Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

Clear Graphic


Risk appetite definitions
Issues and answers

by Matthew Leitch 9th December 2009 (revised 11 March 2010 in light of new research)



  • Provides straight answers to the main questions people have about 'risk appetite.'

  • Includes a collection of definitions of the phrase 'risk appetite' from different sources, including COSO, the IIA, and ISO 31000.


Please note

The author is available to help with work to evaluate existing arrangements for governing risk taking, design new tools and processes, write guidance on their use, review work done using them for lessons to learn, and (in the UK) to provide relevant training.



This article is a study of alternative definitions of the phrase 'risk appetite' and is designed to provide clear, definitive answers to the questions people most often ask.

Key points

The key points from this analysis, presented as answers to common questions, are as follows:

Published definitions

The definitions quoted below were found by searching the internet in late 2009 using Google and search facilities on the websites of likely sources, such as COSO's website and the website of the Basle Committee.

All the definitions found conflict with either each other, with actual practice, with decision making logic, or a combination of these. Several high profile organizations who frequently use the phrase 'risk appetite' did not offer a definition on their website (or it failed to come to light using searches). These included the Basle Committee, the FSA (despite 88 mentions in its handbook across 34 documents), the Financial Reporting Council, ACCA, AIRMIC, and IRM.

Other wide ranging risk and finance glossaries and organizations you might expect to provide a definition did not. These included the ICAEW, AICPA, London Stock Exchange, New York Stock Exchange, Reuters, www.investorwords.com, www.riskglossary.com, the Turnbull report, the Bank of England, Society for Risk Analysis, David Hillson (author of two books on risk attitude), Institute of Actuaries, Association of Consulting Actuaries, and the Government Actuary's Department.

Given the strong support for 'risk appetite' from government in the UK I was surprised to find it defined by so few, and this may indicate that the idea is less widely popular than it perhaps seems.

Definition as a maximum amount

The simplest definitions explain 'risk appetite' as an overall maximum amount of risk, on some basis.

Source Definition of 'risk appetite'
Institute of Internal Auditors, from its glossary "The level of risk that an organization is willing to accept."
ISO 31000:2009 and ISO Guide 73:2009 "amount and type of risk that an organization is prepared to pursue, retain or take"
HM Treasury's Orange Book "The amount of risk which is judged to be tolerable and justifiable"
Society of Actuaries ERM 'factsheet' "the level of aggregate risk that an organization can undertake and successfully manage over an extended period of time."
COSO's ERM framework offers two slightly different versions (1) "the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals."
(2) "the amount of risk an entity is willing to accept in pursuit of value."

These attempts at definition reflect a number of common misconceptions:

Definition as willingness

Other definitions talk about degrees of willingness to take given risks.

Source Definition of 'risk appetite'
Business Continuity Institute, from its glossary "The willingness of an organisation to accept a defined level of risk in order to conduct its business cost-effectively."
www.IRMI.com "The degree to which an organizationís management is willing to accept the uncertainty of loss for a given risk when it has the option to pay a fixed sum to transfer that risk to an insurer."
Lloyds Market "the willingness to take on risk"*

* This is not a very clear definition and other text from the same source suggests a concept based on maximum amount.

Note that these definitions make 'risk appetite' a function giving the level of willingness for any given risk. Methods for quantifying 'willingness' are not discussed.

Other definitions

The following definitions either suggest different ideas to those already covered or are offered by consultants and authors rather than by more 'official' sources.

Source Definition of 'risk appetite'
OGC glossary, referencing M_o_R Refresh 2007 "An organizationís unique attitude towards risk-taking which in turn dictates the amount of risk that it considers is acceptable."
Oxford Risk (consultants on risk psychology) in their glossary "A person's propensity to prefer riskier or safer alternatives."
Risk Appetite: The Foundation of Enterprise Risk Management by Towers Perrin available here "the total risk that an organization is willing to take to achieve its strategic objectives and meet its obligations to stakeholders."
Whatís your risk appetite? by Oliver Wyman available here "the variability in results that an organization and its senior executives are prepared to accept in support of a stated strategy"
John Thirlwell in a presentation from 2007 "the amount that a firm is willing to risk (for a given risk-reward ratio)"
Currency Financial Inc, in their glossary "The amount of capital that you are willing to lose in order to generate a potential profit."

