“There is a big difference between risk and uncertainty. You are dealing with risk when you know all the alternatives, outcomes and their probabilities. You are dealing with uncertainty when you don’t”
— Gerd Gigerenzer
“Risk” means different things to different people.
- How many of your friends who play lotto talk about the “risk” that they might win the big one?
- If the “risk” of a particular course of action is that your business might achieve profits 700% higher than the previous year, do you, as a business owner, try to manage this risk or maximise it?
- If “risk” refers to bad decisions (and their consequences) do you want to make any bad decisions at all?
- Does every opportunity involve risk?
- Are some opportunities so likely (or so significant) that “risk” is, for all intents and purposes, meaningless?
“Risk” means different things to different people but financial services licensees are required to “have adequate risk management systems; and implement and maintain [these] arrangements”.
In this context, concepts like “risk appetite”, “risk management”, “downside risk”, and “risk tolerance” are commonly used; often without ever defining “risk” or the characteristics of effective arrangements. In fact, some commentators suggest that “risk appetite” is an inherently confused concept that has “illogical connotations and… a multiplicity of poor published attempts at definition”.
Other commentators define “risk” as uncertainty caused by limitations of knowledge – essentially a failure to appreciate the consequences of actions, and the impact and likelihood of any problems.
Accordingly, they consider that the purpose of risk management is to “reduce the incidence of decisions that are stupid, short term, narrow minded or selfishly motivated”. For these commentators, business should instead focus on “value” and knowledge and then draft, implement, and revise policies that manage uncertainty.
In this context, “risk” refers to the chance of a “bad” or sub-optimal outcome and a Licensee manages these uncertainties according to their likelihood, their consequence, and their proportionality to the opportunity with which they are associated.
While some consultants may argue that effective risk management considers both good and bad outcomes, we think that this argument is illogical: if the “risk” is a good outcome (significantly more profits), then a business should logically pursue it and optimise its capability to capture it.
The problem with risk appetite
“Efforts to quantify risk appetite can sometimes produce an illusion of precision”
— KPMG International Advisory Report (2008) “Understanding and articulating risk appetite”
Despite confused terminology and poor definitions, there are considerable practical benefits in formally aligning decision making with an equally formalised consideration of possible outcomes. In addition to better managing uncertainty and limited knowledge, it assists Licensees to assess and acknowledge their tolerances for specific risks/outcomes.
However, a tolerance for adverse and uncertain outcomes should not be confused with an appetite for those adverse and uncertain outcomes; risks are not desirable in and of themselves.
Nor does assuming more “risk” necessarily lead to better returns.
For these reasons, “risk appetite” – although popular and widely used – should be abandoned as an “uncertain, ambiguous and unclear term in search of a definition and purpose”.
Essentially, risk appetite refers to either the “amount and type of risk that an organisation is prepared to pursue, retain or take” or the “level of aggregate risk that an organisation can undertake and successfully manage over an extended period of time”.
Unfortunately, neither definition encompasses an organisation’s willingness to assume risks (“propensity to take risks”) or the organisation’s willingness (or capacity) to manage the consequences of the assumed risks (“propensity to exercise control”).
It also fails to acknowledge that the propensity to take risks depends on the anticipated returns and the organisation’s ability to limit the consequence and impact of the associated risks.
The balance between these propensities (and the capacity of the organisation to manage these often competing priorities through management skill, sensitivity analysis, modelling or other techniques) reflects both the sophistication of their compliance framework and the organisation’s strategic commitment to risk management.
While risk may be an inherent element of any commercial enterprise, the implicit assumption that more risk leads to better results is also illogical. More risk can mean worse returns, and no prudent board would simply assume riskier strategies on the presumption that better returns would eventuate.
In short, as compliance professionals, we prefer to focus on tolerances, propensities and impacts to differentiate between risks that are a direct result of commercial activities – commission write-backs and debtor failures – and the operational, compliance and regulatory risks that flow from being an AFS Licensee.
Operational Risk Management
“Paperwork is a necessary and inevitable part of the system, but it, too, introduces dangers. The problem is not just the burden that it places on practical operations but also the deception that it breeds.”
— Langewiesche, William (March 1998). The Lessons of Valujet 592, The Atlantic
All commercial operations – in fact all human activity – involve dealing with uncertainty, knowledge gaps and potential adverse outcomes.
Understanding and managing the potential consequences of business activity is a key element of any well-run business and a responsible Licensee should use risk management analysis to underpin their pursuit of value and their strategic objectives.
However, while we believe in the benefit of managing risks well, we also recognise that many businesses place too much value in controls that mitigate or avoid trivial or hypothetical risks.
To be effective, we believe that clear boundaries and defined limits need to be embedded in each business: in its decision-making processes, its strategic planning and its performance management framework [“Organic”].
These need to be well documented and reflective of the Licensee’s objectives, plans, and experience, as well as the skills, resources and technology that they will bring to bear to support them [“Explicable”].
They also need to be flexible (rather than absolute) and based on the understanding that while their tolerances will vary between specific risks, their risk culture is unambiguous and their Board is committed to ensuring that any exposure to potentially adverse outcomes remains within the bounds of its capital and business management capability [“Representative”].
They must also regularly monitor, measure and report on their control framework – both quantitatively and qualitatively – and implement enhanced reporting where specific risk thresholds are reached [“Simple”].
We’d recommend that they start by formally considering their business, their willingness to take risks and their willingness and capacity to manage those risks through technology, management skill, regular monitoring and structured controls.
Your propensity for taking risk
“It is for the Board and senior management to determine the relative strategic importance of the organisation’s propensity to take risks and its propensity to exercise control and to influence that relative focus throughout the organisation”
— Anderson, Richard (2011) Guidance Paper Risk Appetite and Risk Tolerance, Institute of Risk Management, May 2011
Regardless of its definitional problems, the purpose of assessing your “risk appetite” is simply to determine the “nature and extent of the significant risks [you are] willing to take in achieving [your] strategic objectives”.
