risk. This is likely to be the case even though the firm may have previously stated that its qualitative appetite is to be conservative in its sales techniques. Clearly the qualitative and quantitative appetites must be consistent with each other. Therefore, either the qualitative appetite also requires changing because of the change in objectives or additional controls are required in order to keep the firm within its previous quantitative appetite.

Mixing quantitative and qualitative measurements

As the example above demonstrates, the firm’s risk appetite for each material risk should be determined both quantitatively and qualitatively and this should be based on its overall risk appetite, risk capacity and risk profile. The quantitative measures included should be translatable into risk limits applicable to business lines, which can in turn be aggregated and disaggregated (where possible) to enable measurement of the whole risk profile against risk appetite and risk capacity. The non-quantitative measures, i.e. the measurement of the qualitative statements, should include some form of boundary or metric that enables the monitoring of these qualitative risk statements. All appetites should be forward-looking and also subject to scenario and stress testing to ensure the firm understands what events might push the firm outside its risk appetite and/or risk capacity. 

Aggregation of appetites 

A question which often occurs during a discussion of qualitative and quantitative appetites is whether or not appetites can be aggregated. It is very tempting to think that a number of appetites at a departmental level can be aggregated (in some way) to give an overall appetite for a firm. However, this attributes a pseudo-mathematics to appetite, which is especially inappropriate for non-financial risks.

Risk appetite limits 

This part of risk appetite covers the detailed levels of risk to which the firm is willing to be exposed in order to achieve its business objectives. In particular, it concerns the allocation of the firm’s aggregate risk appetite statement to business lines, legal entities where applicable, specific risk categories, concentrations and other appropriate levels.

The limits should be specific and should take account of the sensitivities of the risks that they are measuring. In short, the limits should follow the SMART acronym: specific, measurable, assignable, realistic, time-based.  They should also be based on forward-looking assumptions as the risk appetite is itself a forward-looking management control. 

Early warning levels or tolerances 

Firms often have two escalation levels of appetite: a level below the amount of risk that the firm is willing to take and the actual level. An early warning level is that level at which action can be taken, if felt appropriate, so that the actual limit is not exceeded. Among some parties there is considerable debate as to whether this early warning level is in fact the actual appetite or whether it is a ‘tolerance’ level before the appetite.

Targets and tolerances 

It is easy to choose large numbers of metrics. However, there should be a balance between comprehensiveness, the monitoring costs and the effectiveness of the limits in enabling management action when necessary. It is also easy to choose limits which are sufficiently high that they are unlikely to be breached. A true limit will be set at a level which constrains risk-taking within the risk appetite while simultaneously allowing the firm to achieve its business objectives. 

There is often a temptation to use limits which are similar to those used by peers or, when they exist, to default to regulatory limits. It should not be forgotten that every firm is unique and, although its risk appetite may be comparable to others in its chosen industry, its risk appetite should reflect its own culture and business objectives.

In summary – don’t be put off

At first glance, risk appetite can appear either confusing or daunting. However, having an appetite is fundamental to the management of risk. If appetite is broken down into its component parts and then analysed one part at a time, appetite becomes both manageable and useful for the business.

Taken from Mastering Risk Management by Tony Blunden and John Thirlwell and published with kind permission from Pearson Education Published.  Readers of this blog are entitled to a 25% discount on Mastering Risk Management through the following URL: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317   Please use discount code MSTRSK-25 (valid until 31/12/2022)

For more information contact us today on sales@risklogix-solutions.com