Guidance Paper - The Institute of Risk Management
109 The original BS31100 contained more detail. It defined risk appetite as the “amount and type of risk that an organisation is prepared to seek, accept or tolerate” – very similar to Guide 73. The standard went on to define risk tolerance (bearing in mind that the definition of risk appetite includes reference to tolerating risk) as an “organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives”. The definition then includes a rider which states: “NOTE: risk tolerance can be limited by legal or regulatory requirements”.
110 Notwithstanding the regular appearance of risk appetite and risk tolerance in the same sentence (or definition in the case of BS31100) it is our belief that risk tolerance is a much simpler concept in that it tends to suggest a series of limits which, depending on the organisation, may either be:

• In the nature of absolute lines drawn in the sand, beyond which the organisation does not wish to proceed; or
• More in the nature of tripwires, that alert the organisation to an impending breach of tolerable risks.
111 We are concerned that this focus treats risk in an unduly negative way, something which we are challenging in this booklet in the sense that there should be a maximum tolerance for risk taking as well as risk avoidance.
112 While neither standard is very informative, it is instructive to see how the “appetite” word or similar words were used in the original BS31100:
Paragraph 3.1 Governance includes a bullet to the effect that the risk management framework should have “defined parameters around the level of risk that is acceptable to the organisation, and thresholds which trigger escalation, review and approval by an authorised person/body.”
Paragraph 3.3.2 Content of the risk management policy has the first explicit reference to risk appetite saying that this should be included in the policy and should outline “the organisation’s risk appetite, thresholds and escalation procedures”
Paragraph 3.8 Risk appetite and risk profile provides a much more comprehensive commentary on risk appetite, which is set out below:

1. “Considering and setting a risk appetite enables an organisation to increase its rewards by optimizing risk taking and accepting calculated risks within an appropriate level of authority
2. “The organisation’s risk appetite should be established and/or approved by the board (or equivalent) and effectively communicated throughout the organisation
113 In conclusion, BS31100 provides some guidance on how to use risk appetite, but it does not (nor did it ever set out to) provide guidance on how to calculate or measure risk appetite, although the standard does suggest the use of “quantitative statements”, without further elaborating. It is interesting to note that the revised version of BS31100 has substantially removed references to risk appetite to bring it in line with ISO31000. This leaves something of a vacuum on the subject, which this guidance seeks to fill.