1.1 Risk Capacity, Appetite and Tolerance
The first step in learning risk management is to understand three important terms: Risk Capacity, Risk Appetite and Risk Tolerance. Let us understand the difference between them with a practical example:
Mr. A's total savings are $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700. If the markets are good, he is willing to invest a further $50.
Risk Capacity: Total amount available, i.e. $1000
Risk Appetite: His willingness to take risk, i.e. $700
Risk Tolerance: Acceptable deviation from risk appetite, i.e. $750 (the $700 he is willing to invest plus the additional $50)
Relationship between Risk Capacity, Risk Tolerance and Risk Appetite:
Risk capacity is always greater than both tolerance and appetite.
Tolerance can be either equal to or greater than appetite. Risk tolerance levels are acceptable deviations from risk appetite.
Risk acceptance should generally be within the risk appetite of the organization. In no case should it exceed risk capacity.
Periodic review of Risk Appetite & Tolerance
Risk appetite and tolerance need to be reviewed at regular intervals. Factors such as new technology, organizational restructuring, or changes in business strategy may require the organization to reassess its risk portfolio and reconfirm its risk appetite. Risk appetite and tolerance are the deciding factors for prioritizing risk responses. Risks in areas where appetite is low need to be addressed immediately.
It is important that risk appetite and tolerance are defined and approved by senior management.
Alignment of Risk Appetite with Business Objective
Risk appetite should be aligned with business objectives to ensure that resources are directed towards areas of low risk tolerance. For critical business processes, risk appetite should be thoroughly monitored and controlled. This helps a risk practitioner build more controls for the areas or processes where risk appetite and risk tolerance are low.
Let us understand this with an example. An organization has three business objectives. One of them is the most critical, with 80% of business derived from that area. The other two objectives are not as critical. The organization would like to spend more resources on this critical business objective to keep the residual risk within limits.
Compliance with Risk Appetite
Risk practitioners can determine compliance with risk appetite by evaluating the residual risk: the residual risk should be within the risk appetite (i.e. the acceptable risk). For example, an organization does not want to expose more than $50 on a given project, i.e. its risk appetite or acceptable risk is $50. The organization will have to keep its residual risk within $50 to comply with its risk appetite.
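The following is an added example, not part of the original notes, that encodes the relationship rules above (capacity greater than tolerance, tolerance equal to or greater than appetite) and then checks residual risk amounts against a profile, ordering them so the risks needing immediate response come first. It uses Mr. A's figures from the earlier example ($1000 / $700 / $750); the status labels, the RiskProfile class and the four sample residual amounts are this example's own constructions.

```python
"""Added example (not from the original notes): encode the relationship
rules for risk capacity, appetite and tolerance, then classify and
prioritize residual risks against them."""
from dataclasses import dataclass

# Response priority, highest first. The status labels are this example's own.
PRIORITY = {
    "exceeds capacity": 0,   # must never be accepted
    "exceeds tolerance": 1,  # needs a risk response now
    "within tolerance": 2,   # accepted deviation from appetite
    "within appetite": 3,    # compliant
}


@dataclass(frozen=True)
class RiskProfile:
    capacity: float   # total loss the organization could absorb
    appetite: float   # loss it is willing to accept
    tolerance: float  # acceptable deviation: appetite plus allowed overshoot

    def validate(self) -> None:
        """Enforce the relationships stated in the notes:
        capacity > tolerance >= appetite, all non-negative."""
        if min(self.capacity, self.appetite, self.tolerance) < 0:
            raise ValueError("risk amounts must be non-negative")
        if self.tolerance < self.appetite:
            raise ValueError("tolerance must be equal to or greater than appetite")
        if self.capacity <= self.tolerance:
            raise ValueError("capacity must be greater than tolerance")


def classify(residual: float, profile: RiskProfile) -> str:
    """Compare one residual risk amount with the profile and return its status."""
    profile.validate()
    if residual <= profile.appetite:
        return "within appetite"
    if residual <= profile.tolerance:
        return "within tolerance"
    if residual <= profile.capacity:
        return "exceeds tolerance"
    return "exceeds capacity"


def prioritize(residual_risks: dict[str, float],
               profile: RiskProfile) -> list[tuple[str, str, float]]:
    """Return (risk name, status, amount above appetite), most urgent first.
    Ties within a status are broken by the larger excess over appetite."""
    rows = []
    for name, amount in residual_risks.items():
        status = classify(amount, profile)
        rows.append((name, status, max(0.0, amount - profile.appetite)))
    rows.sort(key=lambda row: (PRIORITY[row[1]], -row[2]))
    return rows


# Mr. A's figures from the notes: capacity $1000, appetite $700, tolerance $750.
MR_A = RiskProfile(capacity=1000, appetite=700, tolerance=750)

# Constructed residual-risk amounts for four hypothetical investments.
SAMPLE_RISKS = {"fund-x": 650, "fund-y": 720, "fund-z": 900, "fund-w": 1200}

if __name__ == "__main__":
    for name, status, excess in prioritize(SAMPLE_RISKS, MR_A):
        print(f"{name:8s} {status:18s} excess over appetite: ${excess:.0f}")
```

Running the block lists fund-w first (it exceeds capacity and can never be accepted), then fund-z (exceeds tolerance, needs a response), then fund-y (an accepted deviation above appetite but within tolerance) and finally fund-x, which is compliant. Constructing a profile whose tolerance is below its appetite, or whose capacity does not exceed its tolerance, is rejected by validate() rather than silently classified.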
Factors affecting Risk Appetite
Risk appetite differs from organization to organization. Risk-prone organizations may have high levels of risk appetite, whereas risk-averse organizations may have low levels of risk appetite. Organizations adopt their risk appetite on the basis of their culture and predisposition towards risk taking.
Responsibility of monitoring the Risk
Risks should be monitored on a continuous basis, and the results of the monitoring should be communicated to the respective risk owners. Risk owners are responsible for ensuring that risk stays within the tolerance level.
Benefits of defining risk capacity and appetite
It provides evidence of the risk-based decision-making processes.
It helps to understand how each component of the enterprise contributes to the overall risk profile.
It helps in prioritization and approval of risk response.
It helps in identifying specific areas where a risk response is warranted.
Key aspects from CRISC exam perspective