Last reviewed 24 July 2013
There has been a fair amount of debate in recent years about risk tolerance and risk appetite. Mike Sopp considers how these concepts might be defined, with reference to some recent reports.
Strategic decision-making to meet organisational objectives will always involve some form of risk. However, risks, including health and safety risks, must be appropriately managed and owned by the senior management of the organisation.
Indeed, the Financial Reporting Council’s UK Corporate Governance Code, which applies to all UK listed companies, states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives”.
The nature and extent of the risk that an organisation is willing to take is often referred to as being an organisation’s risk appetite and/or risk tolerance. However, there has been much debate and conjecture as to what these terms mean and how they can be applied to health and safety risk management.
Consultation and guidance
Commenting on the Corporate Governance Code, the Institute of Risk Management (IRM) has stated that its application “represents an opportunity to place risk management, and in particular risk appetite, right at the centre of the debate on effective corporate governance and the role of the board in running organisations”.
However, the IRM also recognised that risk professionals are divided as to how to determine risk appetite and risk tolerance. There is little guidance on the subject but if it can be correctly defined, approached and implemented it “could be a fundamental business concept that will make a substantial difference to how businesses and organisations are run”.
In May 2011, the IRM published a consultation paper on the subject of risk appetite and risk tolerance, the purpose being to develop guidance for directors and risk advisors on the design and implementation of a risk appetite framework.
Following the consultation period, the IRM published Risk Appetite and Tolerance: Guidance Paper. Commenting on its release, the IRM stated that the consultation process had shown that there is considerable interest in this topic in the public sector as well as the private sector and beyond the UK, and that “while some specifics might differ, the underlying principles hold true for all sectors and all geographical locations”.
Importantly, the document makes the connection between risk and control. It notes that the dual focus on taking risk and exercising control is “both innovative and critical to a proper understanding of risk appetite and risk tolerance”, with the innovation being to look at “the interaction of risk and control as part of determining risk appetite”.
It also links the concept of risk appetite with an organisation’s risk management capability. This is the organisation’s current risk management maturity and capacity in terms of resources that are capable of being deployed to manage risk.
The document also suggests that, proportionately, more time is likely to be spent on risk taking at a strategic level than at an operational level, where the focus is more likely to be on the exercise of risk control.
Defining risk appetite and tolerance
The IRM guidance document discusses and explores the definitions of risk appetite and risk tolerance in some detail. It concludes that the two phrases have often been used interchangeably but argues that this is conceptually wrong.
In respect of risk appetite, the document notes that this is “a phrase that is widely used but frequently in different contexts and for different purposes” but that “there seems to be almost unanimity that it could be, and indeed ought to be a useful concept, if only it could be properly expressed”.
The IRM then provides a definition of risk appetite, which is given as “the amount of risk that an organisation is willing to seek or accept in the pursuit of its long-term objectives”.
Although it has provided a straightforward definition, it is accepted that risk appetite can be a complex concept and that “excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it”.
The document also recognises that, other than in the very simplest of organisations, there will be more than one risk appetite and that it is inevitable that risk appetite has to be capable of being expressed differently for different classes of risk and at different levels of the organisational structure.
As stated above, risk appetite must be integrated with the control culture of the organisation, which leads to defining risk tolerance. The definition given is “the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long-term objectives”.
The IRM comments that this is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:
in the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed, or
more in the nature of trip-wires, that alert the organisation to an impending breach of tolerable risks.
This concept is also touched on in British Standard (BS) 31100:2011 which, although providing an alternative definition of risk tolerance, notes that “risk tolerance can be limited by legal or regulatory requirements”, such as health and safety legislative requirements.
Although health and safety standards do not specifically mention risk appetite or tolerance, the now-superseded BS 8800 did make reference to “tolerable risk” which was defined as “the risk at a level that can be accepted provided risk controls are implemented to reduce risk as low as is reasonably practicable”. Typically this will be by following best practice guidance.
Whether or not the concepts of risk appetite and tolerance have a role to play in health and safety risk management is a matter of conjecture.
Application to health and safety
It is widely recognised that health and safety is a corporate governance issue and that the board should integrate health and safety into the main governance structures.
The Institute of Directors, in the publication INDG417 Leading Health and Safety at Work, states that “protecting the health and safety of employees or members of the public who may be affected by your activities is an essential part of risk management and must be led by the board”.
The same publication suggests that organisations should aim to protect people by introducing adequately resourced management systems and practices that ensure risks are dealt with sensibly, responsibly and proportionately. This is clearly linked to risk tolerance being limited by regulatory or legal requirements to reduce risks to as low as reasonably practicable. In other words, it is the propensity to control risks.
However, following the IRM consultation, the Institution of Occupational Safety and Health (IOSH) published a response paper that noted that “currently the questions to the board (detailed in the consultation paper) refer only to risk appetite and not to risk tolerance, which we think is more appropriate for downside risks”.
Making reference to the phrase risk appetite, IOSH states that “though this term has existed for several years now, there are concerns about how helpful or necessary it is, given that it implies ‘risk desire’, when really what is being ‘desired’ or needed, is the reward or benefit that may result from the risk-taking and not the risk itself”.
Crucially, IOSH suggested that “the paper needs to differentiate between upside and downside risks, as the term risk appetite should only be applied where there is upside risk”. They also suggested that the guide should make clear “that risk areas such as occupational safety and health are not part of an organisation’s risk appetite only its risk tolerance”.
IOSH also disagreed with the proposition that risk control is mostly operational, is not driven by strategy and does not require substantial time and effort at a strategic level, making the point that “operational risk-taking can sometimes create strategic risk, eg reputational damage or loss of licence to operate”.
Risk appetite framework
The final IRM guidance document reflects the differences suggested by IOSH and notes that while risk appetite is concerned with the pursuit of risk (ie the propensity to take risk), risk tolerance is concerned with what risk the organisation is able to deal with (ie the propensity to exercise control).
However, rather than being totally separate entities, the IRM suggests that both form part of the organisation’s “risk universe”, which is defined as “the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives”.
In response to concerns about the idea that risk tolerance is non-strategic, the guidance notes that the monitoring of approaches to risk appetite and risk tolerance should be high on the agenda of appropriate risk committees and that “the board of directors is responsible for the company’s risk appetite, risk tolerance and attitude to risk taking”.
The IRM recognises that different boards, in different circumstances, will take different views on the relative importance of appetite and tolerance, hence the need to include both in the overall risk appetite framework.
Indeed, the IRM identifies key questions that boards should address.
Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
Do leaders provide a role model in risk management thinking and actively discuss tolerance to risk issues?
The IRM suggests that there are four key elements that need to be taken into consideration when setting out on a risk appetite process. These can be summarised as follows.
Business context in terms of nature, size and complexity as well as pertinent regulatory environment (eg health and safety regulation).
Current risk management culture, most particularly attitudes towards governance, control and regulation.
Risk management process in terms of risk identification, assessment and monitoring.
Risk management systems in terms of policy, strategy and organisational structure.
The IRM guidance document provides a series of questions that the boardroom should address when it comes to the development of the framework. It is also worth noting that the framework proposed by the IRM specifically suggests that both risk appetite and tolerance activities can be undertaken at strategic, tactical and operational level.
Although the concept of risk appetite and risk tolerance framework development is in its infancy, there is potential for the process to be a useful tool to ensure that health and safety risk management forms part of the overall organisational risk management process.
As the IRM notes, it is “dealing with a topic that is relevant to many people in many organisations of different types in all sectors” and that the approach contained in the guidance “has far-reaching resonance with anyone who is interested in the subject of risk appetite and tolerance”.
Risk Appetite and Tolerance: Guidance Paper, Institute of Risk Management
Risk Appetite and Risk Tolerance: IOSH Response to the Institute of Risk Management Consultation Paper, Institution of Occupational Safety and Health
The UK Corporate Governance Code 2012, Financial Reporting Council
BS 31100:2011 Risk Management: Code of Practice and Guidance for the Implementation of BS ISO 31000, British Standards Institution