Getting Practical on Risk Appetite and Risk Tolerance

December 2011 Bonus Resource

Over the past year, I’ve helped many management teams and boards get clarity about the concepts of risk appetite and risk tolerance. They came to me because, although there is a lot of chatter on the topics of risk appetite and tolerance, much of the literature is so jargon-filled that it’s a struggle to find the practical application of the concept.

Over the summer Melanie Herman, Executive Director of the Nonprofit Risk Management Center, invited me to co-author a white paper* with her on the topic of risk appetite. I jumped on the opportunity to distill my practical experience into a simple process that any organization can use to articulate its risk appetite and effectively integrate it in their decision-making. Here are the 5 steps of the process:

1. Define parameters (principles) for risk-taking
2. Calibrate the organization’s appetite for each major category of risk
3. Verify that the organization’s risk taking culture is aligned with the risk appetite statement
4. Apply the risk appetite statement when evaluating risks
5. Review risk appetite statements on a periodic basis

There is only room to provide details on part of the approach in this article, so I’ve chosen to share the first step in the risk appetite articulation process because it is essential for correctly framing the risk appetite discussion by the executive team and the Board.

Defining the parameters or principles for risk-taking involves reflecting on the organization’s mission and its corporate strategies aimed at achieving that mission. For example, a nonprofit whose mission is to help low-income residents of a rural community may decide its core strategy is to work through existing social services agencies rather than serve clients directly. An innovative partnership with a new agency would be mission and strategy-consistent. An innovative program to deliver services directly (eliminating the “middle-man”) would not.

Here are a few questions that you can use to define your organization’s parameters for risk-taking:

• What must exist for risk-taking to be palatable?

For example:

• promise of/potential for mission-advancement
• consistent with tax-exempt purpose (for nonprofits)
• commitment and clear strategies to learn from success or failure
• calculation of the cost of failure and consideration of organizational responses if the risk doesn’t pay off

• What level of unrestricted net assets is available for risk-taking? By risk-taking we mean doing something for which the outcome is highly uncertain but potentially mission-advancing.
• What risks would the organization never take? For example, the board of a professional society may decide that any risk-taking that could negatively impact the stature of members is unacceptable.
• What is the Board’s comfort with respect to the organization’s reputation? You’ll want to begin by determining if the organization’s current reputation is fragile, solid, improving, declining, etc. Then see if you can uncover what principles management and the board are currently or would like to apply for decisions that impact reputation. For example, an organization that is viewed by stakeholders as old-fashioned or out of touch may take bold risks to change that reputation, while an organization with a reputation for trustworthiness would never take a risk that might cause stakeholders to question its integrity.

Employees and managers need to understand the organization’s parameters for risk-taking to ensure that their decisions lead to the most efficient and effective use of resources and balance potential upside and downside effects. In the absence of a clear statement of risk appetite, it is left to each manager and employee to infer what he or she believes is the organization’s risk appetite. Invariably this leads to inconsistent risk taking and situations where risk is either under- or over-managed. Either case can result in sub-optimal organizational performance and resilience.

* The complete white paper (including a more detailed explanation of how-to articulate and apply a risk appetite and risk tolerance framework) is available in the second edition of Ready… or Not: A Risk Management Guide for Nonprofit Executives.

Follow the links to:

• Read this month's Feature Article - Risk Management Basics – Step 3: Integrate ERM into Business Practices
• Download a printable version of the entire December 2011 Issue of the Risk Management Made Simple Advisory.
  
• View the Article Index to access back issues of the Risk Management Made Simple Advisory.