What is Risk Tolerance?

2010-06-29 / Risk Tolerance / 0 Comments

In the online course feedback, people have asked how to determine risk tolerance in their enterprise risk management framework, as well as a risk appetite definition. ERM has inherited a collection of terms from the world of financial risk management – risk tolerance and risk appetite are two – and people have difficulty making sense of them when applying risk methods to the wide variety of working contexts that ERM comprehends. Let’s review first the conventional connotation of risk tolerance.

Risk Tolerance and Risk Appetite in Finance
Risk tolerance in personal finance is of course the degree of willingness to accept risk of loss in an investment portfolio (in anticipation of correspondingly higher degrees of return). An individual will fill out one of those questionnaires to acquire a rating, such as low, medium or high, and then select investments, perhaps on the basis of the measure of historical volatility (beta risk).

In corporate finance, the firm might publicize a statement indicating a general stance or attitude regarding the degree of risk it will usually take on. A “required rate of return”, set by policy, is a risk-adjusted percentage return on capital, used as a guideline to evaluate project proposals. It therefore indicates a degree of risk tolerance. We characterized risk tolerance in a previous post as degree of variability or volatility that the organization’s capital structure can support.

A few accounting firms’ white papers on risk tolerance (just Google it) discuss the closely related term “risk appetite”, as well as “risk capacity”, and agree that various stakeholders will have different appetites for risk: an investor want s to see a return, while policyholders or rating agencies want to see the risk of default minimized. Risk tolerance might be defined as exactly how much capital the firm wants to risk.

But I think the question for many enterprise risk managers is: how does all this translate into risk tolerance, not strictly in financial terms, but for the strategic and operational objectives in my manufacturing facility / university / software firm / health services organization / etc.? The finance definitions are not suited.

Performance Measures
I’m going to digress, but it’s relevant. This reminds me of when I was giving my final report for the master’s program in public admin. My project involved developing performance measures for electronic service delivery – specifically, electronic payment options for banking/cash management branch. There was a suite of payment programs, each in a different stage of maturity and serving different clients.

Now, here’s the point: the performance measures for these programs necessarily were of many different types and qualities. They ran the gamut from reliable calculations of savings-per-transaction, with year-over-year percentage changes in take-up and acceptance by clients, to mere indicator data showing simple numbers of transactions completed, to anecdotal reporting and narrative for those programs having no data. In other words, you have to assess the validity and relevance of quantitative measures, and recognize the value of qualitative analysis.

At the end of my presentation, my advisor asked me what the chances were of attaining a universal language of accountability and reporting. (He would express frustration about board members unable to read financial statements.) I thought then and still do that we should not force a universal language, because it will be reductionist. It seems to me that we are steeped in a culture of measurement (it tells us categorically, if you can’t measure it, you can’t manage it) and specifically of financial measurement. In ERM, risk is, indeed, often construed purely as quantitative financial risk management, but even the finance experts warn against this:

“CEOs discovered too late that they had traded their old-fashioned blind spots for a new kind of blindness: one induced by the comfort of new technology and elaborate quantitative models […] With such disasters [Société Générale’s US$7B rogue trading loss] as a backdrop, many risk management experts say it’s time for companies to revisit the fundamentals.” ~Bennett Voyles, April 2008

“[With] too much dependence on the math, you lose sight of the dynamics… that the world really moves, and that it’s a complex system.” ~Peter Bernstein, Jan 2008, interviewed by McKinsey

In my next post, I will tie it all together and suggest an approach to defining risk tolerance in any context.

Read More

How to do Risk Assessment–Establish the Context-Pt-1

2010-05-18 / How to do Risk Assessment / 0 Comments

The basis of sound risk methodology is to establish the context. I’ve found that if people pay attention to risk context at all, they often treat it as background information or a pro forma introduction. But it’s really a tool to ensure a rigorous and comprehensive risk assessment. (In future articles, we can discuss subsequent steps in risk assessment.)

The original AZ/NZS 4360 (now replaced by ISO 31000) addresses context, although mostly in connection with organization-wide implementation. The CAN/CSA-ISO 31000-10 (public review copy) and the accompanying Q850-10 Implementation of Risk Management – I was on the CSA technical committee – specify context for the purpose of applying the risk process. Similarly, in the ERM Guideline ver. 2.2 that I wrote when I was in BC Government, you’ll see “Context Analysis to Prepare for a Risk Identification Session” (section 2.2.2, page 17). The idea is to write a short risk context statement following recommended headings. Use this more complete template for context posted in this article: Risk Assessment Template-Establish Context.

Establishing the context means to define the bounds of what you want to analyze for risk, whether a strategic or operational plan, industrial or administrative process, program, project or other management initiative. The context paper sets out the scope of the analysis and the criteria you will use to assess risk. NB: This means your work will be internally consistent, and the results defensible.

Apart from establishing scope and assumptions, there’s a second purpose to writing a context paper: it serves as an agenda to help the team identify risk in a reasonably comprehensive and ordered way.

In the next post I’ll discuss context in more detail.

Read More