Risk Appetite and Tolerance


1.   Purpose


This document is issued as a supplement to the Public Sector Risk Management Framework (PSRMF). It provides insights on risk appetite and tolerance from the perspective of the PFMA, expanding on the limited information contained in the PSRMF currently. Please note that this document is not an implementation guide.

While risk appetite and tolerance are integral components of an effective risk management framework, they are underutilized in practice. The principal reasons for this are:

  • uncertainty about their relevance in the public sector, particularly in relation to the Public Finance Management Act (PFMA);
  • the general confusion surrounding the definitions and application of risk appetite and tolerance, exacerbated by conflicting interpretations in the available frameworks and literature; and
  • doubts about the benefits of applying these concepts, given the complexities involved in their implementation.

2.   Background

 

An institution's[1] ability to completely eradicate or manage risk to a low residual level is often inhibited by various constraints, including factors beyond its control. However, even in the absence of such limitations, it is not necessarily beneficial to steadfastly pursue risk control without properly understanding the cost-benefit[2] (also called risk-reward) implications.

Risk control consumes an institution's limited resources and exhibits diminishing returns. It is therefore important for an institution to be strategic about the level of performance it can achieve with the resources at its disposal and the optimum risk portfolio that allows it to achieve that level of performance. Risk should be optimised at a level that neither creates downside effects through factors that could be adequately controlled within the cost-benefit paradigm, nor causes missed opportunities because of resource constraints created by over-investing in risk control. An institution must take calculated risks based on cost-benefit optimisation, which will enable it to maximise its performance in an environment defined by uncertainty and resource limitations.

The level of "acceptable risk" is represented by the concepts of "risk appetite" and "risk tolerance", which establish boundaries within which decisions are made. These concepts embody calculated risk-taking, premised on the understanding that risk and progress are inextricably intertwined, and one cannot exist without the other. Many institutions already apply such boundaries in their decision-making as part of their customs and norms without necessarily recognising them as risk appetite and tolerance.

Risk appetite and risk tolerance are intended to encourage and focus management to think effectively about risk when making important decisions. Working within clearly defined boundaries helps to avoid over- or under-controlling risks, both of which impose costs on the institution. Over-control consumes scarce resources that could be used more productively, while under-control usually ends up imposing significant costs when risks that could have been managed cost-effectively materialise.


3.   Risk appetite and tolerance - the unique public sector challenge

 

Understanding and applying risk appetite and tolerance pose many challenges in the public sector. While these are fundamental concepts and tools of Enterprise Risk Management (ERM), there is no direct reference to them in our existing legislative framework. They are thus relatively unknown to many in the top management hierarchy that should be responsible for them. This is not surprising because the public sector is traditionally risk averse and is primarily concerned with mitigating downside risk. Notions of anything other than maximizing risk control do not fit well with this tradition.

Yet it should be different. It is important to recall that one of the main objectives of the PFMA is to empower public sector managers to manage, while simultaneously holding them accountable. This objective and the concepts of risk appetite and tolerance should align seamlessly and enable both efficient management and accountability. Yet, this integration has proven to be challenging in reality. One of the main reasons is that the realisation of the objective that public sector managers must manage (presumably with the necessary latitude allowed to them within the parameters of the PFMA, rational decision making that places the best interests of the institution at the forefront of decisions, and implementation of such decisions with due care and responsibility) has been disappointing. High levels of mismanagement and misgovernance have resulted in stricter regulatory interventions and more intrusive audit processes than would have been warranted, which have tempered management's ability to manage relatively freely as intended. Within this scenario, management appears reluctant to exercise intrapreneurship, preferring a relatively risk-free approach that sticks to embedded norms, standards and practices. This hampers meaningful progress and leaves only limited scope for the application of risk appetite and tolerance, whose value is most apparent in an innovative space.

It is necessary to reinforce that managers must manage accountably. The upcoming revision of the PFMA intends to amplify this message and strengthen regulatory protection for managers who act in the best interest of the institution but who, having exercised reasonable care and diligence, fail to produce the intended results. It is hoped that this development will allow managers to be more intrapreneurial.


