In the online course feedback, people have asked how to determine risk tolerance in their enterprise risk management framework, as well as a risk appetite definition. ERM has inherited a collection of terms from the world of financial risk management – risk tolerance and risk appetite are two – and people have difficulty making sense of them when applying risk methods to the wide variety of working contexts that ERM comprehends. Let’s review first the conventional connotation of risk tolerance.
Risk Tolerance and Risk Appetite in Finance
Risk tolerance in personal finance is of course the degree of willingness to accept risk of loss in an investment portfolio (in anticipation of correspondingly higher degrees of return). An individual will fill out one of those questionnaires to acquire a rating, such as low, medium or high, and then select investments, perhaps on the basis of the measure of historical volatility (beta risk).
In corporate finance, the firm might publicize a statement indicating a general stance or attitude regarding the degree of risk it will usually take on. A “required rate of return”, set by policy, is a risk-adjusted percentage return on capital, used as a guideline to evaluate project proposals. It therefore indicates a degree of risk tolerance. We characterized risk tolerance in a previous post as degree of variability or volatility that the organization’s capital structure can support.
A few accounting firms’ white papers on risk tolerance (just Google it) discuss the closely related term “risk appetite”, as well as “risk capacity”, and agree that various stakeholders will have different appetites for risk: an investor want s to see a return, while policyholders or rating agencies want to see the risk of default minimized. Risk tolerance might be defined as exactly how much capital the firm wants to risk.
But I think the question for many enterprise risk managers is: how does all this translate into risk tolerance, not strictly in financial terms, but for the strategic and operational objectives in my manufacturing facility / university / software firm / health services organization / etc.? The finance definitions are not suited.
I’m going to digress, but it’s relevant. This reminds me of when I was giving my final report for the master’s program in public admin. My project involved developing performance measures for electronic service delivery – specifically, electronic payment options for banking/cash management branch. There was a suite of payment programs, each in a different stage of maturity and serving different clients.
Now, here’s the point: the performance measures for these programs necessarily were of many different types and qualities. They ran the gamut from reliable calculations of savings-per-transaction, with year-over-year percentage changes in take-up and acceptance by clients, to mere indicator data showing simple numbers of transactions completed, to anecdotal reporting and narrative for those programs having no data. In other words, you have to assess the validity and relevance of quantitative measures, and recognize the value of qualitative analysis.
At the end of my presentation, my advisor asked me what the chances were of attaining a universal language of accountability and reporting. (He would express frustration about board members unable to read financial statements.) I thought then and still do that we should not force a universal language, because it will be reductionist. It seems to me that we are steeped in a culture of measurement (it tells us categorically, if you can’t measure it, you can’t manage it) and specifically of financial measurement. In ERM, risk is, indeed, often construed purely as quantitative financial risk management, but even the finance experts warn against this:
“CEOs discovered too late that they had traded their old-fashioned blind spots for a new kind of blindness: one induced by the comfort of new technology and elaborate quantitative models […] With such disasters [Société Générale’s US$7B rogue trading loss] as a backdrop, many risk management experts say it’s time for companies to revisit the fundamentals.” ~Bennett Voyles, April 2008
“[With] too much dependence on the math, you lose sight of the dynamics… that the world really moves, and that it’s a complex system.” ~Peter Bernstein, Jan 2008, interviewed by McKinsey
In my next post, I will tie it all together and suggest an approach to defining risk tolerance in any context.