Driver of a Statement of Risk Tolerance
Many, many firms struggle with developing good statements of Risk Tolerance. This is startling because a regulators and rating agencies alike say that good risk management requires a statement of Risk Tolerance.
For this post, Risk Tolerance will be used to mean the amount of risk that an organization might choose to retain after risk mitigation. The term Risk Appetite, which is often used interchangably will be used to mean the amount of risk that and organization plans to take, usually an amount less than the Risk Tolerance.
An analogy might be to the speed of a car. A particular driver in a particular car might be able to tolerate going 80 miles per hour on a highway that is well lit and that has little traffic. But tonight, they only plan to go 70 miles per hour on this trip.
Others use these terms to mean something else. Riskviews does not have an opinion about the value of these other definitions.
To form a good risk tolerance statement, the management of a company needs just two things – (1) to identify what adverse event they will base their tolerance upon and (2) the likelihood of that adverse event at their tolerance level.
Alternately, a risk tolerance statement can be built upon something that is itself tied directly to some likelihood, like a risk capital value at a 1/200 loss or the top speed of a car that is implicitly tied to an (unstated) level of likelihood of an accident.
But that unstated likelihood for the car speed is really the key to understanding why risk tolerance is so difficult for many, many managers.
You see, most people who drive a car will develop a tolerance for speed over time as they get experience with driving. They each have an internal mechanism that tells them that they have reached a speed that “feels” too dangerous. It is that roller coaster flip in the gut when the car barely holds the road on a tight turn. That adrenaline rush that comes right after the near accident. They are not calculating probabilities there, but their resulting tolerance could be seen to be calibrated to some safety margin that varies by individual.
But the problem is that some company managers are trying to form a risk tolerance for their company before they have any experience driving with a speedometer, in effect. That is because risks that a company takes are not always obvious to the management. And even when individual risks are well known, their aggregation usually is not, to any degree of precision.
So the thing that is missing for most managers is the experiential feel for their risk. Before setting a risk tolerance, they need to drive around with one eye on the speedometer of their company. That is with continual awareness of the amount of risk that the company is taking. They will need to do this for a multi year period so that they will see when their knuckles go white.
Waiting for this experience may not be the be the best approach, it would probably be better to look backwards at the risk level for the past 5 to 10 years of company history. For managers who have been there long enough, they have a good feel for when the company had much worse results than desired. The risk tolerance can be set by working from that worst year and figuring out how close to that situation that the company management is comfortable getting in the future.
Now to do this, it is much easier to simply pick a likelihood number. The number then defines the risk calculation. The risk would be the amount of loss that is expected at that likelihood value given the company plans for risk taking as well as the actual risks taken.
Then to build up that experience, managers need to look at the comparison between the risk and the capital or between the risk and the earnings of the company over their recent past and immediate future.
One thing to look for is how the actual risk taken to the plan. In some companies, a goal is set in terms of premium dollars written. But in some years, the premium goal is met, but the business written is actually much riskier than the plan. This may be the reason behind the bad experiences that the company has experienced. If that is the case, then the company needs to look to strengthen risk control practices before worrying about risk tolerance.
In the example above, the company risk number was smaller than the surplus number in all years except year 4. Company management agrees that they were too exposed to a major loss that year. So they have set their risk tolerance to their risk measure at 90% of surplus. With tolerance set at that level, every other year was within tolerance.
This is the best way for management to set a risk tolerance. Based upon experience, just like a person’s driving speed tolerance is based upon their driving experiences.Explore posts in the same categories: Enterprise Risk Management