4.   Risk appetite and tolerance - their importance in the system of risk management

 

Responsible risk acceptance is neither simple nor arbitrary. The smart way of doing this is by having predetermined and well-conceived parameters. This is where the concepts of risk appetite and tolerance come into play. They are critical in interrogating the complex cost-benefit dynamics to produce the optimal risk portfolio. This portfolio embodies the trade-offs of where and how much risk the institution needs to actively manage, as well as where and how much it should live with to maximise overall performance.

The Public Sector Risk Management Framework (PSRMF) defines risk appetite as the amount of residual risk that the institution is willing to accept. "Accept" in this instance refers to that portion of risk that the institution will not manage actively. It is the risk the institution is prepared to live with. This may be because:

  1. the risk factor(s) is/are beyond the institution's control;
  2. all possible and rational risk control measures have been exhausted (additional risk mitigation measures are no longer available); or
  3. additional risk control is not justified on cost-benefit grounds.

Risk appetite provides parameters which enable the institution to make informed decisions about finances, management time and other resources needed to actively manage risk. By setting out the risk appetite (optimal position) and the acceptable variation from the risk appetite (tolerance), in pursuit of its strategic objectives, the institution clearly sets out its expectations and the boundaries within which management may operate. 

It is appropriate to define risk appetite in various contexts rather than to have a single definition (Department of the Interior Office of Inspector General, 2022, p. 29). Thus, separate risk appetites can be set, for example, per:

  • strategic objectives;
  • risk categories;
  • programmes; or
  • other logical classification.

The benefits of clearly articulating risk appetite include:

  1. knowing the risk appetite helps management and the oversight structures to make calculated risk decisions by "forcing" them to analyse cost-benefit; 
  2. improves risk analysis, risk communication and escalation of risks;
  3. demonstrates that decisions are taken through a rational and rigorous process (supporting the notion of "let managers manage but hold them accountable"); 
  4. improves consistency in decision-making across governance mechanisms;
  5. supports performance improvement by placing focus on the priority risks, as well as influencing spending and resource allocation; and
  6. improves understanding of the do's and don'ts and the established risk boundaries, enabling decision makers to function with more confidence.

The PSRMF defines risk tolerance as the amount of residual risk that the Institution is capable of bearing (as opposed to the amount of risk it is willing to bear, i.e. risk appetite). Breaking down this definition further, risk tolerance is the accepted deviation from the risk appetite after all relevant and reasonable risk control measures have been implemented. Risk tolerance can be seen as the institution's acceptance of having to bear residual risk that may exceed the risk appetite, understanding that the risk cannot be further reduced despite the best risk management efforts. Hopefully, this is a temporary phenomenon, otherwise the risk appetite level needs to be adjusted.

Risk tolerance can also be thought of as the "risk appetite at a more granular level", such as for different parts of the institution. Risk tolerance translates risk appetite into meaningful terms at the operational level (Department of the Interior Office of Inspector General, 2022, p. 29). The institutional risk appetite sets the view at the whole-of-institution level. In a systemic way, the institutional risk appetite could be apportioned and cascaded to divisional, business unit, project or process levels as their respective risk tolerances. Each one would then manage its risks within these defined boundaries, ensuring that their risk profile aligns with the institution's overall risk appetite. This approach allows for a more nuanced and effective management of risk across the institution, as it recognizes that different parts of the institution face different types and levels of risk. It also enables the institution to ensure that risk-taking at all levels aligns with its strategic objectives.


5.   Relevance of risk appetite and tolerance in the public sector

 

All institutions, including those in the public sector, assume risks while striving to achieve their goals and objectives. It's not feasible to pursue objectives without taking on some risk, nor is it possible to cost effectively de-risk a portfolio of risks to zero. Even if it were possible, it might not be prudent due to the diminishing returns of risk control. Hence, barring legal reasons, regulatory prescriptions, or specific institutional reasons, risk control should cease at a certain point above zero-risk. The institution should then accept the residual impact of the risk and redirect the resources that would have been used to achieve a higher level of risk control to more productive use.

