Will you get pulled over if you are driving at 68 miles per hour(mph)? It depends. Are you in a school zone, where the speed limitis 20 mph, posted with a flashing yellow sign? Are you in a denselypopulated area where you are not supposed to go over 40 mph? Or areyou on a highway, where the posted speed limit is 65 mph, but youknow that your state police patrol is fairly lenient, and won'tpursue cars passing under 75 mph?

In and of itself, the fact that you are going 68 mph isn'tnecessarily bad when considering the risk of a potential legalviolation. Rather, the amount of risk in getting pulled over duringyour travels is entirely dependent on the external guidelines andtolerances for speeding set by local authorities under a set ofparticular circumstances, or in a specific environment. It is ameasurement of risk set against the community's tolerancefor the risk of speeding – the maximum speed the community iswilling to accept on that particular road.

A closely linked question then is how willing are you tocontinue to drive 68 mph when passing through different speedzones? Your risk appetite could be considered yourwillingness and desire to continue to move at 68 mph, knowing thatyou are in a zone where the posted limit is lower. Risk appetite isabout the pursuit of risk. It may be greater, less than, or equalto risk tolerance depending on the circumstance. However, both riskappetite and risk tolerance are intricately linked to performanceover time.

For companies, setting either a tolerance or appetite forrisk—setting how they will progress against a “speed limit”—is acritical component of an effective enterprise risk management (ERM)program. Since there is no way that companies can eliminate allrisks of doing business, clarifying the amount and type of riskthat an organization is willing to pursue or maintain, by line ofbusiness or functional area, helps companies evaluate whereits resources should best be allocated to minimize its mostsignificant risks. It also helps companies make strategicdecisions, such as how to reach capital allocation targets and/ordevelop investment plans. On the flip-side, life in the slow laneis not always best either. Not having a high enough tolerance forrisk can mean failure to pursue lucrative opportunities, leading tostagnation.

How do organizations set effective risk tolerance or appetitelimits? Most companies track dozens, if not hundreds of risks, andprioritizing which risks should have a formalized, stated limit canbe a gut-wrenching challenge. Often, a “small bites” approach isbest.

One helpful tool in formulating an approach is the whitepaperissued in January 2012 by the Committee of Sponsoring Organizationsof the Treadway Commission (COSO), “Understandingand Communicating Risk Appetite” by Dr. Larry Rittenberg andFrank Martens. To determine risk appetite, this paper suggests thatmanagement, with board review and agreement, should focus on threesteps:

1. Developing a risk appetite framework
2. Communicating the appetite throughout the organization
3. Monitoring and updating risks to tolerances

Developing a Risk Appetite Framework

The first step towards establishing a company's risk appetite isto develop an overall framework for senior management review andapproval, setting a “tone from the top.” Clarifying roles of theboard of directors and key risk managers in the process iscritical, asking questions such as:

• Will the board and risk committee be the primarydecision-makers for setting all or some risk tolerance levels,or are limits going to be established within the organization,by business unit heads or line managers responsible for therisk?
• How will risk and risk appetite be reviewed and evaluated inlight of the company's goals and strategy? Will risk review bepart of the formal business planning process, or as a separateprocess of its own?
• Will there be multiple levels of approvals or workflowsassociated with the process?
• What information will be relayed to the board or riskcommittee, and with what frequency?

Risk appetite is company-specific, and contingent on eachorganization's goals, culture, financial position and operatingenvironment. Companies may set a risk appetite or tolerance levelfor such diverse risk areas such as capital or liquidity levels,earnings volatility, reputational rankings or operationaltargets.

Since there is no one best set of risk limits, companies must atleast establish solid procedures for weighing all relevant factors,and making informed decision with participation by all interestedstakeholders. The more thought that goes into designing an overallrisk tolerance or appetite framework, determining measurement andreporting processes up-front, the easier it will be to startestablishing individual limits on a risk-by-risk basis.

To this end, the next step is to build the framework out withcomprehensive metrics and data necessary to monitor areas forcloser attention. Without a robust, centralized database trackingall of the company's risks, the company cannot identify what itsmajor vulnerabilities are, and will never get enough information todetermine what they can or cannot handle as loss.

Risk appetite must also be considered in light of the controlenvironment of the company. A company's willingness to take risks,such as enter a new line of business or develop a new product,frequently depends on its ability to mitigate loss througheffective controls, policies and procedures.

Most companies undertaking an ERM program will thus kick offtheir risk appetite efforts by creating a core risk and controlregisters or libraries which will centralize and streamlinedescriptions of the company's risks, and enable the risks to bescored or ranked against each other through a risk assessmentprocess. Risks are typically assessed or evaluated with some formof financial-based scoring methodology, but quantitative measureslike degree of reputational risk, can also be used.

