Risk management - Part 2 exploring risk
Risk Appetite vs Risk Tolerance
In business, we talk a lot about risks that are within our “appetite”. But what does that actually mean?
Risk appetite is the total amount of risk, on a broad level, that the business is willing to accept in pursuit of value before action is deemed necessary to reduce the risk. This defines the parameters that an organisation employs when deciding whether to take the risk or not.
And that helps the business to define the types of risks, markets, products, services, and clients that they will pursue. This makes up your risk appetite statement.
It is not easy to define Risk appetite constraints because each business will be able to tolerate different levels of risk. What is important however, is that each business has a common understanding of risk and have prepared correctly for the likelihood and impact of these. Businesses should look at the maximum level of risk tolerance for each type of risk before they take any action.
Risk tolerance is the maximum level of risk we can accept per individual risk - so the maximum level of risk a business can absorb before breaching its capital base, liquidity levels, obligations to shareholders, clients and so on.
The business will set a number of different risk categories and apply a risk appetite for each. These are known as risk appetite statements and are based on different perspectives, concerns, and implications of external changes.
Examples may be:
Know your risks, respond better
Risk Response Planning is a process of identifying what you will do with all the risks in your profile. There are 4 main response types that we will look at in more detail.
- Risk Avoidance
Risk avoidance is simply not performing any activity that may carry risk. Risk avoidance attempts to minimise any vulnerabilities, which could threaten the business. Risk avoidance and mitigating risks can be achieved through a number of actions, such as having policies and procedures in place to clarify how the business complies with its obligations, identifying and providing training and education to ensure people fully understand, adhere to, and take action for their responsibilities, and technology implementations that ensure a risk cannot happen.
The easiest way for a business to manage its identified risk is to avoid it altogether. Avoidance takes place when the business refuses to engage in activities known or perceived to carry a risk of any kind. For instance, a business may wish to expand and look at potential buildings for suitability. However, it could decide not to purchase a building within a specific location, as the risk of the venue not generating enough revenue to cover the cost of the building is high. The response in this case would be to avoid the risk entirely.
There have been many recent examples of risk avoidance. We have all been impacted by inclement weather. A classic example of risk avoidance is when a business decides to close due to imminent extreme weather conditions. This is choosing to avoid actions that will trigger the risk, which in this case, would be that people are unable to travel home and so on.
- Risk Reduction
Risk reduction deals with reducing the likelihood and severity of a possible loss from a risk occurring. This technique puts controls in place to reduce the amount of risk there is to the business.
Simply put, risk reduction deals with mitigating potential losses. An example of this would be an investment risk. A business may invest in stocks that are deemed to have increased risk attached to them. For example, there is political risk associated with the production of oil, which means that the stocks have a higher level of unsystematic risk. The business can reduce the risk they have by diversifying their stock portfolio and investing in other industries, particularly those that carry less risk and are in the opposite direction to oil equities. This reduces the overall level of risk.
- Risk Transfer
In some instances, businesses choose to transfer risk away from the organisation. Risk transfer typically takes place by engaging an insurance company in exchange for protection against substantial financial loss. For example, every business will ensure that they are protected from accidental or deliberate damage to their building or other assets through property insurance.
- Risk Acceptance
Risk Acceptance must be a conscious decision, not a default action due to lack of information or desire to act in the right way.
Risk acceptance is an appropriate choice where the impact of an event and/or the likelihood of the event occurring does not justify the cost of mitigating the risk. Acceptance of risk however does not mean that the business is not prepared or that there are no actions to be taken. It normally means that the risk is within the appetite of the business and there is acceptance that the business is willing to carry the risk without putting additional controls in place.
In summary, when addressing risk controls and thinking about the mitigation response, remember that accepting the risk is an option. Choosing to “Do Nothing” can be the right option provided that due diligence has been completed and that the decision made by the business is not based on a lack of information or desire to control, but rather is based on a conscious and carefully thought out plan.
Risk Response options
Which is the best response for the risk we have?
The strategy you take ultimately depends on a number of factors but the principle approach is how it aligns with your risk appetite.
The best option to apply is always to avoid the risk entirely. However, whilst this may seem like the easiest choice, it is not always a practical one. If a business decides to utilise the avoidance option too often, this can result in the business operating well below its risk appetite, and in some cases, may miss any opportunities to achieve enterprise objectives. An element of risk within business is healthy and can provide room for growth provided they are well managed.
In cases where there is zero tolerance for the risk, then avoidance is the best strategic response.
It is important to note however, that risks are not static; they change over time, and as a result, the response to the risks must change over time as well. Unless the business decides to avoid the risk altogether, it is likely that a combination of the other risk response options will be utilised.
Risk Mitigation and our Responses
- Inherent Risk
Inherent risk is the raw or untreated risk. This is the risk as identified, before any mitigation has been applied or any action taken.
- Risk Appetite
Risk appetite is the total amount of risk the business is willing to accept.
- Residual Risk
Residual risk is the amount of risk that remains after controls have been identified and put in place.
Monitoring the Risks
Risk monitoring is the process of tracking how effective the risk management execution is and supports the continual identification and assessment of new risks.
Continuous monitoring of the risks we have identified ensures that the risk response strategy and the associated action plans we have implemented are progressing effectively. This process also provides assurance to the business that the controls in place are appropriate and that the overall management of the risks and the required actions are clearly understood and being followed as expected.
This helps to provide a clear view that:
- The treatment actions we have adopted have resulted in what was planned
- The business is improving how it manages its knowledge and using risk management to identify lessons learnt for future project delivery
The risk monitoring process can result in required revisions to the risk profile of the business and the identification of other risks that require treatment.
For example, monitoring may identify:
- Changes in the level of gross risk that would subsequently change the probability and impact assessment
- Changes in the effectiveness of existing mitigation technique and strategy
- An increase in the residual risk against our overall tolerance for losses
If we don’t effectively complete the risk management lifecycle, then the controls we put in place may not be fit for purpose, because we are not checking that the corrective actions are making a difference in our business. We also may miss secondary risks, new risks, become unable to take quick and decisive corrective action when a risk materialises, or not notice any trends that are emerging.
Remember, monitoring the risks by themselves is not enough. We need to feed that back into our risk governance process and take action. Risk monitoring provides us with the ability to look at the effectiveness of our controls but we need to make sure that they are discussed, challenged and acted upon!
Managing your Risk profile
- Risk Appetite is the total amount of risk we can accept as a business
- Risk tolerance is the maximum level for individual risks
- We need to define our risk response strategy
- Each risk may have a different response strategy
- We can avoid, reduce, transfer or accept the risk
- Risk is a continuing lifecycle
- Monitoring is the final stage but also where operational risk management begins
- We cannot eliminate all risks but we can control them