Risk appetite enables an institution to establish a threshold of impacts it is prepared and able to absorb in pursuit of its objectives. This includes, but is not limited to, financial loss. The terms "calculated risk" and "acceptable loss," which are commonly used when applying risk appetite, may be challenging to reconcile with the nature of public services and legislative frameworks. Neither the PFMA nor Treasury Regulations specifically mention these concepts, which complicates their application from a policy certainty perspective. Moreover, the abundance of unhelpful and often conflicting definitions of these concepts, originally designed for profit-motivated firms, further complicates their understanding and implementation in the rules-driven and risk-averse public sector environment.

The macro-objective of the PFMA is to: "…maximise delivery through the efficient and effective use of limited resources." An institution wanting to use its limited resources efficiently and effectively must accept a certain level of risk. As explained previously, this enables scarce resources to be deployed for managing risk and leveraging opportunities in areas with greater value potential. The application of risk appetite and tolerance supports this objective. The trade-off thus facilitated allows the institution to operate more efficiently at a lower relative cost, thereby supporting the stated macro-objective of the PFMA.


6.   Regulatory prescription and guidance

 

Section 38(1)(a)(i) of the PFMA read with Treasury Regulation 3.1.1 enjoins the Accounting Officer to ensure that the institution has and maintains an effective, efficient and transparent system of risk management. It can be argued that risk appetite and tolerance are indispensable elements of the envisaged system of risk management:

 

  1. effectiveness is achieved because the discipline, rigour and focus needed for the effective implementation of risk appetite strengthens the system of risk management and steers the institution towards the most important risks and opportunities - it forces critical thinking about what risks to take or not, how much of it and what the benefits of taking these risks are in relation to the objectives to be achieved;
  2. efficiency is achieved as risk appetite facilitates optimal resource usage through establishing the correct level of risk control;
  3. transparency is achieved through the rigorous effort involving multiple actors, including governance structures, in establishing the risk appetite parameters and being able to defend the decisions made within such parameters.

The Guide for Accounting Officers: Public Finance Management Act (Republic of South Africa. National Treasury, 2000) offers profound advice on the need for considering cost-benefit in risk control. Essentially it talks about risk appetite and tolerance without explicitly referring to them as such. Included below are relevant excerpts from that document:

  • Risk management acknowledges that all the activities of an organisation involve some element of risk. Management must decide what is an acceptable level of risk (given the cost and other social factors) by objectively assessing the factors (risks) that may prevent a particular activity from meeting its objective (page 30).
  • Elements of risk management include:
      - Deciding on an acceptable level of loss or degree of failure (page 30).
  • The design and extent of control measures and procedures must match the risk and exposure in the particular area. Before implementing a control, management should be satisfied that the benefits outweigh the cost of operating the control (page 30).
  • It is impossible to avoid all risk through internal control measures; attempts to do so may come at a cost higher than that of the potential risk. This was often the case with the procedures implemented in previous years. Before further internal control measures are implemented, the cost of these must be assessed against the cost of the risk (page 31).

The Public Sector Risk Management Framework (Republic of South Africa. National Treasury, 2010) sets out principles-based guidance for risk appetite and tolerance:

  • paragraph 16(5)(c) - …the residual risk should be benchmarked against the institution's risk appetite to determine the need for further management intervention, if any.
  • paragraph 17(4) - Management should develop response strategies for all material risks, whether or not the management thereof is within the direct control of the institution, prioritising the risks exceeding or nearing the risk appetite level.
  • paragraph 22(2) - High level responsibilities of the Accounting Officer/Authority should include:
      (i) approving the institution's risk appetite and risk tolerance.
  • paragraph 24(5) - In discharging its governance responsibilities relating to risk management, the Risk Management Committee should:
      (a) review and recommend for the approval of the Accounting Officer/Authority, the:
          (i) institution's risk appetite, ensuring that limits are:
              • supported by a rigorous analysis and expert judgement;
              • expressed in the same values as the key performance indicators to which they apply;
              • set for all material risks individually, as well as in aggregate for particular categorisations of risk; and
              • consistent with the materiality and significance framework.
          (ii) institution's risk tolerance, ensuring that limits are supported by a rigorous analysis and expert judgement of:
              • the institution's ability to withstand significant shocks; and
              • the institution's ability to recover financially and operationally from significant shocks.
  • paragraph 25(2) - The high-level responsibilities of the Chief Risk Officer should include:
      (b) developing, in consultation with management, the institution's risk management framework incorporating, inter alia, the:
          (i) risk appetite and tolerance.

