Defining Risk Appetite and Risk Tolerance
Risk Tolerance is on the mind of every CEO, board member, and investor these days. In a world of ever-evolving risks, how do companies analyze and decide what risks they are willing to take?
Major institutional shareholders and proxy advisory firms increasingly evaluate risk oversight matters when considering votes in uncontested director elections and routinely engage companies on risk-related topics. Risk management is no longer merely a business and operational responsibility of management. It has also become a governance issue that is squarely within the oversight responsibility of the board.
In Part One of BoardBookit’s two-part series on the risk conversation in the boardroom, we discuss some of the basic definitions and processes associated with risk in the boardroom. Two terms come up often in discussions of risk mitigation: Risk Appetite and Risk Tolerance. They may sound like synonyms, but they refer to different parts of the Risk Conversation. Part 2 of the Risk Conversation in the BoardRoom mini-series will delve into how corporations and boards implement risk management.
Defining “Risk Appetite”
To strike the appropriate balance between creating and protecting value, management and the board consider an overall risk profile in order to develop expectations that are established by the risk appetite of the company. (NSCU
The Institute of Risk Management defines risk appetite as “the amount and type of risk that an organization is willing to take to meet its strategic objectives.” Risk appetites vary widely between different industries, but can also vary within an organization by department, business unit, etc. CSO Online shares John Gray’s quote, “People have different risk appetites based on role and responsibility. Legal has a different appetite than the business developers do” to explain the varying levels of risk appetite within a company.
There is occasionally a disconnect between management and the board when managers fail to see the full picture. Managers can sometimes view limits imposed on the basis of risk appetite as “an impractical, one-time assessment that limits them when making decisions.” Companies should be able to articulate their risk appetite based on actions taken by both management and the board of directors, because management and the board may have slightly different understandings of, or comfort levels with, the risks assessed.
Exploring “Risk Tolerance”
Risk Tolerance, on the other hand, refers to the organization’s or stakeholder’s willingness and ability to handle the risk should it come to fruition. The organization has to consider what the risk treatment would be in order to achieve company objectives and goals. Risk is defined as the effect of uncertainty on objectives, while risk treatment is defined as the process to modify that risk. “The term ‘risk treatment’,” as shared by Corporate Compliance Insights, “can be further explained by noting that the process can involve one or more of the seven following actions:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Taking or increasing risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision”
The Board’s Place in Risk Management
“Boards should demand regular reports on the current “residual risk status” of strategic and core business objectives. One approach is to implement a repository of essential business objectives senior management and/or the board want assurance on, including value creation objectives, reliable financial statements, and others.” (Harvard Law School) This can be accomplished by assigning specific owners to the action items in order to maintain consistent governance with regular reports on the risk. To empower boards to assign and track objectives, BoardBookit has implemented a task management feature in our board management platform.
“The vast majority of board members recognize that managing risks well is a key element of sustained business success. What many boards grapple with is the need to transition from managing risk with limited formal and visible processes and structure—an approach that may not be adequate given the complexity and speed of change in today’s world. Boards must acknowledge that increased risk management rigor and structure are increasingly expected by regulators, credit rating agencies, institutional investors, customers, and the courts.” (Harvard Law School)