Working In Uncertainty

Making sense of risk appetite, tolerance, and acceptance (2nd edition)

by Matthew Leitch, original version published 17 July 2007, second edition published 9 August 2010.


A new edition of this article – why?

Welcome to a new edition of this article on ‘risk appetite’, ‘risk tolerance’, and related ideas and practices. The first edition focused on resolving the confusion created by the chaotic and misleading terminology used in this area of risk management. That article received considerable praise and has even been described as a ‘classic’. However, things have moved on and three events have been particularly important in prompting this major update:

  • The terminology problem and its solution were clearly established. The survey research reported here has confirmed the findings from reviewing published definitions, reported here, showing that the terminology really is a problem but that it can be solved simply by preferring plainer, more self-explanatory language than ‘risk appetite’.

  • The new UK Corporate Governance Code introduced a relevant new requirement. This applies to companies listed in the UK and the revised edition in 2010 contains a new sentence stating that ‘The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.’ This wording replaced the wording in the draft, which referred to ‘risk appetite and tolerance’ (a small but welcome victory for clear thinking). However, it also created a new challenge for companies, which is to comply in a way that is beneficial to them. The new edition of my article provides specific suggestions on how to do that.

  • A route to value from these initiatives has emerged. From the many discussions on this topic and from studying attempts by companies, public sector organizations, and their various advisors to do something worthwhile in this area it has become clear to me that there is something much more important and potentially valuable going on than putting some kind of limit on overall risk taking. The new edition explains this exciting opportunity.

Introduction and key points

While the terminology and theory around ‘risk appetite’ may have been a mess, some of the practical initiatives attempted around it contain the seeds of greatness. The common factor in these initiatives is the attempt to influence important decisions taken inside organizations directly, through policies and their implementation, in such a way that the limitations of knowledge are better handled. In other words, the aim is to get people to think effectively about ‘risk’ in some sense when they make important decisions. One option is to impose some overall limits on risk and overlay those on top of existing business planning and monitoring decisions, but this is only one option and not necessarily the easiest or most useful.

The decisions involved, the style of policy, and the approach to limited knowledge vary. Some techniques are better than others. However, the general desire is to reduce the incidence of decisions that are stupid, short term, narrow minded, or selfishly motivated. There is also a desire to give leaders new levers they can pull to influence people in their organizations. The general approach is to lay down some rules, or at least guidelines, focusing on ‘risk’ in some sense, and try to get people to follow those rules.

There is no one technique for making decisions, still less making them under uncertainty, that is theoretically perfect and practical in all situations in organizations. Nor is there one way to take ‘risk’ into account that is theoretically perfect and universally practical. However, there are several good approaches that can be used, ranging from computational to conversational, and it is not hard to see that circumstances should at least influence which are used. (See here for an overview and some practical suggestions.)

Furthermore, the technique for taking ‘risk’ into account needs to work with the overall approach to taking a decision. For example, if a decision is primarily based on finding ways to stay on budget then asking for Net Present Value calculations using risk adjusted discount rates reflecting the betas of alternative courses of action is not appropriate! In most cases it is too much work, but more importantly the Net Present Value criterion is philosophically incompatible with trying to stay on a fixed budget.

With these fundamental insights in mind it is obvious that crucial steps in any initiative in this area will include the following:

  • Identify the sets of decisions to be controlled, who makes them, and on what occasions. (This may be driven in part by how important those decisions are for risks of interest.)

  • Identify how decisions are made in each case, and perhaps consider improvements or clarifications.

  • Decide how to deal with ‘risk’ (or, more generally, limited knowledge) in each type of decision.

  • Draft or revise policies covering decision making, including handling limited knowledge. (These may include parameters such as the value of limits, targets, or weights, that can be varied while keeping the form of the policy otherwise the same.)

  • Implement the policies.

  • Revise the policies (or at least the parameters within them) at appropriate times.

Through following this approach there is an opportunity for many organizations to refresh their management methods, improve their decision making, and get more from their investment in risk management.

In the remainder of this article I will illustrate the above ideas by describing some typical projects (pointing out some common problems), and then go into more detail on project planning and on different types of decision, techniques for decision making, and techniques for dealing with limited knowledge.

But before that, to deliver on the promise of the title of this article, here is a brief explanation of relevant terminology.


The phrase ‘risk appetite’ does not have a single, established meaning. For most people with an opinion on it the meaning is something to do with willingness to take risk, or an extent to which a person or organization will take risk, or do something risky. There is a misleading suggestion that it has some kind of psychological basis and that people actually like risk to some extent. ‘Risk appetite’ is often seen as synonymous with ‘risk attitude’ though most experts disagree. ‘Risk attitude’ is a phrase whose meaning depends on the psychological theory and definition of ‘risk’ involved.

The phrase ‘risk tolerance’ also means different things to different people. Often it means the same as ‘risk appetite’ but is used in situations where it is harder to see the positive reward associated with the risk. Others use this phrase to refer to tolerable deviations from a target.

The phrase ‘risk capacity’ is seen as having more to do with objective circumstances and less to do with choices and preferences. Risk capacity is usually viewed as the ability to withstand losses. In this sense it is not a capacity for risk per se, but for actual events.

I refer to ‘limited knowledge’ because that is the objective situation we humans face most of the time. ‘Risk’ and ‘uncertainty’ are concepts we can use to gain an understanding of the limitations of our knowledge. The practical point is that some of the best ways to make decisions under limited knowledge do not involve using a concept called ‘risk’. They use ‘probability’ and ‘value’ instead. Therefore, talking always about ‘risk’ tends to exclude those methods.

Control of decision making illustrated by typical ‘risk appetite’ approaches

The most important point in this article is that the common factor in ‘risk appetite’ initiatives is the attempt to influence important decisions taken inside organizations directly, through policies and their implementation, in such a way that the limitations of knowledge are better handled.

This may not have been the thought uppermost in the minds of people who have worked on projects so far, but in hindsight it is clear that, where anything worthwhile has been achieved at all, it is through affecting decision making.

As this article will make clear, there are many alternatives when formulating policies to guide decision making under limited knowledge. The current state of the art has not explored every combination and there is huge scope for further exploration and improvement. Many projects could have achieved more with clearer thinking about different types of decision and how they are made. Furthermore, many have been undermined by choosing decision making techniques that are seriously flawed.

Certain techniques have appeared often in the past. Here they are, with notes on current strengths and weaknesses.

Risk control systems in UK banks

Although there are wide variations, the typical approach followed by UK banks has been to put in place a system of numerical limits and similar policies. These are often set annually along with targets and budgets. There are mechanisms in place to track the numbers involved so that compliance with the rules can be monitored.

  • Decisions involved: Annual planning, periodic reviews of progress against annual plans and decisions about changes to plans, decisions on new products and projects, day to day investment and lending decisions.

  • Decision techniques involved: Typically, for annual planning and progress reviews against the plan a variety of methods appear to be used, with the limits overlaid as constraints. For example, the initial plan might be the best the bank can come up with, judged by whatever criteria it wants to apply, provided the risk related limits are not exceeded. Computer systems are used to enforce more detailed limits from day to day.

  • Techniques for handling uncertainty: Various calculations, including modelling, Monte Carlo simulation, sensitivity analysis, efficient frontiers, simple comparisons with limits.

  • Types of policy used: Calculation methods, limits on risk measures, limits on risk related drivers (e.g. amounts lent or invested in various ways), and thresholds determining authority and escalation.

The strengths of this approach include its high profile, close integration with key decision making methods (especially where they are quantitative), and enforcement using computer systems.

Its weaknesses include a heavy reliance on limits. The problem with this is that it limits risk taking without helping people get closer to optimising it. However, the next type of project is also used often in banks and, where it is used, provides more guidance than limits.

Risk adjusted performance measurement in financial institutions

This involves calculating the cost of the capital required to cover risk generated by business activities. If this cost is subtracted from the financial contribution of a business activity this gives a better picture of its true impact on the business. For example, if a business unit pursues a highly risky strategy but is lucky enough to escape without serious problems for a period of time its reported performance will still be penalised for the risks involved.

  • Decisions involved: High level annual planning, assessment of performance feeding into decisions about rewards and future strategy, and decisions on corrective action.

  • Decision techniques involved: Running models to explore the implications of alternative strategies.

  • Techniques for handling uncertainty: The models attribute cost to risk for inclusion in financial decisions.

  • Types of policy used: Calculation methods, probability of ruin in a period of time.

The strengths of this approach include its smooth link between level of risk and cost, which is more informative and safer than using limits, and its discouragement of short termism.

Its weaknesses include the rare skills needed to do it, which tend to mean it is only done at a high organizational level.

High level risk appetite statements

By this I mean statements of policies on risk taking that are rather vague, usually expressed without numbers, or using numbers on poorly defined risk measures that divide levels of risk into just a few buckets e.g. ‘high’, ‘medium’, and ‘low’.

  • Decisions involved: Either no specific decisions are identified or this is a step towards setting some more specific policies.

  • Decision techniques involved: Not clear.

  • Techniques for handling uncertainty: Not clear.

  • Types of policy used: Bans on particular behaviours, vaguely expressed attitudes and limits or targets.

In themselves these statements seem to have little value, due to lack of clear meaning and failure to link them to specific decision making.

Risk appetite lines on Probability Impact grids

One of the most widespread approaches is to place ‘risks’ on a matrix that has ‘probability’ on one axis and ‘impact’ on the other – or similar words. A line is then drawn across the matrix and called the ‘risk appetite’ or something similar. The idea is that if a risk is placed on the ‘too risky’ high side of the line then something has to be done differently, but if the risk is placed on the low side of the line then no change is needed. The picture might look something like this:

[Figure: probability-impact grid with a ‘risk appetite’ line drawn across it]

  • Decisions involved: Decisions related to choosing controls to implement, reviewing such decisions.

  • Decision techniques involved: There are alternatives. Naturally people are inclined to consider the costs of controls against the benefits from managing risk, but the risk appetite line over-rides this and in some procedures costs are ignored and benefits are purely in terms of what side of the line the risk ends up on.

  • Techniques for handling uncertainty: Based on comparing a risk measure with a threshold.

  • Types of policy used: Method of decision making, threshold lines set either for each risk individually or set the same for all risks in a group.

This approach has been promoted by HM Treasury and others, and is seen often in the UK's public sector. However, despite this backing it is based on some serious misconceptions and leads to illogical decisions if applied rigorously, except in some rare situations.

There are four problems, and if an organization's approach has any one of these problems then it needs to be changed as soon as possible:

  • The aggregation problem: Whether a risk falls on the high side or the low side of the line depends to a large extent on how widely the risk has been defined. Virtually all risks in risk registers can be split into subsidiary risks, or aggregated with similar risks to form a new, larger risk. For example, ‘Fire at our warehouse’ might be split into ‘Fire at our warehouse started deliberately’ and ‘Fire at our warehouse started accidentally’, or might be split in other ways. Alternatively, it could be aggregated into ‘Fire or flood at storage facilities’. It does not make sense for, say, a risk that requires action to be equivalent to two risks, neither of which requires action.

    The aggregation problem is a fundamental weakness where the line is the same for all risks unless the risks are all comparable. Risks may be comparable either because some method of controlling aggregation is used or because they are the same type of risk in lots of cases, such as credit risk for each of a set of borrowers. In the usual case, where the risks are mixed and little can be done to control aggregation, the fixed risk limit idea fails and should never be used. At the very least, individual thresholds for each risk are needed.

  • The lost tails problem: When people select a level of impact from the bands provided they usually select a level that is ‘typical’ or ‘representative’ in their minds, or perhaps some kind of average. This means that other levels of impact are ignored. It may be that the most likely level of impact is ‘low’ but there is still a 20% chance of the impact being ‘high’. In this situation the selection will most likely be ‘low’ impact. This means that information about the possibility of severe impacts is not captured or considered further.

  • Failure to properly consider costs and benefits: Some procedures, including those promoted by authoritative sources, specify that a decision should be made on whether to treat a risk without considering the cost and effectiveness of possible controls. In principle, if a control is needed to move a risk from the high to the low side of the line and a control can be thought of to do it, then that control should be used regardless of its cost. It is also common to find that a risk that is on the low side of the line is then ignored, even if there are controls that would reduce it further and would be highly worthwhile on a cost-benefit basis.

  • Confusion over the decisions involved: There are a number of decisions involved in choosing controls because the effort of designing controls is itself potentially significant. For example, if no worthwhile control is currently under consideration then the risk has to be accepted as it is for now, but we can still decide to do some more work to think of better controls. Getting this wrong could mean that insufficient work is put into devising good controls.
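The aggregation, lost tails, and cost-benefit problems listed above can be reproduced on a small grid. This is an added example, not part of the original article; the band edges, the scoring rule (probability band times impact band), the position of the line, and every probability, impact and cost are constructed assumptions.

```python
from bisect import bisect_right

# Constructed 5x5 grid. Band edges and the line position are assumptions.
PROB_EDGES = [0.01, 0.05, 0.20, 0.50]                 # annual probability
IMPACT_EDGES = [10_000, 50_000, 250_000, 1_000_000]   # loss, currency units
APPETITE_LINE = 12                                    # score >= 12: "too risky"


def band(value, edges):
    """Map a value to a band 1..5 on the grid."""
    return bisect_right(edges, value) + 1


def over_line(prob, impact):
    """True when the risk sits on the high side of the appetite line."""
    score = band(prob, PROB_EDGES) * band(impact, IMPACT_EDGES)
    return score >= APPETITE_LINE


def aggregation_demo():
    """One risk over the line becomes two risks that are both under it."""
    whole = over_line(0.08, 500_000)        # 'Fire at our warehouse'
    parts = [
        over_line(0.04, 500_000),           # ... started deliberately
        over_line(0.04, 500_000),           # ... started accidentally
    ]
    return whole, parts


def lost_tail(impact_dist, high_band=5):
    """impact_dist maps impact -> probability, given that the event occurs.

    Returns the band an assessor picking the 'typical' impact would record,
    the probability of a high-band impact that the grid then forgets, and
    the band of the mean impact for comparison.
    """
    typical = max(impact_dist, key=impact_dist.get)
    recorded_band = band(typical, IMPACT_EDGES)
    p_high = sum(p for imp, p in impact_dist.items()
                 if band(imp, IMPACT_EDGES) >= high_band)
    mean_impact = sum(imp * p for imp, p in impact_dist.items())
    return recorded_band, p_high, band(mean_impact, IMPACT_EDGES)


def control_decision(prob, impact, prob_after, cost):
    """Compare the grid rule with a one-year expected-loss cost-benefit test.

    The grid rule treats a risk only if it is over the line and the control
    moves it under; cost plays no part. The net benefit is the reduction in
    expected loss minus the cost of the control (a deliberate simplification).
    """
    line_says_treat = over_line(prob, impact) and not over_line(prob_after, impact)
    net_benefit = (prob - prob_after) * impact - cost
    return line_says_treat, net_benefit


if __name__ == "__main__":
    print("aggregation:", aggregation_demo())
    print("lost tail:", lost_tail({20_000: 0.8, 2_000_000: 0.2}))
    # Expensive control that only just moves the risk under the line.
    print("costly control:", control_decision(0.08, 500_000, 0.04, 300_000))
    # Cheap, worthwhile control on a risk the line says to ignore.
    print("cheap control:", control_decision(0.04, 500_000, 0.02, 2_000))
```
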

Project approval criteria that cover risk

Although the phrase ‘risk appetite’ is rarely used, approval of projects in organizations often has elaborate written procedures to govern it, and these frequently involve some kind of risk assessment. This assessment may mean that the project has to be redesigned if it involves too much risk of certain kinds, or its benefits have to be higher to compensate for a high risk score.

  • Decisions involved: Approval of projects of various kinds.

  • Decision techniques involved: Assessment of various factors, often according to a procedure that involves appropriate people at each stage, and using document templates and financial models.

  • Techniques for handling uncertainty: Often some kind of search for serious worries, or a score that is compared with thresholds for some reason.

  • Types of policy used: Checklists, scoring methods, thresholds with associated actions or penalties.

Strengths of this approach include its (typically) detailed guidance, while weaknesses tend to be due to rather subjective assessments and difficulties deciding on meaningful thresholds.

The scope for improvements to decision making under limited knowledge

How much improvement is possible? How valuable could it be?

The credit crunch of 2007 – 2009 provided a number of reasons for trying to improve decision making under uncertainty. Mortgage lenders in the USA took decisions that were based on short term, selfish motives, under-estimated risk, and continued to drive risks up beyond the point where it made sense for their organizations. It is not clear that inappropriate propensity to take risk played a particularly significant role, or even any role at all, but it is clear that decisions were faulty.

A part of the problem is management methods. Suppose Alan is Bob's boss and wants to ask Bob to make a special effort to sell a new product next month. They see each other daily and have a good working relationship. Alan wants to give Bob room to be creative in how he achieves the things Alan wants, so he says:

‘Bob, next month it's very important that you and your team make an effort to sell the new product. The plan is for sales of 120k in the first month, with 150k being at the top of expectations and less than 50k being a serious problem. Having said that, don't put existing sales at risk by ignoring them. Also, can you make sure everyone knows that we can't claim this product has health benefits. I realise that the branding sails close to the wind.’

In this conversation Alan expresses a form of target for sales of the new product but also warns about two risks (i.e. letting other sales slide and mis-selling). This is a natural thing to do and in conversations it is easy.

However, management control systems today often put a huge emphasis on numerical targets. If Alan's instructions were put through the usual system Bob would be left in no doubt as to the sales target and might realise the risk of ignoring other sales, but the point about mis-selling would be left out, or soon fade from memory, overwhelmed by the relentless pressure to hit targets.

This gap is one that ‘risk appetite’ methods try to fill. Instead of the board just telling people what it wants, it also tells them about what it does not want. Indeed, the board can go further and say how confident they want to be that those bad things will not happen.

More generally, it is human nature to see the future narrowly. We tend to be overconfident in our forecasts and believe we have more control than we really do. This problem is worse when we are with other people and subject to management systems that relentlessly push us to think about targets and offer rewards for meeting them.

The exciting opportunity here is to take off those mental blinkers and institutionalise open mindedness in important decisions. The technique of writing and implementing policies related to risk can help with this, provided we consider the specific decisions and decision making techniques, and make sure the risk related policies are compatible with the decision making techniques. Just determining some top level risk limits or targets will have little effect if they are not translated into specific decision making practices.

The main improvements will come from understanding decision making realistically and getting people to (a) think about risk/uncertainty at all, and (b) do it effectively. This is because individual differences in decision making tend to be driven more by differing assessments of the situation than by differing attitudes towards risk.

Planning new projects to improve decision making under limited knowledge

Incremental delivery

If an organization is planning a ‘risk appetite’ project then it should prefer incremental delivery.

What it should not do is plan a comprehensive project and move through a logical sequence of stages, such as identifying all the decisions, then analysing how all are made, then developing all the policies, and so on. This ‘waterfall’ style project will ensure that it gains no direct experience of changing decisions until the very end of the project. Instead, it will go through weeks, perhaps months, of laborious analysis, making mistakes that it will not detect until the policies are implemented.

It is much better with a project like this to progress just one type of decision through to implementation quickly, without doing the analysis on others, and so gain experience as early as possible. This experience will reveal mistakes and make other analyses more usable.

The ideal place to start may well not be with the board and annual planning because (1) it only happens annually so there are few chances to learn from experience, (2) board members may have less time available for problem solving and working through inefficient procedures, (3) it is better not to make early mistakes in front of the board, and (4) these are big, important decisions so mistakes could be big too.

Therefore, even if the initial intention is to restrict the project to just annual planning and quarterly monitoring at board level it may be better to include some other decision making to gain experience first.


One of the most appealing aspects of this sort of project is the opportunity to integrate risk management further into management generally. However, this also brings the challenge of working with others, often with a prior claim on those decision making processes. In addition to the people who actually make the decisions of interest there could be others from specialist teams who focus on, for example:

  • performance measurement and management;

  • finance (e.g. for budgeting and financial planning);

  • human resources (e.g. for personal performance appraisal processes);

  • IT; and

  • legal issues.

All of these people will tend to believe that they already ensure that uncertainty is considered. What they will not necessarily have done is to:

  • document how;

  • obtain recognition that risk management is happening (if it really is);

  • provide an opportunity for key parameters in those decisions to be altered by policies, such as by revising limits or weights; and

  • make links to other risk management work.

Decisions and ways to make them

The value of a project to improve decision making to manage risk better depends largely on being able to identify worthwhile improvements. The more people know about decision making and thinking under limited knowledge the more likely it is that improvements will emerge. Here is a discussion of some of the behaviours likely to be considered.

Types of decision

The search for decisions to include for consideration will tend to focus on those that are:

  • perceived as important for some reason, either individually or because they are taken very often (e.g. giving credit);

  • perceived to involve limited knowledge; and

  • taken ‘formally’, meaning that there are specific meetings or agenda items for them, perhaps even special committees, or are part of a high volume business process and so taken in a repetitive way.

Typical candidates will be:

  • long range planning, annual planning, budgeting, target setting, and rolling alternatives;

  • monitoring of progress against targets and/or budgets, which involves some decision making about how to change plans, targets, or budgets;

  • decisions about what controls to implement, or to approve decisions already made;

  • decisions to approve projects and other project decisions such as choice of main contractor and go-live approval;

  • decisions to approve bids; and

  • hiring and firing decisions.

Decision methods and policy ideas

My analysis of actual and suggested ‘risk appetite statements’ (i.e. collections of risk policies) shows that they are extraordinarily varied. I suspect this is a result of the variety of risks and decisions involved. This is a huge subject and in this section I will just give some suggestions and a flavour of what is possible.

Typical and special decision making

Most decisions, even many quite important ones, are not made after careful consideration of all the alternatives and weighing of all pros and cons. We use shortcuts – rules of thumb that do a good enough job and take less effort. Indeed, most decisions are taken under such great uncertainty that a good rule of thumb can perform as well as more detailed consideration, as well as being quicker to apply.

A deeper analysis may be reserved for new situations and where the stakes are higher than usual. A policy might capture the rule of thumb normally used and set thresholds for triggering more detailed study, use of experts, or escalation to a higher level of management.

People and conduct of meetings

The number of people involved in a decision, and their various roles, can be important and covered by policies.

The way meetings are conducted can also be important. Is there a genuine chairperson? A chairperson can help to control some group biases that interfere with group decision making. For example, there is evidence to suggest that groups tend to be overconfident in their judgements because they take the confidence level of the most confident person in the group, believing confidence to be a sign of competence. A chairperson can ask people to explain the basis of their views and so deter or expose baseless confidence.

Anchoring is another effect that can cause problems in a group. Suppose a group is trying to estimate a number (e.g. first year sales for a new product) and guesstimates are being made. The first estimate tends to influence all others, bringing them nearer to the first estimate than they would have been otherwise. A sensible precaution is to get people to write down their personal views before any are expressed. Variation between people is important information about the level of uncertainty involved.

With these and other biases in mind, why not have a code for chairing meetings and a policy that it will be applied in meetings that justify that level of attention?


In theory a lot of decisions are supposed to be driven by targets and this approach has reached bewildering levels of complexity in the UK's public sector. Getting risk on the agenda may be a matter of setting some additional targets, this time concerning levels of risk drivers, risk, or actual risk event occurrences. It is important to be clear if the targets are aspirations, numbers to plan for, or bare minimum levels of performance. The same potential confusion occurs with cost budgets, where a budget figure can be taken as a firm limit, as an amount to be spent or lost, or as a gentle suggestion unlikely to be taken seriously.

If the problem is approached in this way, using targets, then there will be (a) decisions about the levels to use as targets/limits and (b) decisions using the targets/limits.

Quantitative methods

Many decisions in organizations are influenced by calculations, often done on electronic spreadsheets.

  • Are they purely financial or are other factors considered?

  • How far ahead do they look?

  • Do they show the effect of decisions we might make in future or assume that all choices are made up front?

  • Do they explicitly show alternative possible outcomes?

  • Is some kind of sensitivity analysis used? Or Monte Carlo simulation?

  • If a discount rate is applied to cash flows, is that rate linked to the level of risk/uncertainty involved?

  • Are dependencies between variables properly considered?

  • How are resource limitations taken into account?

  • Are decisions on possible activities (e.g. potential projects) made one at a time, perhaps using some kind of hurdle return rate for acceptance, or by comparing possible activities against others, or are the decisions made by comparing possible portfolios of activities taken together?

  • Are risk measures used, or are calculations done using probabilities and outcomes in the traditional way? If a risk measure is used what is it?

  • Is total cost of risk used in some way?

  • Are the assessments of alternative courses of action reduced to summary numbers for comparison (e.g. expected values) or are decision makers presented with full probability distributions?

It is very important that people understand that making calculations on a ‘best guess’ basis is highly misleading and the outputs are not necessarily appropriate for the guesses put in as inputs. Crucially, calculations on this basis usually understate the value of risk management. For example, in real life a flexible plan is more valuable than an otherwise similar but rigid plan. However, a ‘best guess’ calculation will not show any difference.
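The point about ‘best guess’ calculations and flexibility can be shown by valuing a rigid and a flexible plan twice, once at the best-guess input and once across a set of scenarios. This is an added example, not part of the original article; the demand scenarios, margin, capacity cost and the two plan definitions are constructed assumptions.

```python
# Constructed numbers: scenarios, margin and capacity cost are assumptions.
SCENARIOS = [(40, 0.25), (100, 0.50), (160, 0.25)]  # (units demanded, probability)
MARGIN = 80           # contribution per unit sold
CAPACITY_COST = 50    # cost per unit of capacity installed
PLANNED = 100         # capacity the rigid plan commits to up front


def rigid_plan(demand):
    """Capacity is fixed in advance; unused capacity is still paid for and
    demand above capacity is lost."""
    return MARGIN * min(demand, PLANNED) - CAPACITY_COST * PLANNED


def flexible_plan(demand):
    """Otherwise similar plan: same margin and unit cost, but capacity is
    set once demand is known."""
    return MARGIN * demand - CAPACITY_COST * demand


def best_guess_value(plan):
    """Value of the plan at the single 'best guess' (mean) demand."""
    mean_demand = sum(d * p for d, p in SCENARIOS)
    return plan(mean_demand)


def expected_value(plan):
    """Probability-weighted value of the plan across all scenarios."""
    return sum(plan(d) * p for d, p in SCENARIOS)


def prob_of_loss(plan):
    """Probability that the plan loses money."""
    return sum(p for d, p in SCENARIOS if plan(d) < 0)


def compare():
    """Summarise both plans under both styles of calculation."""
    return {
        name: {
            "best_guess": best_guess_value(plan),
            "expected": expected_value(plan),
            "p_loss": prob_of_loss(plan),
        }
        for name, plan in (("rigid", rigid_plan), ("flexible", flexible_plan))
    }


if __name__ == "__main__":
    for name, figures in compare().items():
        print(name, figures)
```

The best-guess figure is identical for the two plans, while the scenario calculation separates them and also shows that the best-guess figure overstates what the rigid plan is expected to deliver.
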

In addition to stipulating methods, policies can provide a variety of limits, but the more informative ones provide a way to value outcomes, financial and non-financial, over a wide range, and also value uncertainty.

Common problems with risk related policies

My preliminary analysis of actual ‘risk appetite statements’ and proposals by researchers also shows that some serious problems are common. Many are vague, with metrics under-specified. Most lack crucial information. Some use metrics that are impractical or would lead to bizarre behaviour in some potential scenarios.

Perhaps the most important weakness is the failure to say clearly when each policy will be applied. For example, if the board wants to maintain a particular credit rating, when will this policy be applied? Who will apply it? Specifically, how will it affect decision making? Following the approach suggested in this article should at least solve this problem.

Summary of key points

From an unpromising mess of misleading terminology and pseudo-psychological theorising some solid practical ideas are emerging. The key is to understand that a ‘risk appetite statement’ is really a collection of risk related policies designed to control risk taking by affecting the way decisions are taken and, in particular, the way people handle their problem of limited knowledge.

Useful projects will involve identifying the decisions involved, understanding how they are taken, and choosing policies that work with those decision making methods, or improve them.

There is an opportunity here to institutionalise open mindedness about the future, something we usually need more of, and to give boards a new set of levers they can pull to influence behaviour.

Further reading

‘Risk appetite definitions: Issues and answers’ surveys published definitions of the term ‘risk appetite’ and examples of disclosures on it by companies.

‘Results of a survey of alternative risk phrases’ reports the findings of a survey exploring alternative concepts and phrases. The survey confirms that most people find other phrases clearer and more self-explanatory than ‘risk appetite’.

‘The real reasons we avoid risk: A fresh and practical perspective on fundamental theoretical questions’ explores the rational reasons for behaving as if averse to risk.

‘What circumstances are relevant to decision making under uncertainty?’ reports the results of a survey that explored the extent to which people think personality is important in rational decision making under uncertainty. This provides support for the observations in ‘The real reasons we avoid risk.’

‘Straighten out your thinking on “risk aversion”, “risk appetite”, “risk tolerance”, “risk limits”, and all that’ challenges readers to think clearly about these topics, revealing a number of common misconceptions.

‘How to be positive about risk’ explains some pitfalls in trying to portray risk in a more positive light, and suggests tactics for doing it more successfully.



Words © 2010 Matthew Leitch.