A 3-step Approach to Implementing Risk Appetite and Tolerance

August 1, 2017

Step 1: Understanding Risk Appetite and Tolerance

Whilst Risk Appetite deals with the level of risk that the organisation will pursue to meet their organisational objectives, Risk Tolerance defines the upper and lower levels that an organisation is able to deal with / absorb, without significantly impacting the achievement of the strategic objectives.

Tolerance levels can be graphically represented alongside the appetite levels on what is referred to as a risk matrix or heat map taking into account the Impact (Consequence) x Likelihood of the risk. The example below shows the appetite line, above and to the right of which performance is deemed to be sub-optimal and action should be taken.

Figure 1 Risk Appetite and Tolerance Thresholds

Step 2: Setting the Risk Appetite Scale

2a: Qualitative Risk Appetite

Most organisations use risk impact and likelihood rating scales / models similar to the tables below which gives guidance to risk owners on how to rate the impact and likelihood of their risk/s:

Figure 2: Impact Rating Scale

Risk Impact Model by Rating Category
Rating Financial Impact Health and Safety Natural Environment Social & Cultural Reputation Legal
1 Insignificant >0% T/O Minor medical treatment Limited damage Low level repairable Public concern restricted Low level legal issue
2 Minor > 1% T/O Moderate irreversible Minor effects Minor social impacts on local population Minor / local public or media attention Minor legal issue
3 Moderate >2% T/O Significant irreversible disability Moderate short term effects Ongoing social issues Serious adverse national media Serious breach of regulation
4 Major >4% T/0 Very serious irreversible injury Very serious long term effects Permanent social issues International media coverage Significant prosecution and fines
5 Critical >5% T/O >50 fatalities Very significant impact on highly valued ecosystem Very serious wide-spread social impact Prolonged international condemnation High fines and potential jail terms

In many cases, organisations state the financial impact in absolute values (i.e. Rand based) using risk threshold values (appetite) which are applicable at a group level but not at a regional, divisional, business unit level. For example, the financial risk value of R1,000,000 may be ‘Insignificant’ (rating 1) at the group level but may be ‘Critical’ (rating 5) to a smaller business unit. A better approach is to set specific risk impact models for each level of the organisation so that financial risk impact values are relevant at the lower levels of the organisation. Alternatively the financial scale could be based on % of Turnover (T/O) but this will only work where you know the turnover / materiality per business unit.

When rating the overall impact for a risk, the risk owner would use the worst (most impactful) rating across all impact rating categories.

For example assume the following ratings for ‘Risk A’:

  • Financial Impact (3)
  • Health and Safety (4)
  • Natural Environment (2)
  • Social and Cultural (2)
  • Reputation (4)
  • Legal (5)

The risk owner would rate the impact of the risk as a 5 (i.e. the highest value which happens to be ‘Legal’).

Figure 3: Likelihood Rating Scale

Likelihood Ratings
1 Rare – Risk will not even occur long term
2 Unlikely – Risk unlikely to occur even medium term
3 Possible – Risk could occur medium term
4 Likely – Risk certain to occur in the short term
5 Almost certain – Risk is pervasive and occurring regularly

Based on our risk impact appetite model (Figure 2) and the likelihood ratings (Figure 3), we are able to rate all risks qualitatively (impact and likelihood) and map them on our heat map against our risk appetite. The heat map in Figure 4 shows risks across multiple business units mapped against our risk appetite.

Figure 4: Qualitative Risk Heat Map

2b: Quantitative Risk Appetite

Where possible, we should also rate our risks quantitatively, albeit that some risks such as ‘reputational risks’ may be difficult to quantify. The nice thing about quantifying risks is that it make aggregation across business units relatively simple.
You can define quantitative thresholds at each level (unit) of your organisation in terms of:
(a) aggregated risk appetite thresholds (at the unit level)
(b) risk impact values applicable to each risk within the specific business unit

Figure 5: Quantitative Risk Appetite Thresholds

(a) In the example above (Figure 5), the aggregated risk value of R0 to R750,000 is green, R750,000 to R950,000 is yellow and above R950,000 is red. The aggregated value is derived from the sum of all risks for the unit you are working on and all child units below this unit.
(b) In the example above (Figure 5), the risk impact values relate to each risk within the unit you are working on.

Step 3: Reporting against Risk Appetite

3a: Qualitative Risk Reporting

It’s one thing to plot all your risks (across different business units) on a heat map as shown in Figure 4, or to show the average of all your risk ratings by category of risk. However, neither of these two methods take into account the significance of the each business unit within your organisation. How do we ensure that a risk which is ‘critical’ in a small business unit does not end up as a ‘critical’ risk at the group or regional level (unless required)?

One way is to weight each business unit and apply this weighting when calculating the qualitative risk rating. The problem with this approach is that it is very difficult to set weightings per business unit especially where your organsational hierarchy runs into the 1000s of business units.

A better way is to categorise your business units based on their significance (Importance) and then plot your risk ratings, taking into account the ‘significance’ of each business unit. For example:

Figure 6: Qualitative Risk Heat Map by Unit Weighting Category

The heat map in Figure 6 takes into account the ‘significance’ of the various business units. On point 1 in the heat map, we see that the risk ‘03. Accountability of goods not accepted by the customer’ is plotted as a ‘yellow’ risk (Unacceptable, Category B business unit) even though in the detailed grid below it is rated as 25 (i.e. a red risk in its own business unit: Johannesburg > Finance). On point 4 on the heat map, we see that the risk ‘Noncompliance GNR 0924 of 3’ is plotted as a ‘red’ risk (Serious, Category A business unit) even though in the detailed grid below it is rated as 16 which is lower than the risk ‘03. Accountability of goods not accepted by the customer’ with a rating of 25.

3b: Quantitative Risk Reporting

It is relatively simple to aggregate the Rand value of risks at any and all levels of the organisation and map them to our risk appetite thresholds specified at each level of the organisation as illustrated in Figure 7.

Figure 7: Aggregated Risk Exposure mapped by Unit Appetite

In Summary:

Step 1: Understand the definition of risk appetite and tolerance and how it relates to your organisation.
Step 2: (a) Formulate and rate risks based on your qualitative risk appetite model / statement. Define risk appetite model/s that take into account materiality at group, divisional and business unit level (b) set up your quantitative risk appetite thresholds at key levels (units) of your organsational.
Step 3: Report qualitatively as well as quantitatively on your risks, taking into account the significance (importance) of the different units within your organsational.

Written by Jonathan Crisp, Director, BarnOwl GRC Software

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Europe and the UK. BarnOwl supports best-practice risk management, compliance and audit frameworks (e.g. COSO, ISO31000, Compliance Institute’s Handbook, International Professional Practice Framework) while offering a highly flexible and configurable parameter-driven system, allowing you to configure BarnOwl to meet your specific requirements.

Further Reading

Please see useful links below: