Enterprise Risk Management (ERM) is all about the organization making sure, and proving, that it is identifying and managing the significant risks to which it is exposed. Failure to identify and manage these risks can have devastating effects on business performance and on the long-term value of the organization.
If we look back at the origins of the global financial crisis of 2008, lessons abound of what happens when organizations decide to give risk management a back seat and treat the function as a non-strategic one. A handful of reputable financial institutions went under because of poor risk management implementation practices. In search of higher short-term returns and profits, these institutions took questionable risks that proved damaging in the long run.
When implementing ERM, it is therefore important to determine the organization’s risk tolerance. This is the risk exposure an organization deems fit to take or to avoid taking. Risk exposure is the extent to which your business or organization is exposed to a risk or a portfolio of risks. The extent of this exposure is a function of the potential impact (financial, reputational or on the ability to carry out goals) of a risk event and the probability of that event happening. The potential impact of the identified risk events can range from insignificant to very significant. The probability that a risk event will occur can range from highly unlikely to highly likely.
Setting the risk tolerance ensures the organization makes risk decisions and manages risk exposures according to established expectations. It clarifies what is and what is not an acceptable risk exposure, and that clarity lets the organization know with certainty which risk exposures it can take and which it must avoid. Furthermore, setting the risk tolerance allows the organization to evaluate actual risk exposures against authorized risk exposures, which in turn helps determine whether it needs to do more or less to manage the identified risk or portfolio of risks.
When establishing its risk tolerance, the organization must consider the following five factors:
- Risk attitude. This relates to the willingness to take risk. Are you a risk taker, risk averse or risk neutral? Suppose there is an investment with an average monetary return and an equal probability that the return will or will not occur. How much you are prepared to put into that investment determines whether you are a risk taker, risk averse or risk neutral. If you are willing to invest more than the average return, you are a risk taker. If you are willing to invest less than the average return, you are risk averse. If you are willing to invest only the average return, you are risk neutral.
- Organization’s goals. From a risk-tolerance perspective, goals set the target to which an organization directs its resources. Differing goals lead to differing risk tolerances. For example, public and private organizations have different owners, goals and performance measures. This dictates how the organization sees and reacts to its risks. Some risks exist for private sector organizations but not for public-sector organizations.
- Risk management capability. This refers to the organization’s ability to manage its risk exposures within the accepted risk tolerance ranges. In order to determine your organization’s capability to manage risks, you should ask the following questions:
  - Does your organization understand the risks it is exposed to, in terms of the potential risk events that could result in the occurrence of a risk and the potential impact and likelihood of these events?
  - Does your organization have risk measurement models capable of looking into the future and predicting risk events, instead of making decisions based solely on historical information?
  - Does your organization have sufficient, qualified and experienced people to manage risks?
  - Does your organization have appropriate and effective risk management practices to manage risks?
  - Does your organization have appropriate and effective controls and oversight in place to ensure that risk management practices are working?
  - Does your organization’s risk management environment (tone from the top and structure) support or impede the management of risks?
- Risk-taking capacity. The organization’s risk capacity determines its ability to absorb the impact of an adverse risk event. When setting your organization’s risk tolerance, you need to consider its financial capacity to absorb losses related to adverse risk events, as well as the potential impact of such events on the achievement of organizational goals and on its reputation.
- Cost and benefit of managing risk. The benefits of managing each risk exposure must exceed the cost of doing so.
Each of the above factors must be considered both individually and collectively. Risk tolerance is about taking risks within clearly defined and communicated boundaries set by the organization. There is always a potential upside and downside to taking risks. Trying to eliminate risks altogether, rather than managing and leveraging them, could harm the organization in the long run.