Some of these attempts at definition reflect a number of additional common misconceptions:

Interpretation in practice

In practice, when banks and insurance companies write about their 'risk appetite' in annual reports it is clear that they are mainly talking about a system of limits operating mainly on numbers, some of which are risk assessments but many of which are not. However, there is a lot of variation in the way these are explained and much of the text concerns how the limits are arrived at. Often, the 'risk appetite' part of their limit system is just a high level set of limits or policies of some kind, with the rest of the system being named in some other way.

Here are five illustrative examples from the UK.

Company and source Numbers used in 'risk appetite' control system
Prudential Annual Report 2008 "European Embedded Value (EEV) operating profit"
"International Financial Reporting Standards (IFRS) operating profit"
"EU Insurance Groups Directive (IGD) capital requirements"
"economic capital requirements"
Aviva Annual Report 2008 What they do is not entirely clear but what they say is: ďWe monitor the financial impact of the changes to market values (including our staff pension schemes) through our measurement of economic capital and sensitivities to our key performance measures and set our risk appetite in respect of the amount to be invested in different types of asset.Ē
Barclays Annual Report 2008 The long description is frustratingly unclear and includes a lot of puffery. It seems they rely on budgets and their risk models and try not to disappoint shareholders through low dividends or market value falls. Limits are set for individual businesses, and possibly for types of risk too, but it's not clear.
Lloyds TSB Annual Report 2008 They say: "Business risk appetite is encapsulated in the Group's budget and medium-term plan, which are sanctioned by the board on an annual basis. Divisions and business units subsequently align their plans to the Group's overall business risk appetite.

Credit risk appetite is expressed both in terms of credit risk economic equity and in terms of the impact of credit risk on earnings volatility.

Credit risk appetite is set by the board and is described and reported through a suite of metrics derived from a combination of accounting and credit portfolio model parameters which in turn use the various credit risk rating systems as inputs. These metrics are supplemented by a variety of policies, sector caps and limits to manage concentration risk at an acceptable level.

Market risk appetite is defined with regard to the quantum and composition of market risk that exists currently in the Group and the direction in which the Group wishes to manage this.

This statement of the Group's overall appetite for market risk is reviewed and approved annually by the board. With the support of the group asset and liability committee, the group chief executive allocates this risk appetite across the Group. Individual members of the group executive committee ensure that market risk appetite is further delegated to an appropriate level within their areas of responsibility.

Insurance risk appetite is defined with regard to the quantum and composition of insurance risk that exists currently in the Group and the direction in which the Group wishes to manage this.

Operational risk appetite is defined as the quantum and composition of operational risk identified in the Group and the direction in which the Group wishes to manage it.

The Group has developed an impact on earnings approach to operational risk appetite. This involves looking at how much the Group could lose due to operational risk losses at various levels of certainty. In setting operational risk appetite, the Group looks at both impact on solvency and the Groupís reputation, including customer service requirements.

For legal and regulatory risk the Group has minimal risk appetite and seeks to operate to high ethical standards. The Group encourages and maintains an appropriately balanced legal and regulatory compliance culture and promotes policies and procedures to enable businesses and their staff to operate in accordance with the laws, regulations and voluntary codes which impact on the Group and its activities.

Liquidity and funding risk appetite for the banking businesses is set by the board and reviewed on an annual basis. It is reported through various metrics that enable the Group to manage liquidity and funding constraints. The chief executive, assisted by the group asset and liability committee and its sub-committee the senior asset and liability committee, regularly reviews performance against risk appetite. The board reviews liquidity and funding risk on a quarterly basis.

