590 words. Revised 08 May 2024.
In the discourse on Enterprise Risk Management, statements of risk tolerance and risk appetite can border on the absurd, showing a slavish adoption of financial terminology where it makes no sense. Let's examine first how "tolerance" and "appetite" are used in finance, where they actually can make sense.
Risk tolerance and appetite in finance
The degree of risk tolerance, whether at the individual or organizational level, describes whether you are relatively:
1) risk-averse (risk avoiding), which means you demand certainty, whose cost (in terms of a lower reward) you accept; or
2) risk-seeking, (accepting of risk) which means you accept uncertainty, in exchange for the chance of higher gains.
These orientations towards uncertainty can be expressed qualitatively, and have a quantitative result. For example, financial advisors attempt to gauge an individual’s “investor profile” (tolerance for risk) as mental attitude towards risk using a questionnaire. This leads to a selection of corresponding financial instruments, where high returns, used as as a proxy, are equated with high risk.
Similarly, investment fund managers describe the strategy of a fund as aggressive (risk-seeking) or conservative (risk-averse); and so have internal limits (risk appetite) dictating how much capital they will risk, according to the stated mission.
The notion is that levels of investment against anticipated return are measurable and controllable; therefore statements of risk tolerance and corresponding appetite make sense.
Risk tolerance and appetite in ERM, applied generally but not thoughtfully
With the advent of Enterprise Risk Mangaement, the buzz-words "risk tolerance" and "risk appetite" were seized upon and thrust into every administrative context, whether financial or not. As I see it, people did not think through exactly why or how these terms should be used.
I believe that the notions of risk tolerance and appetite have been translated into non-financial domains literally and often inappropriately. Because of the rhetoric, health care and other public sector agencies feel pressured to define a positive number indicating, absurdly, “tolerance” for children at risk, "appetite" for wait-listed patients, or "tolerance" for a certain number of traffic deaths. Taking it to an extreme, some have even wanted to assign a dollar value to human life. Then again, declaring “zero tolerance” implies a strict attitude to abhor and punish one or another social ill, but, of course, cannot confer an unlimited capacity to prevent it.
Practical advice
It is possible during the risk assessment to state the level of tolerance for each line item simply as high, medium or low, using the organization's criteria (i.e., goals, values, ethical code, etc.). It is one of four tests that determine the response to the risk. But in hundreds of risk assessments carried out in a variety of contexts, I have never found that a client wanted to record a specific measure of "risk appetite".
Conclusion
We could say that an excessively conservative culture (extremely risk averse, needlessly overpaying for guarantees, without analysis or exploration of alternatives) becomes more reasonable, once they are introduced to a rigorous process of risk analysis. Rather than becoming more risk tolerant or having an increased risk appetite, I think such a group simply discovers that risk does not exist where they thought it did.
This was indeed the whole benefit of Enterprise Risk Management. My former Director at Risk Management Branch told me: "Edward, we used to be known as the people who say NO." By contrast, when we helped clients submit plans and proposals to risk assessment, it was liberating. It enabled them to solve business problems and identify creative solutions, without compromising their values.
Notes
Please see related post: Risk Tolerance: Non-Finance Examples