#LOCKDOWN DAY 10: RISK MANAGEMENT NOTES ABMI ? Practice Guideline A5: Risk Tolerance
ABMI Research Institute
Risk maturity & sector benchmarks | Risk governance | Learning & development
In my last article we discussed risk appetite on Day 8. I hope after a restful weekend, you are ready to resume on Day 10 with our discussion on risk tolerance.
The term risk tolerance is hardly ever used individually without relational reference to risk appetite. What is more common is to hear reference to “risk appetite and tolerance” and the reasons for this lie in the fact that we have wallowed so much in the confusion, that we are now accustomed and comfortable with it. In my previous paper I provided a clear definition of risk appetite and elaborated upon the context within which it is applied.
Risk tolerance reflects upon the degree of variability in performance arising because of risk which the organisation is willing to withstand. As a key element of risk appetite monitoring, risk tolerance provides an early warning and escalation protocol in which such variances are tracked and monitored within set threshold limits. (ABMI Reference Library, 2018 edition, p49). It is important to note that such variances can be on the negative or positive side as shall be illustrated further on in this report.
A NOTE ON RISK TOLERANCE
The implications of risk tolerance are wide, but one of the key benefits is that risk tolerance brings alignment between organisational performance and how this is impacted by risk. By reflecting upon potential variations in performance that may result from risk and the relative acceptability and thresholds thereof, risk tolerance requires us to re-consider how we look at organisational performance target-setting. Traditional strategic plan targets are required to be specific and for that reason, whether misapplied or not, organisations generally set definitive and non-negotiable targets. Such targets for example may sound like, “Revenue Growth %” where the specific target is then set as “8%” for example. In organisations that have not implemented the prescripts of risk tolerance, revenue growth of 7% would be reflected as a “FAIL” whilst revenue growth of 16% would be determined to be “EXCELLENT”. However, where effective risk tolerance targets and monitoring are in place, the organisation may actually find that the 7% is reasonable and the 16% problematic. How, you may ask? If one doesn’t know how they achieved a specific outcome, it may actually be that the very performance outcome will be the greatest sustainability problem that the organisation will deal with in the future.
We have heard of several organisations that, before a cataclysmic fall had been doing very well, and hindsight wisdom shows us that the reason for their eventual failure lay in the very aspects that looked like success. An example of a likely indicator of downstream challenges like this would be a growth in sales, yet on the other hand achieving this through widespread bribery and corruption. So, risk tolerance is asking us to reflect on the degrees of variability in our performance that may be caused by risk and then ask ourselves to consider which levels of variation (whether positive or negative) are acceptable/ reasonable, cautionary, and unacceptable (examples).
Separate Performance Monitoring View
Going with an example:
· Target Sales [2020] - R25,000,000
· Actual Sales [2020] - R87,500,000
· Conclusion - Positive performance
Separate Risk Tolerance Monitoring View
In the realms of separate risk tolerance monitoring:
· Risk appetite theme - Fraud, corruption & other unethical conduct
· Risk appetite stance - Low appetite for such risk
· Risk tolerance indicator - Number of instances of bribery
· Acceptable measure - 0
· Cautionary measure - 0
· Unacceptable measure - 1 & more
Integrated Performance Monitoring View
When we integrate performance monitoring with risk tolerance monitoring, and we will see this again when dealing with practice guideline C2 under risk and performance integration (ABMI) this is what the picture looks like:
· Target Sales [2020] - R25,000,000
· Actual Sales [2020] - R87,500,000
· # of instances of bribery - 17 (75% of sales were through bribery)
· Tolerance to variance - Zero (Dependent on risk type, tolerance could change)
· Conclusion - Unacceptable performance, Investigate & Resolve
RISK MATURITY ATTRIBUTE STATEMENT:
The organisation is expected to have risk tolerance thresholds that are defined and measured as well as reported upon on a periodic basis. This is in terms of the competence standards of the attribute-based maturity index (ABMI Reference Library, 2018 edition, p7).
In determining the risk tolerance thresholds, the practice is different within organisations but in terms of preceding discussions and in line with both the approach followed by Nedbank Group South Africa and suggested by the Barfield report, there is need to consider both quantitative and qualitative measures that support each of the risk appetite themes in promoting measurability and entrenchment of early warning triggers. (Nedbank Group Limited and Nedbank Limited, 2015). In addition to these risk tolerance thresholds of a qualitative and quantitative nature, and possibly as a sub-set of these, there is also the need to consider those areas typically referred to as zero-tolerance areas. R.I.M.S. also advocates for a clear identification of those areas in which zero-tolerance positions are taken as these do not always signify a decision for which a calculated risk return analysis has been performed. It is the view here that although the cost of such losses or risks e.g. theft may be low, if such are ignored there may be downside implications in other areas of the organisation wherein risk may then become exponential in its multiplier effect. (**Extracted from the ABMI Reference Library, 2018)
KEY SUB-ATTRIBUTES OF A5: RISK TOLERANCE
Please note that in terms of the attribute-based maturity index there are 7 core components of risk management that comprise 26 primary attributes. These primary attributes are in turn split up into 93 sub-attributes. Below I analyse the sub-attributes of one of the 26 primary attributes. Keep coming back for more articles that unpack the other elements.
Some elements aren’t explained in full save for the focus item. All elements, however, are explained in detail in the ABMI Reference Library which can be obtained directly using a self-registered user profile on www.abmi.co.za
A:5-1 Risk tolerance threshold determination
The organisation formally determines and documents its risk tolerance thresholds as aligned to the risk appetite statement of the organisation at least on an annual basis.
The organisation must formally determine its risk tolerance limits and thresholds at least annually. The risk tolerance thresholds must promote a system of escalation where a limit has been breached as well as informing the next escalation channel even where the matter is not yet due for escalation.
A:5-2 Communication of risk tolerance limits
The risk tolerance thresholds are communicated and cascaded to operational divisions and affected individuals.
The organisation should ensure that the established risk tolerance thresholds are communicated to the affected operational divisions or individuals who are tasked with the duty to manage and ensure that the organisation remains within set tolerance limits. Such implementation would include the development of operational matrices that are aligned to the risk tolerance limits and are used for monitoring and reporting within the operational units/ divisions.
A:5-3 Risk tolerance monitoring and reporting
The organisation periodically assesses its actual performance against the set risk tolerance thresholds and implements relevant corrective action where needed.
CONCLUSION:
For additional context, register a free user profile via www.abmi.co.za and download our free ABMI Reference Library Preview document or explore additional value-added offerings. Good luck and feel free to share your views. We are all here to learn and no idea is unwelcome!!!