What is your attitude to risk and uncertainty?
What is the “amount and type of risk that [you are] willing to pursue or retain”?
Ultimately, a Risk Appetite Statement provides direction and boundaries and helps Licensees to identify (and explain) how risks and associated rewards are to be balanced.
- Business Enablement: All commercial activities involve risk, but understanding your willingness to take risks, clarifying how you measure costs and benefits, and formalising your capacity to tolerate and control risks not only equips you to better understand your current capabilities but, over time, will both encourage consistent behaviour and increase your capacity to tolerate additional risks.
- Stakeholder Consideration: Involving a range of internal and external stakeholders in your risk assessment process ensures that your “risk appetite” will reflect the preferences and propensities of the business rather than simply reflecting the personal preferences and propensities of a single Executive.
- Active Management: The Board (via the Compliance Committee) should be explicitly committed to actively monitoring and managing the business’s compliance with your risk thresholds and associated policies. In addition to a focus on clear and effective measures, the Board understands the importance of contextual analysis, realising that strong financial performance can often mask the risks that are actually being taken to achieve that performance.
Your propensity to exercise control
Processes, policies, systems, delegations, limits and structures may be the most practical way to manage risk in a commercial enterprise, but not all risks can be identified, not all risks can be controlled and not all controls will be effective.
In fact, a control framework will only restrict excessive risk taking and it will only be effective if limits are consistently enforced and if the risk assessment was reliable.
Your controls should be based on your understanding of their value, their cost, and their limits. Rigorous controls and effective assurance processes will assist you to define permissions, sanctions quantitative statements, limits, thresholds, and key risk indicators.
In addition to outlining how to escalate risks that fall outside your acceptance criteria, your control framework (and the capability or capacity it represents) has to be:
- Representative: By understanding your propensity for taking risks, you not only better understand your current capabilities but, over time, increase your capacity to tolerate additional risks. While the interests of stakeholders, owners and associated entities should be considered, your controls and tolerances should reflect the nature, scale and complexity of your business. They should identify, in context, the specific propensities, risks and resources of the business and its specific obligations and duties.
Effective controls cannot be imposed on a business but instead need to be transitive, internally generated and embedded in your business, and integrated into your internal performance systems.
They should be responsive to the business and should inform, and be informed by, your strategies and your decision-making processes.
Complex, integrated systems can deliver counter-productive outcomes, frustrate remediation and cause the “unanticipated interaction of multiple failures”.
Your control framework should not only identify the correct and specific risks (and the circumstances which trigger escalation, review or approval) but also avoid unnecessary complexity.
Effective control systems, regardless of their simplicity, need to be intuitive, invisible and subject to active management and revision. Accountability for key business risks is clearly defined. Risk information is used to support management decisions.
There are inherent limitations in any control framework. While it may reflect your preferences and your assessment of the consequences, likelihood and impact of your activities, likelihood is often based on historic data, and any cost and benefit analysis (which is required for borderline or threshold issues) is often based on subjective assessments of impacts and consequences.
Some risks are directly discernible from day-to-day engagement and others are foreseeable; some are difficult to identify without analysis, and others are unlikely to be identified on the basis of prior personal or institutional knowledge at all.
The only effective method to manage uncertainty (and the risk it represents) is to ensure that your tolerances and controls are subject to ongoing review and amendment through an action cycle of identification, measurement, revision and communication.
For most Licensees, a key aspect of an effective governance regime is a clearly articulated “Risk Appetite” outlining how the business deals with uncertainty and limitations of knowledge in order to “reduce the incidence of decisions that are stupid, short term, narrow minded, or selfishly motivated”.
If you haven’t already done it, consider how you can define your risk appetite and identify how decisions are made, how you deal with uncertainty (and how you would prefer to deal with uncertainty) and what levels of processes and controls you require to manage those risks.
One of the ways we start this process is by asking key stakeholders to complete a simple survey.
Before they answer the survey, we remind them that “Risk Appetite” is a matter of balancing opinions, perceptions, contexts and propensities, and that there are no right answers. We also position the questions by confirming that “business uncertainty” refers to a lack of structure or controls, confusion over expectations and responsibilities, and ignorance about operational and governance issues.
If you’re interested in learning more about our approach, reach out to our account managers.
Leitch, Matthew (2010) “Making sense of risk appetite, tolerance and acceptance (2nd edition)”, http://www.internationalcontrolsdesign.co.uk
Leitch, Matthew (2008) “Making sense of risk appetite, tolerance and acceptance”, http://www.internalcontrolsdesign.co.uk
KPMG International Advisory Report (2008) “Understanding and articulating risk appetite”, p. 2
Leitch (2010) op. cit.
ISO 31000:2009 “Risk Management – Principles and Guidelines” and ISO Guide 73:2009 “Risk Management – Vocabulary”
Society of Actuaries “Enterprise Risk Management (ERM) Fact Sheet”
Langewiesche, William (March 1998) “The Lessons of Valujet 592”, The Atlantic
There is no eighth reference. Thanks for checking.
Anderson, Richard (2011) “Guidance Paper: Risk Appetite and Risk Tolerance”, Institute of Risk Management, May 2011
Financial Reporting Council (2010) “The UK Corporate Governance Code”, C2, p. 18
ISO 31000:2009 op. cit.
Perrow, Charles (1984) Normal Accidents: Living with High-Risk Technologies, With a New Afterword and a Postscript on the Y2K Problem, Princeton, New Jersey: Princeton University Press, ISBN 0691004129, 1984, 1999 (first published by Basic Books 1984)