Only when the individual risk and control factors important tothe company are centrally organized and cataloged, can a fullevaluation be undertaken of what degree of risk a companypractically can–or is willing to–assume.

Communicating Risk Appetite throughout theOrganization

What is the use of having a speed limit if no one sees the sign?Communicating risk appetite is as important as setting it. Mostcompanies start their communication plan by crafting a broad formal risk appetite statement for each major categoryof risk, then honing it down to meet the needs of specific businessareas or functional departments. The proper level will vary basedon company goals and the specific risk involved. In any event,however, the language used for the statement should be simpleenough to foster a base understanding of the risk concept, butdetailed enough to help direct behavior in line with the appetite.Risk appetite or tolerance statements also often reflect thecompany's culture, which might be seen or phrased on a spectrumfrom cautious, measured, or steady, to leading, bold orinnovative.

• First-time risk appetite statements are frequently set in ascale or range of broad narrative, such as “high, medium, low”or “averse/avoid, cautious, moderately open, encouraging oractively pursuing.” For example:

Whilst pursing innovation in our products, CompanyX will notcompromise its reputation for excellence in customer service andtreating customers fairly, nor its commitment to legal andregulatory compliance. Consequently, we tolerate very lowrisk in the area of employee education and training,ensuring that underwriting and claim staff are given regulartraining on important legal, compliance and regulatorydevelopments, as well as extensive training on customerservice-related policies and procedures.

Appetite can also be established with a specific percentageor dollar amount, as noted in the followingexamples:

• On this line of business, our net unreinsured loss shouldnot exceed $1M.
• As a leader in our specialty lines of business, we striveto maintain an S&P rating of A or better for all of ouroperating entities.
• Our goal is to have capital in excess of ABC% of requiredrisk-based capital.

As companies become more sophisticated and grow in their ERMpractices, risk appetite statements generally become more explicitand measurable, more focused, and may be better targeted tospecific business practices or financial goals. Here, quantitativemeasurements in the risk appetite or tolerance statement shouldhelp define how individual risks should be managed on a dailybasis, transmitting enough information to provide some strategic oroperational directive to staff responsible for measuring, managingor controlling risk.

Documenting and communicating risk appetite, however, needs tobe tailored to all relevant stakeholders and their expectations.Risk appetite must take into account differing views at astrategic, tactical and operational level. Internally,statements may need to be tailored specifically to groups such asthe board of directors, senior management and employees.Externally, rating agencies, regulators, policyholders, andcreditors may have different needs and uses for information.Understanding and tracking how risk tolerance and appetite isinterpreted throughout the business, both top-down and ground-up,is important.

A report going to senior managers, for example, may need to be ahigh-level overview of the entire organization—a “30,000-foot view”that not only cuts across business units and breaks down silos ofinformation, but also rolls up and aggregates tolerance data fromacross departments. On the flip-side, other managers may want to beable to get more detail on a particular issue, and drill-down to see what is behind an aggregated view periodically, to confirmwhat their business units are doing, track whether risks areexceeding tolerances for a particular issue or analyze theinterrelationships between multiple risks. Dashboards and reportsshowing risk appetite should therefore be flexible, designedcarefully, and based on a broad spectrum of data collected fromdifferent parts of an organization that can be sliced and diced indifferent ways.

Monitoring and Updating Risks Appetite

Once a risk appetite or tolerance statement is defined andinitially communicated, it must be reviewed and refreshed on aregular basis. Company goals and strategies change. People change.Controls change, and their effectiveness may decline or improve.How the company responds to risk, therefore, is in constantflux.

Keeping abreast of change is, however, a major challenge formost companies. The process can be improved on the front end bycreating a common hierarchy, taxonomy and language for the risk andcontrol library. This enables risks and controls from differentfunctional areas to be compared against each other, and aggregated,so that a change to risk or a breach of risk tolerance in one areawill lead the reviewer naturally to changes in the risk as itimpacts other departments.

Procedures should also be developed for monitoring riskassessment levels, and flagging or highlighting circumstances whererisk tolerances are exceeded. Monitoring risk and tracking to risktolerance can be done manually or through specialized informationmanagement report systems. Today, many ERM systems permit thecomparison of routinely generated risk-relative data to anestablished target, to completely automate identification ofbreaches, and notify all interested stakeholders.

Ultimately, the goal of developing a formal risk tolerance orappetite framework is to help manage the direction of the companytowards its ever-evolving goals and objectives, steering managementthrough risk obstacles and opportunities. By developing a solidfoundation of risk identification procedures, collecting andcentralizing risk and control data, communicating statements ofrisk tolerances, and consistently monitoring risks to statedlimits, decisions can be better aligned to push performance and profitability.

Denise Tessier is senior regulatory consultant for InsuranceCompliance Solutions, Enterprise Risk Management and the ConsultingPractice at Wolters Kluwer Financial Services. She may be reachedat [email protected].