The IRM has been inspired to issue guidance on risk appetite and risk tolerance. It’s very questionable though whether this helps us make much progress on organisational risk taking. Like many articles on risk matters it gets bogged down in a morass of vaguely relevant ideas so illiterately and unrigorously described that many sections are devoid of any discernible meaning.
Clouds of Vagueness discusses elsewhere why use of the term ‘risk appetite’ is a bad idea, but the IRM has insisted on using the term despite explicitly noting its abandonment by wiser souls. The reason for this is that the term – useful or not – is reasonably well embedded in the financial services sector where the authors come from. But this is not of itself a good reason to inflict it on the rest of the world as it struggles to think about its organisational risk profile and what it should be.
What’s more, use of the term leads the guidance to make many unhelpful remarks. For instance in several places it characterises risk appetite in terms of risk seeking or risk aversion and equates these two attitudes to ignoring risk control and focussing on risk control, respectively, despite noting elsewhere that this is wrong.
As is evident from the full title, the guidance distinguishes risk appetite and risk tolerance, in this case identifying tolerance as absolute limits and appetite as working levels. This is supported by some graph-like diagrams which treat upside and downside risk as equivalent and fail to distinguish adequately between risk levels (ie what you have now) and outcome levels (ie what you might have in the future). The idea that there is some level of upside or opportunity that is so attractive that you would not seek it is particularly inane.
At the centre of the guidance is a so-called framework – actually just a picture with some blobs which contain words and phrases, not even an influence diagram. The phrases within this framework include:
- risk capability – the idea that in thinking about your risk taking you need to bear in mind your capacity to bear risk and your risk management maturity
- propensity to take risk and to exercise control – which I don’t really understand but relate in some way either to our preferences or to our responses to specific types of risk, or maybe both
- organisational levels (strategic, tactical and operational) – which, apart from the mundane insight that risk management exists at all levels, seems to reflect an idea that at the strategic level there is a greater propensity to take risk and at the operational level there is a greater propensity to exercise control; whether this is descriptive or normative is unclear and again I really don’t know what the guidance is getting at
- metrics – to support the observation that we do not create enough objective risk measures in risk management as though this were merely an indolent oversight rather than a reflection of the difficulty in doing it (well).
And so on: flight or fight, multiple risk appetites, balanced risk, clockspeed, ‘implementing a risk appetite’, ‘governing a risk appetite’… (In both the last two cases I think this means implementing and governing a risk appetite statement.) A few examples of good practice would have helped to clarify the intent.
The overall impression is that there is much useful material hidden here. What is needed is a tutor figure who insists on rigour and clarity to bring some meaning to an undergraduate essay. It is a shame no such figure existed when the guidance was prepared. Even making changes so as to get a clear English Crystal mark would have been a major improvement. Perhaps the IRM should improve its own governance processes.
