Learn how risk appetite and tolerance statements can help answer “how much risk is too much risk”
Leveraging Your Risk Register for Decision-Making
Your risk register gives you a list of your institution’s risks and can help you establish some priorities, but it doesn’t necessarily tell you how well you are managing that risk or when you need to act. Organizations use risk appetite and tolerance statements to help answer those questions.
From a recent URMIA webinar offering, here is an overview of what these statements are along with suggestions for how to employ them at your organization.
What Is a Risk Appetite Statement
A risk appetite statement is a broad statement about how much risk your organization is willing to take on to pursue its objectives. Unfortunately, ambiguous terms like “medium” or “responsibly pursue” are commonly found in risk appetite statements, and these terms can mean different things to different people.
It can be helpful to establish a scale or criteria to organize or categorize these statements, and using a four-point scale instead of a three-point scale can be beneficial. A four-point scale has no neutral midpoint, so participants have to pick either the net-negative or the net-positive side of the proverbial fence. This definite positive/negative ground gives you actionable data for prioritizing risk categories.
The goal of having a solid risk appetite statement is to set some guardrails around how much risk the organization is willing to take to pursue its mission and objectives, and to get everyone on the same page. Using less “squishy” terms can help eliminate some of the ambiguity.
There is also a distinction between what we call “Big A” risk appetite, which represents formal, institution-wide statements, and “Little a” risk appetite, which is established more informally. An example of “Little a” risk appetite is when an organization says that any risk with a certain risk rating needs additional risk treatments or controls. The act of requiring new actions indicates the risk is beyond the organization's risk appetite and that action is required.
Sample "Big A" Risk Appetite Statement: “We will responsibly pursue opportunities related to enrollment, carefully consider risks related to financial performance and stewardship, and avoid risks that threaten our safety or compliance performance.”
What Is a Risk Tolerance Statement
A risk tolerance statement is more specific and defines your acceptable range of performance or tolerance about a certain risk or risk category.
Sample Risk Tolerance Statement: “We will pursue financial risk as long as it does not impact our debt rating, and we will increase enrollment to 105-110% of estimated capacity.”
What You Get When You Use Both Statements
Once an organization outlines its risk appetite and risk tolerance, it has clearer insight into when action is required. The tolerance statement sets a threshold between acceptable and unacceptable performance. Once you see a particular risk crossing that line, whether above or below it, you know it is appropriate to act, because the risk is no longer within the parameters, or guardrails, that your group established for that particular risk. The key is having the metrics and data in place that can provide this insight into how you are performing on a particular risk.
Putting It into Practice in Higher Education
The University of Maryland, Baltimore (UMB) is working on establishing its risk appetite by focusing on its top five or top ten risks and using these to set the thresholds for producing its risk appetite and tolerance statements.
There is a good level of comfort with how this is being done for UMB's top risks, so the focus is now shifting to figuring out how to set appetite and tolerance for the risks below its top ten.
UMB’s enterprise risk management (ERM) office is integrating this process with the university’s strategic plan, which, through its global outlook for the university, can help forecast emerging risks that haven’t yet been thought of or may be coming in the future.
Where Does This Fit in Your ERM Process
ERM is the perfect avenue to make the risk appetite and risk tolerance process successful as it:
- Provides a structured and repeatable process for risk assessment
- Aligns with strategy and reconciles context and risk
- Facilitates a risk-aware / risk-intelligent culture
However, there is not just one way to implement a risk appetite/risk tolerance process. You have to know your institution and find what works for you.
One procedure for consideration is:
- Board and leadership set strategy
- Leadership recommends risk appetite and board approves
- Engage risk owners, discuss key risks, and apply ERM process
- Establish risk tolerance and, subsequently, treatments to achieve risk appetite
Another approach was undertaken by UMB. While the university always had risk appetite and tolerance in mind, they weren’t addressed at the beginning, so they have been applied later in the process.
The institution set its strategy at the beginning by consulting university leadership, then went straight into the risk assessment process: identifying risk owners and applying the ERM process to evaluate those risks.
In doing so, UMB realized it was effectively setting its appetite as it evaluated the risks, by seeing where the top five and top ten risks were landing. The institution is now in the middle of setting its risk tolerance.
Support and Measure Over Time
The real challenge may not be in the establishment of the risk appetite and risk tolerance. It may be in the ongoing maintenance that is required to ensure you are managing and acting on these thresholds. You will need to:
- Measure performance against data thresholds over time
- Discuss regularly in leadership meetings and with mid-level and on-the-ground staff
- Evaluate and consider changes in context and how these shifts impact your risk register - you might have your prioritized list, but you need to continuously review your risk ratings
- Maintain risk data
You can find the complete webinar recording in the URMIA Library for more information.
2/26/2024
By Victoria Meadows, Manager, ERM Program, University of Maryland, Baltimore
By Lisanne Sison, Managing Director, ERM and ESG, Gallagher