Food for Thought on Risk Appetite

A friend of mine, Richard Anderson, has released a new paper on the topic of risk appetite. Richard is an expert on risk management, especially compared to me. True, I have implemented risk management at one company, run it at another, and assessed risks for management for many years as chief audit executive. But Richard not only has greater experience and insight but has been involved in major risk thought leadership for a long time. For example, he quotes from the BS31100 standard, which he developed, as defining risk appetite as the “amount and type of risk that an organization is prepared to seek, accept, or tolerate.”

The new ISO 31000 standard on risk management lays out the argument for risk appetite. It says:

“The risk management policy should clarify the organization's objectives for and commitment to risk management and should specify ... the organization’s risk appetite or risk aversion.”

The principle is sound: assess the level of risk, and if it is more than the organization’s risk appetite, then take action to reduce the risk level. Richard’s conclusion is:

“As we stand at the moment, risk appetite is almost impossible to measure and can never sensibly be expressed (except for a limited number of risks that are subject to quantitative techniques — and even they have their now well-known limitations). As a consequence risk appetite is never going to be condensed into ... [a] magical single metric.”

I believe there is another practical limitation. I have issues understanding how you can aggregate different risks. This is what I asked him in an e-mail this morning:

“I am of the opinion (but flexible) that you need micro and macro risk appetites, but not necessarily enterprise level. For example, you need a risk appetite for your portfolio of loans, or your total AR (both of which are macro). But you also need a risk appetite for a major IT implementation (micro). With respect to enterprise, how can you accumulate these three areas (none of which ‘value’ risk impact in quantitative terms alone) and get something meaningful? Do you take your total reputation risk level and add it to your cash flow risk to get something meaningful – which implies that if cash flow risk is lower, it is OK to have a higher reputation risk?”

Reflecting further, let’s consider risk appetite for one corporation: me. Just limiting personal risks today, I can identify a few risks that I need to manage:

  • Personal safety: I might have an accident while driving to/from work.
  • Reputation: I might say something, including my microblogging (here or on Twitter), that damages the little reputation I have.
  • Health: I need to eat and exercise wisely, and avoid individuals who are clearly ill.
  • Career development: I am in a number of important meetings today, and the perceptions of others might impact my career aspirations.

How do I value them, and should I aggregate them? Does it make sense to have a total level of risk appetite? That implies that I am prepared for one risk area to go up, should another go down.

An easy answer is to set a risk appetite for each of the individual risks — and that may be the best answer as well.

But how does this work when there is guidance that suggests top executives and the board (in its risk oversight role) need to set a corporate risk appetite and monitor against it?

My suggestion is to break down organization risks into buckets where it makes sense to aggregate them and to monitor actual levels against appetite. For example, I could see a business setting risk appetite for:

  • Reputational risk.
  • Cash flow risk.
  • Risk of a material weakness in financial reporting.
  • Competitor risk.
  • Etc.

But I am not persuaded that some artificial aggregate measure makes sense.

What do you think?

Posted on Feb 2, 2010 by Norman Marks

  1. Norman

    Great thoughts, with the clarity of putting it through that is typical of you. I completely agree with your stand, but expanding on what you said, I feel that even bucketing risks into logical categories might have challenges in defining the appetite, because it might be difficult to put a quantification to the appetite for the bucket as a whole. For some estimation, each micro 'key' component (key to the achievement of the objectives at the relevant portfolio level) needs to be analyzed to quantify the acceptable risk, and then the logical elements can be clubbed into the macro buckets. This might sound transactional, and as I write it, I feel that while you and I believe in the 'top down' approach to risk management, the risk appetite estimation process I describe here seems to indicate bottom up.

    I invite your thoughts.

    Best regards



  1. Hi Norman, I think we cannot define risk appetite in easy terms. I'm thinking that we need to start by defining a set of standards that would define risk appetite. In financial markets they use terms like conservative, aggressive, moderate to define your investment "appetite". Perhaps we can use these to start defining risk appetite? I think it is important that we understand risk appetite from not only a corporate view but from an individual's perspective as well. There are many instances of how an individual's "risk appetite" has caused the downfall of corporations (Barings Bank) or countries (Germany, Iraq). I'm looking at how we manage risks as a means of identifying our risk management philosophies.

  1. Hi Norman

    Thanks for the reference! I really believe that this is one of the hardest areas of risk management at the moment. Many banks totally failed to live by their risk appetites: nary a one had a risk appetite statement that said we want to help bring down the entire financial system by taking some excessive risks.

    I am beginning to think in terms of three components:

    1. An organisation's propensity to take risk, which will, amongst other things, depend on its views of why it engages with risks, and what sort of risks they are talking about;
    2. An organisation's propensity to manage risk, which will depend on the ability of the organisation to explicitly or implicitly manage the risk and its preferred risk control strategies; and
    3. A measurement yardstick, which might be some form of shareholder value approach (or a substitute for public or third sector organisations).

    If we accept that suggestion, I would suggest that it is incumbent on the board to set a risk appetite and to stipulate what it is, both to alert stakeholders (shareholders, vendors, employees) and to inform staff how they are expected to behave.

    The next challenge is to take that down to a level of granularity that allows you to actually do something with it. But hey, even if we only start with influencing the risk taking/risk avoiding culture in the organisation, we might be making a start. And to Mark's point, that would allow you to assess individuals' risk appetites against the corporate appetite - although quite whether Nick Leeson would have been identified, or Saddam constrained, I don't know!

    Happy to discuss!



  1. Hello Norman:   I'm no expert at this; this is an emerging practice for even some of the largest banks and this crisis will send them back to the drawing board I suspect.  Here are some thoughts on questions one might ask in developing risk appetite and related policy statements:

    1) What leverage and liquidity standards will we live within as a corporation?

    2) Is our company a first-mover or follower and in which aspects of our business?

    3) Are we following a value strategy or a growth strategy overall and in particular businesses?

    4) What is the cost of capital / ROI we expect on projects before we provide capital to fund them?

    5) What are the disbursement or investment authority limits assigned to particular levels of management?

    6) What bets will we make and which will we not make? 

    7) What is our core competency or core business and what is peripheral to that competency?

    8) Value at Risk (VAR) involves a probability, amount and time period: "We are only willing to accept a 1% probability of a loss greater than $1 million on any given day."  Does such a standard apply to our business?

  1. Thanks all for the comments.

    I am fine with the principle of risk appetite or tolerance. What I am having trouble with is the concept of aggregating across multiple risks of different types to get an overall corporate risk tolerance that is approved by the board.

    People are able to calculate values, often translated into dollar terms, for each risk. But you can't necessarily add them up to something meaningful. If you do, it implies that is OK to have one risk as long as another falls by as much or more.

    But is that valid?

  1. Hi Norman,

    I'm a humble practitioner. We have come up with a specification that works for us, both on the macro and on the micro level. Our definition of risk appetite comes in two parts: one on single risks, and one on the risk portfolio.

    We make a 5x5 risk map of the risks of the company, as well as of any individual project. The probability scale is percentages; the impact scale is based on the planned benefits. Very high impact is "losing the full benefit". High is then half of that, medium is 25%, low is 10% and very low is 5%. The same goes if the benefit is non-financial.

    The risk map defines a number of "cells" as "priority 1". One element of our risk appetite is that we are not "allowed" to have any priority 1 risks after mitigation.

    The second element is one of portfolio. In this, all impact measures are "translated" into financial targets, and hence a "very high" non-financial impact is considered equal to a very high financial impact.

    With re-scaling of all risks in the project, a Monte Carlo simulation is run, and a 5% worst case scenario is calculated. We have defined criteria for what is acceptable.

    If/when projects meet both criteria they are ERM approvable. The same goes for the operation of the company as a whole, where our total 5% worst case risk exposure does not exceed the defined % of our planned profitability, and we don't have priority 1 net-risks.

    This is communicable and applicable. We do it, and so far we are prospering, and don't know that we are wrong (if we are).
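The two-part test this comment describes (no priority-1 net risks, and a 5% worst case within a limit) can be made concrete. The following is an added example, not the commenter's own tooling: the impact fractions are the ones stated in the comment, while the priority-1 cells, the 50% probability cut-off, the tail limit and the sample risks are assumptions chosen for illustration. It also adds an exact enumeration of the loss distribution so the Monte Carlo figure can be checked on small portfolios.

```python
"""Two-part risk appetite test: single-risk cells plus a portfolio tail check."""
import random
from dataclasses import dataclass
from itertools import product

# Impact scale as stated in the comment: share of the planned benefit that is lost.
IMPACT_FRACTION = {"very low": 0.05, "low": 0.10, "medium": 0.25,
                   "high": 0.50, "very high": 1.00}
IMPACT_RANK = {name: i for i, name in enumerate(IMPACT_FRACTION)}


@dataclass
class Risk:
    name: str
    probability: float      # residual probability after mitigation, 0..1
    impact: str             # a key of IMPACT_FRACTION
    financial: bool = True  # informational only: non-financial impacts are
                            # rescaled to money exactly like financial ones


def is_priority_1(probability, impact):
    """Assumed priority-1 cells: impact high or above at 50% probability or more."""
    return IMPACT_RANK[impact] >= IMPACT_RANK["high"] and probability >= 0.50


def loss_if_occurs(risk, planned_benefit):
    """Translate an impact band into a monetary loss against the planned benefit."""
    return IMPACT_FRACTION[risk.impact] * planned_benefit


def worst_case_exact(risks, planned_benefit, tail=0.05):
    """Exact tail loss by enumerating all 2^n occurrence patterns (small portfolios).
    Returns the smallest loss L with P(total loss <= L) >= 1 - tail."""
    outcomes = []
    for occurs in product((False, True), repeat=len(risks)):
        prob, loss = 1.0, 0.0
        for risk, hit in zip(risks, occurs):
            prob *= risk.probability if hit else 1.0 - risk.probability
            if hit:
                loss += loss_if_occurs(risk, planned_benefit)
        outcomes.append((loss, prob))
    outcomes.sort()
    cumulative = 0.0
    for loss, prob in outcomes:
        cumulative += prob
        if cumulative >= 1.0 - tail:
            return loss
    return outcomes[-1][0]


def worst_case_monte_carlo(risks, planned_benefit, tail=0.05, trials=50_000, seed=1):
    """Simulated tail loss: each risk occurs independently with its probability."""
    rng = random.Random(seed)
    totals = sorted(
        sum(loss_if_occurs(r, planned_benefit) for r in risks if rng.random() < r.probability)
        for _ in range(trials))
    return totals[max(0, round((1.0 - tail) * trials) - 1)]


def portfolio_approvable(risks, planned_benefit, tail_limit_fraction, tail=0.05):
    """Both appetite criteria: no priority-1 net risk, and the 5% worst case stays
    within an assumed share of the planned benefit (exact tail used here)."""
    if any(is_priority_1(r.probability, r.impact) for r in risks):
        return False
    return worst_case_exact(risks, planned_benefit, tail) <= tail_limit_fraction * planned_benefit


# Constructed sample project: planned benefit of 1,000,000 and four net risks.
PLANNED_BENEFIT = 1_000_000.0
SAMPLE_RISKS = [
    Risk("supplier delivers late", 0.10, "high"),
    Risk("scope grows beyond budget", 0.20, "medium"),
    Risk("integration rework", 0.30, "low"),
    Risk("key staff leave", 0.04, "very high", financial=False),
]

if __name__ == "__main__":
    exact = worst_case_exact(SAMPLE_RISKS, PLANNED_BENEFIT)
    simulated = worst_case_monte_carlo(SAMPLE_RISKS, PLANNED_BENEFIT)
    print(f"5% worst case: exact {exact:,.0f}, simulated {simulated:,.0f}")
    print("ERM approvable at 80% of benefit:",
          portfolio_approvable(SAMPLE_RISKS, PLANNED_BENEFIT, 0.80))
```

For the sample portfolio the 5% worst case is a loss of 750,000 (the late supplier plus the scope growth together), so the project passes an 80%-of-benefit limit but would fail a 50% one.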

  1. Hi Norman:

    On the concept of aggregation and how it could be done, think about the steps prior to aggregation. Then aggregation will be much easier.

    There are five important questions in establishing risk appetite, which are:

    Your company's attitude to risk. What is it? Are your board members risk takers, risk neutral or risk averse?

    Your company's goals. This is critical to know because you will be framing the risk appetite in context of these goals. You used five captions or so as examples but are your goals stated in context of these five captions or stated on something else. I doubt whether Toyota when it restated one of its goals to double market share in  five years time, that it necessarily thought through all the implications of this.

    Thirdly, what capabilities exist within your organization to manage risk. There are several factors that go into understanding what capabilities exist. Paul Sobel's book on Auditor's risk management guide did a good job in articulating this area further.

    Fourthly, what is your company's capacity to absorb a big hit? Do you have the financial wherewithal or not? If a company has the financial wherewithal, this could allow it to set an appetite that permits death of an employee from an accident.

    Lastly, costs versus benefits

    Once you have this info, the board should craft a quantitative and qualitative document using judgment directed to accomplishment of the goals. The roll-up aggregation is a complex process that interlinks many of the risks to then compare against the tolerances, but I like the concept of the buckets you describe. I have much more to say on this subject but for another communication.


  1. Hi Norman, we know that there are some risks that are enterprise in scope (horizontal; example is market) and some risks that are business or geographically specific (vertical; example is earthquake). I do not see a way to aggregate all risks into a single level or even multiple levels. I also think that we need to articulate more than just the risk appetite and tolerance. I think that risk appetite and risk tolerance add up to the risk culture of an organization. The risk culture describes how aggressive or conservative an organization is in achieving its business outcomes. It starts with individual risk appetites and tolerances at the board and executive level. These need to be aggregated and a decision at the board level should be made to determine the risk culture (what position the organization will take in pursuing objectives). That should set the tone for risk management.

  1. An appropriate topic for us in the UK as a new draft standard applying to listed companies states, ‘The board is responsible for defining the company’s risk appetite and tolerance. The board should maintain a sound system of risk management and internal control to safeguard shareholders’ investment and the company’s assets.’ Looking at the problem from an internal auditor’s point of view, the defining of risk appetite is important because any risks above the risk appetite need to be brought below the risk appetite, usually with internal controls. This implies that the risk appetite has to be defined in the same way as risks are measured, for example by impact and likelihood scores. This is fine in theory and not so difficult for a simple organisation (I’ve scored risks for a charity). However, for a large organisation there are problems, as other contributors have noted. For example, in a large company with small overseas subsidiaries, if you use one measure for impact across the group the subsidiaries are never considered high risk and might never get audited. Is this right? In my experience it is important not to get tied up with complex measurements but to always focus on the end objective: ‘Can I sleep soundly at night with this risk managed in this way?’

  1. David, I am with you 100%. Can you describe what is presented to the board so they can approve the "risk appetite and tolerance"? It has to be something simple enough for them to understand and approve, yet effective as a yardstick to ensure aggregated risks do not exceed tolerance.

    Some risks (e.g., AR risks) aggregate fairly readily. Others don't (e.g., trade compliance risks).

  1. Norman, I’ve been involved with the risk management of two organisations, one a multi-billion pound company with worldwide subsidiaries and the second as trustee responsible for risk management of a charity providing 59 homes for retired people on low income. Ironically it was the second that provided me with the sleepless nights since many risks were ‘life or death’. If an elderly person falls in their residence they could die if unable to summon assistance – that’s some risk!

    In both cases risks were measured by scoring the impact and likelihood of the risk on a scale of 1 to 5. The definition of a score of 5 would be ‘catastrophic risk resulting in death or serious injury, extreme monetary loss or other circumstances resulting in the termination of the organisation’. Each score for impact and likelihood would be similarly defined. Scores can then be applied to each risk – not an exact science – but possible. Takes time though, we had over 200 risks for the charity! Having scored the risks you then have a clearer picture of those risks which need managing. In the case of the charity, I provided a complete list of risks to the trustees but also asked them to endorse the list of risks I considered had to be managed, that is those above the risk appetite. In this instance the risk appetite was set at those risks which could cause injury or death to residents or staff, whatever the likelihood. Only very serious financial risks were considered. As you would hope, we already had controls for most of them. While this approach is rather informal, it achieved the main purpose of highlighting risks which had to be managed. To be continued...

  1. Continued...

    The approach for the company was different. The board of each subsidiary was asked to set value limits for each measure of impact. So an impact score of 5 might mean a loss of £1bn for a large subsidiary but only £100m for a smaller one. There is the problem of how to assess ‘loss’ – loss of cash, loss of value. What about loss of reputation following a product recall? It has to be given a monetary loss. This method has the disadvantage that, from a group point of view, subsidiaries are measured on a different basis. The way round this is to also score the subsidiary risks from the group point of view, although it does mean that some very small subsidiaries might never be audited, as they are such low risk from the group point of view.
    Having set values for each impact score, a matrix can be drawn up of impact v likelihood (sounds similar to Hans at Lego). The board can use this to set a risk appetite. See my book, page 20, for an example.

    Other useful publications are:

    Implementing Turnbull – a Boardroom Briefing, ICAEW

    Orange Book – The management of risk – principles and concept, HM Treasury

    Thinking about risk (3 publications), HM Treasury

  1. David, from what I can see in your book and your response, you are not aggregating risks. Rather, you are sharing the more significant risks and their level (comparing each to tolerance/appetite) with the board.

    That approach is the one I have taken in the past. However, the ISO and COSO guidance is that the board sets risk appetite. Have you, or anybody else, seen any board approve risk appetite/tolerance where they are aggregating a number of risks? I doubt it is possible to come up with a single number, but perhaps people have defined a limited number of types of risk, each with a risk appetite/tolerance level.

  1. IMHO we are barking up the wrong tree if we ONLY look for a single number or single suite of numbers. That is why above I talk about the cultural issues of a propensity to take risk and a propensity to exercise control. Both of these can be measured by attitudinal surveys and can be built into mechanisms for deciding on a risk response. That then leaves the third dimension, which is measurement. And that I think can be done via a shareholder value model (or equivalent for public and third sector organisations). The important part of a shareholder value model is that one of the key drivers of value is the competitive advantage period, and a lot of the "softer" risks will fall under that bucket.

    Kind regards


  1. Let me suggest an answer.

    Each organization has a multitude of risks (to its success) that need to be understood and managed. However, only a relatively few are of such significance that they merit board attention. Management and the board should work together to identify and approve the organization’s risk appetite for each of these more significant risks. These may be a grouping of related risks (see below). The risk appetite/tolerance may be defined in either quantitative (e.g., for currency risk) or qualitative terms (e.g., for employee safety), or a combination of both, depending on the nature of the risk. Management is then responsible for developing risk management processes to ensure the level of risk within the organization is managed within the approved levels. The board should understand those processes.

    While the standards may discuss the board setting or approving risk appetite, in practice they approve levels for those risks (or groups of risk, where they are capable of being aggregated) that may be of a significance meriting their attention.
  1. In an August 2008 article in “New Perspectives”, authors Dan Helming and Arnold Schanfield listed 24 ‘buckets’ or groups of risk that might be considered for a healthcare organization:

    1. Climate Change
    2. Competition Risk
    3. Compliance Risk
    4. Country Risk
    5. Customer Risk
    6. Distribution and Logistics Risk
    7. Divestiture Risk
    8. Due Diligence Acquisitions/Joint Ventures Risk
    9. Economic/Market Risk
    10. Facilities and Fixed Assets Risk
    11. Financial Statements Risk
    12. Governance and Risk Management Risk
    13. Hazards Risk
    14. Human Resources Risk
    15. Industry Risk
    16. Information Technology Risk
    17. Intellectual Property Risk
    18. Manufacturing Risk
    19. Nuclear Proliferation Risk
    20. Outsourcing Risk
    21. Pandemic Risk
    22. Products and Services Risk
    23. Strategic Risk
    24. Treasury Risk


  1. We should acknowledge a couple of things:

      • A risk is being taken as to which risks will be taken to the board. However, they have limited time and attention so we have to be diligent about what they review and approve. 24 is at the upper end of what they can be expected to consume.
      • When it comes to groups of risks, care must be taken with aggregation. For example, it is appropriate to aggregate risks related to customer default on accounts receivable – the total of default amounts is monitored against tolerance. However, when it comes to compliance risks (if there is a “compliance” grouping), each risk in the group may be monitored against tolerance.

    As a next step, management should report to the board all risks, not just those above, where actual risk levels exceed approved tolerances above a specified threshold.
  1. I agree that aggregating different types of risk is problematic. As the commentators above point out, different risks are measured differently and have different risk profiles.

    For the board to be able to respond concretely, risk must be broken down into different categories. The transactional analysis underlying each type of risk will also vary. If risk is not disaggregated, board members will have difficulty understanding the sources of risk and, therefore, how to address each type of risk. Different types of risk -- e.g., intellectual property versus compliance -- require different responses.

  1. Norman, I fully understand your problems with the board and their span of attention! I haven’t aggregated risks and don’t understand the reason unless it is to indicate to the board which areas of the business have the highest risks. I don’t see that risks need to be aggregated to set a risk appetite. The risk appetite can be set at $100m for a probable likelihood, for example. This would mean that they should be informed if an occurrence resulting in a loss of $100 was probable. This might arise if a major debtor was likely to go bankrupt, or if a country was to run out of foreign currency such that individual debtors in that country could not pay.

    I apologize for my website being out-of-date, I hope to update it sometime this year.

  1. The discussion so far has been excellent and thought provoking. Let’s remember that the ultimate aim is to ensure all risks are managed to below the board’s risk appetite. Our major problem is not scoring and categorizing risks – it’s to persuade the board that understanding risks will help them run the business. In the large company I worked in, this involved working with the external auditors in running a risk workshop so the directors could identify their risks. This is an essential part of the risk process and helps the board understand the importance of risk management.

    I see the board as having three responsibilities regarding risk management:

    1. Instigating a culture of risk management throughout the company, starting with their identification of risks.
    2. Setting a risk appetite, based on the scoring methodology used to rank risks.
    3. Ensuring, usually through the Audit Committee and Internal Audit, that the management of the company are maintaining risks below the risk appetite and reporting instances where this is not being achieved.
  1. Norman:

    Over the years when working with organizations on ERM initiatives I found a simple rule very effective. I would tell business units and executives: you can accept any level of residual risk you are prepared to allow senior executives above you, up to and including the board on major risks, to see and understand.

    This, however, leads to the much more complex issue of how much boards actually know about the company's true retained risk status and how the board decides what is tolerable. Since few IA departments focus on reporting on residual risk status, and not many organizations have robust risk self-assessment processes, we don't know much about how boards decide other than that many allocate certain risks to dedicated committees.

  1. Tim,

    I would suggest that it is not Internal Audit's responsibility to assess and report residual risk status. That is a management responsibility. The exception is where the board has asked the CAE to serve as Chief Risk Officer as well.

  1. This was just posted on the Harvard Law School Forum:

    It doesn't get into this topic in detail, but I thought you would find it interesting.

  1. Norman:

    I wholeheartedly agree that it should be management's responsibility to report on residual risk status to the board, not Internal Audit. However, what happens if management is not providing reliable and materially complete reports on residual risk? What then is IA's responsibility? In cases where management is not providing the information, I suggest having IA do it is better than nobody doing it.

    Many of the major corporations at the root of the current economic crisis would have been well served if the board was fully apprised of the residual risks being accepted.

  1. Tim, if management is not doing the necessary work around risk management, my expectation is that Internal Audit advise executive management of the issue and report it to the board or audit committee.

    Internal Audit should not step in and perform a management function.

    However, if asked by management and approved by the board, IA can provide consulting services in this area. That may extend to facilitating management assessment of residual risk status, as well as helping establish ongoing risk management processes.

    I am also not opposed to the CAE also being CRO, if it is understood that the CAE only facilitates management assessment, and neither owns the assessment nor the actions required to manage risks.