Capital risk appetite is set by the board and reported through various metrics that enable the Group to manage capital constraints and shareholder expectations. The chief executive, assisted by the group asset and liability committee, regularly reviews performance against risk appetite. The board formally reviews capital risk on an annual basis.

The risk of reputational damage, loss of investor confidence and/or financial loss arising from the adoption of inappropriate accounting policies, ineffective controls over financial, prudential regulatory and tax reporting and the failure to disclose information on a timely basis about the Group.

The risk appetite is set by the board and reviewed on an annual basis. It includes the avoidance of the need for restatement of published financial and prudential regulatory data, public disclosures about the Groups financial, including tax, performance and its legal constitution."
Nationwide Building Society Basle II Pillar 3 disclosures 2009 "Profitability
Return on Capital
External Rating
Liquidity
Solvency
Funding
Economic Capital
Asset quality"

Some of the documents whose definitions of 'risk appetite' have been quoted above also include statements revealing the reality of what is envisaged.

Source Definition of 'risk appetite' Related explanation
HM Treasury's Orange Book The amount of risk which is judged to be tolerable and justifiable "5.2 In either case the risk appetite will best be expressed as a series of boundaries, appropriately authorised by management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it. This means that risk appetite will be expressed in the same terms as those used in assessing risk. An organisationís risk appetite is not necessarily static; in particular the Board will have freedom to vary the amount of risk which it is prepared to take depending on the circumstances at the time."
COSO's ERM framework offers two slightly different versions (1) "the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals."
(2) "the amount of risk an entity is willing to accept in pursuit of value."
They say that the broad-based overall level is to be translated into risk tolerances, which they define as follows: "Risk tolerances are the acceptable level of variation relative to the achievement of objectives."
Lloyds Market "the willingness to take on risk" In section 3 of their Risk Management Toolkit they give detailed suggestions about how to write a risk appetite statement using lists of numerical limits and statements in text form.

In the cases of the Orange Book and Lloyds Market the definitions of 'risk appetite' are inconsistent with the ideas subsequently explained.

Connotations of 'appetite'

Although the phrase 'risk appetite' is getting some high level publicity at the moment (largely from the world of accountancy) it is not as widespread or as popular as one might imagine.

So far we've seen that many organizations and sources that one expects would provide a definition of 'risk appetite' do not and even some high profile organizations that use the phrase do not offer a definition. The definitions available are inconsistent with each other, with actual interpretations, and with the logic of decision making under uncertainty.

Further evidence of reluctant usage comes from the report Getting It Right recently published by the ICAEW and written by Independent Audit Limited. People they interviewed had a familiarity with the phrase and were able to talk about it, but few used it within their own companies.

More recently, my own survey on the phrase 'risk appetite' has confirmed that it means different things to different people and it is easy to come up with clearer, more self-explanatory terms to label the concepts we want to use.

Do we really need research to tell us that this phrase is a confusing one? Not really. The phrase 'risk appetite' is an analogy with physical appetites such as for food or drink but it doesn't work. We have appetites for things we like or even need, whereas risk is generally seen as a bad thing by definition, though often a necessary evil. Furthermore, the word 'appetite' suggests something personal and instinctive rather than a part of good, thoughtful, rational management of an organization in the interests of its stakeholders.

It is hardly surprising that many people think 'risk appetite' is a psychological construct of some kind related to personality or mood. This idea is also reflected in some of the definitions shown above.

Summary

It's good to govern risk taking. It can be helpful to set limits and there are other methods that can be used also.

What is not good, and should be avoided, is using the phrase 'risk appetite'. From the start it has had illogical connotations and now it has a multiplicity of poor published attempts at definition.

Use more self explanatory and accurate phrase such as 'risk limits' or 'policies governing risk taking' instead.


© 2009 Matthew Leitch
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr