The concepts of risk appetite and risk tolerance were introduced in 2004 in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's)
Enterprise Risk Management–Integrated Framework. Specifically, COSO defines
risk appetite as "the amount of risk — on a broad level — that an entity is willing to accept in pursuit of value." Naturally, organizations will have different risk appetites depending on their industry, management philosophy, operating style, culture, and objectives. Therefore, a range of appetites potentially exist for distinct risks, which may change over time. It is conceivable that organizations with separate business segments with various operations or subsidiaries operating in differing industries will have varying levels of risk appetite. In pursuing diverse business objectives, organizations should broadly understand the risk they are willing to undertake.
Risk tolerance is the acceptable range of variation in the achievement of objectives. Both quantitative and qualitative measures are recommended when evaluating risk tolerance. And while risk appetite is about the pursuit of risk, risk tolerance is about what an organization can actually cope with at a more granular level. There is a lot of confusion surrounding risk appetite and risk tolerance, providing an opportunity for internal auditors to educate organizational stakeholders and facilitate risk measurement and management.
An Updated Risk Framework
COSO's 2017 framework update,
Enterprise Risk Management–Integrating With Strategy and Performance, likely will create a heightened expectation for risk and compliance functions. Internal auditors are expected to educate executive management and the board in this area and to apprise them of key enterprise risk management (ERM) developments. COSO's 2017 ERM revision appropriately reflects the growing realities of the complexities and speed of risks in the global business environment and the need to integrate risk considerations with strategy and performance. Internal audit is positioned to provide an assessment of the propriety of the measures of the organization's risk appetite and tolerance.
The 2008 financial crisis and the subsequent recovery highlight how some of the largest corporations defined and measured their areas of risk and related appetite for risk, but still experienced massive business failures due to their risk management systems crashing. Many of the failures can be attributed to the lack of understanding about the level of risk tolerance an organization can truly accept. Despite setting clear goals, there may not have been any articulation of risk appetite or identification of those responsible when risks were incurred. Since the recovery, organizations have developed even more systems to address and measure their level of risk appetite, but a disconnect continues to exist as to how much risk tolerance the organization can truly accept — despite the proliferation of chief risk officers in certain industries.
Internal Audit's Role
As the independent function within an organization, internal audit ideally is positioned to assess what level of risk tolerance is truly being accepted by an organization. The unique relationship that internal audit has with operational management, senior management, and the board of directors allows for unbiased reporting of risk appetite and the level of tolerance that can be accepted.
Over the years, organizations were more aligned with documenting and reporting what their risk appetite was and did not extend that to the level of risk tolerance the organization might accept. In other words, organizations became adept at measuring the size of the risk meal, but not the potential consequences of consuming the whole meal. Taking that analogy further, the result of overconsumption typically leads to indigestion — and it may lead to dire consequences for the organization.
Addressing risk appetite and risk tolerance under the updated COSO ERM framework leads the internal auditor toward a matrix reporting of the organization's risk areas, risk appetite, and risk tolerance. Today, many internal audit functions use reporting tools such as heat maps, which can be adjusted to include qualitative and quantitative measures, enhanced visual presentations, and other forms of output indicating the potential risk tolerance outcomes the organization accepts.
A matrix reporting structure allows for a more robust picture of risk within the organization to senior management and the board. It includes results of internal audit testing presented by functional and business areas (See "Sample Matrix of Risk Reporting Within Organizations" at right). A risk issue in purchasing would be reported not solely for purchasing, but also for manufacturing and finance to reflect the wider impact to the organization. Further, this reporting would provide both quantitative and qualitative risk tolerance and risk appetite assessments and indicate whether additional action may be required. To illustrate, an automotive parts manufacturer provides its purchasing department the forecast for its aluminum raw material needs for the next six months. Purchasing is rewarded based on the level of cost controls over major essential purchases and in preventing stock outs of essential purchases. Suppose the purchasing department buys double the amount requested because the supplier offered a special volume discount. On the surface, the organization would have viewed its level of risk appetite in purchasing as low because raw materials are readily consumed. However, the level of risk tolerance being accepted by allowing the purchasing department to overstock has qualitative issues (e.g., rewards based on cost and on preventing stock outs). From a quantitative standpoint, the risk tolerance may be unacceptable given that the over-ordering of aluminum could lead to cash flow problems for payment, logistics costs for storing excessive amounts of inventory, and plant efficiency issues because of the space taken up by excess inventory. Reporting of this qualitative excess of risk appetite to purchasing, manufacturing, and finance would bring the wider effects into sharp relief. Given the integrated nature of manufacturing operations and incentive compensation systems, such effects must be carefully considered before taking action.
Frequently, the results of internal audit reporting require management to address risk appetite in a cross-functional manner. For instance, an acceptable level of risk appetite in purchasing may be unacceptable in finance. Although the planning phases of ERM typically may involve executive management across functions, this may not be true when results of risk assessments or findings are shared. A concerted effort should be made to share these results broadly to avoid narrow acceptance of findings and unintended consequences. In other words, the same breadth of organizational input that went into planning should exist when evaluating the output and outcomes as well.
A Complex Assessment
The basic risk-reward theory from financial economics informs us that assuming a certain threshold of calculated risk is necessary for business success. Once a certain level of risk within the risk appetite has been assumed, the next step is to worry about how much more risk can be tolerated. Business environments globally are dynamic and ever-changing. As such, both risk appetite and risk tolerance must be evaluated in the context of a shifting landscape, tracking a constantly moving target — a complex assessment that is easier said than done.
Specifically, with regard to risk management policies, reference points, and boundaries, the internal audit function must evaluate existing risk tolerance and risk acceptance relationships to determine whether:
- Existing risk tolerances are appropriately linked to the organizational risk appetite.
- Additional risk tolerances need to be created to ensure that the business is effectively managed relative to the risk appetite.
- The company is operating within the risk tolerance parameters that it has established.
Once it has completed the risk assessment, internal audit then must communicate its findings to help senior management and the board understand the company's current state. Reporting in a matrix format with assessment of risk tolerance and risk appetite by affected functional areas is useful to allow management to address issues in a more holistic manner. For board and audit committee reporting, the need is to be more concise and direct as to where quantitative or qualitative risk tolerance and appetite areas seem problematic (flag as red), could be cautionary (flag as yellow), or appear acceptable with no items to report or no action required (flag as green). Some boards and audit committees might only want to see items flagged as red or yellow to avoid information overload — critical due to myriad challenges that many organizations face in today's volatile, global economic environment. Volatility is the new norm in today's business climate and requires a greater need than ever to understand the relationship an organization has in its level of risk appetite and risk tolerance. Correspondingly, this reality also underscores the importance of continuously re-evaluating the risk appetite statement in light of changing conditions.
Enhancing Risk Management Capabilities
As organizations move aggressively to enhance their risk management capabilities, risk assessments of risk appetite and risk tolerance are going to assume a new and higher level of significance. While risk appetite will always mean different things to different people, a well-communicated, appropriate risk appetite statement can actively help organizations achieve goals and support sustainability. Clearly, risk management capabilities are evidenced by having disciplined and systematic ways of measuring, calibrating, and responding to risk. In today's environment, such capabilities have become indispensable. Unless internal audit coaches executive management and the board to thoroughly understand the relevance and importance of the vocabulary around risk and control, organizations will still not have learned real lessons from 2008's financial crisis.
Questions for Internal Audit, Executive Management, and the Board
Internal audit should consider:
- Quantitative and qualitative reporting: As the internal audit department updates or develops its risk assessments of the organization by functional areas against pre-established criteria, do they report the level of risk appetite in both qualitative and quantitative terms?
Traffic-light indicators: Are there indictors reported in the assessment of the levels (red/problematic, yellow/cautionary, green/acceptable) of risk tolerance the organization is accepting?
Variability reporting: Are the levels of risk tolerance being presented in terms of variability? Are these within allowable bands of variation?
ERM training adequacy: Are the levels of training provided for internal audit personnel and for those in governance over risk policies, management, and acceptance processes adequate?
Management should consider:
The board and the audit committee should consider:
- Enterprisewide risk communications: Have the organization's strategies and objectives been fully communicated throughout the organization? Has this communication addressed the level of risk tolerance and risk appetite that is considered acceptable?
- Cross-functional application: Does management have a cross-functional opportunity to address issues raised by internal audit in its reporting of its assessment of risk tolerance and risk appetite?
- Scenario analysis: Does management view risk tolerance and risk appetite assessments using "what if" scenarios to consider business volatility?
Comprehension of ERM philosophy: Does the board understand the level of risk tolerance and risk appetite being accepted in the organization and as implemented by management?
Board/internal audit relationship: Does the board have direct input into the level of assessment being performed by internal audit to report its results quantitatively and qualitatively?
Responsible and prudent governance: Is the risk reporting in sufficient detail to allow the board to fulfill its governance responsibilities to address any concerns that could affect organizational stakeholders?