 

7.   Practical implementation considerations  

 

The interplay between risk appetite and key performance targets in the public sector is quite interesting. Parliament holds the institution accountable for its published performance targets. If actual performance falls short of these published targets, it cannot be retroactively justified by the argument that performance aligns with the risk appetite. Therefore, performance targets should be risk-adjusted based on the institution's risk appetite related to the objective to which the target is linked.

Risk appetite should be determined in alignment with the institution's strategic objectives. Differentiated risk appetite may be applied on the basis of preferred anchors such as the objective itself, risk categories, program or other logical criteria. The construct of the strategic objective will influence whether risk appetite is expressed qualitatively or quantitatively. Objectives styled qualitatively tend to attract qualitative risk appetites, while those styled quantitatively are likely to have quantitative risk appetites.

The most critical aspects to consider when determining risk appetite are:

  • what the institution "must do" (i.e. cannot avoid regardless of riskiness) to accomplish its objectives;
  • legal prescriptions that dictate what risks the institution cannot take (e.g. currency hedging), or where it cannot apply discretion (e.g. workplace fatalities);
  • the institution's ability to withstand significant shocks;
  • the institution's ability to recover financially and operationally from significant shocks;
  • the institution's capacity to manage risk to the desired level (considering the current circumstances, resources, skills, technologies etc.).

Pre-conditions for establishing and managing risk appetite and tolerance are:

  • the institution should have a credible risk register with the main risks properly identified, analysed and evaluated;
  • zero-tolerance risk exposures such as fraud and corruption, regulatory compliance and health and safety should be identified and excluded from the process of determining the "acceptable level", and it must be clearly stated that there is neither appetite nor tolerance for these risks;
  • prohibited mandates and non-discretionary aspects must be known and cannot form part of "risk acceptance";
  • the impact of the risk appetite and tolerance parameters on performance must be well understood and factored in to avoid setting and publishing incorrect targets;
  • appropriate anchors must be chosen for basing risk appetite (strategic objective, risk category, program, etc.);
  • the institution's risk appetite should be reviewed and updated at least annually based on actual experience, new circumstances, emergence of more or better information, better analysis, etc.; and
  • the institution must have the capacity to undertake, sustain and continually improve its handling of risk appetite; it is therefore recommended that the institution's risk management maturity should be at a minimum of level 3 of the Risk Management Capability Maturity Model published by National Treasury.

There are various approaches to applying risk appetite and tolerance. Regardless of the approach, the paramount principle is that it should be institution-specific and fit for purpose. This requires extensive collaboration between and among Heads of Functions, Heads of Divisions, Executive Management, the Risk Management Unit, Internal Audit and the Risk Committee. Such collaboration is essential not only for harnessing the best available expertise, institutional knowledge and other critical information, but also for fostering the support and appropriate behavior required for successful implementation.

The institution-specific approach must appreciate that various frameworks and literature apply different descriptions and terminology for risk appetite and tolerance, which tends to cause confusion. While those contained in the PSRMF are recommended, it is incumbent on the institution to adopt what works best for it - even if adapting the descriptions and terminology is required.

Among the different approaches mentioned, the most common, possibly because it is relatively the simplest, is the combined tactical use of risk rating scales and an integrated matrix of risk categories and scenarios to develop a visual representation of the actual risk portfolio. From this visual display it is possible to see which risks are within and which ones are exceeding their pre-established appetite. Further analysis can then be performed to consider whether any excess risk can be tolerated or additional risk control is required.

When establishing risk appetite and tolerance parameters, institutions should use their existing metrics as far as possible. For example, certain failure rates, error rates, response times, processing times, downtime, performance ratios, financial impacts, etc. may already exist as part of the operational or performance management system. These same parameters can be integrated for risk appetite and tolerance purposes.

The PSRMF highlights the following important aspects:

  • as part of the risk assessment process, residual risk should be benchmarked against the institution's risk appetite to determine the need for further risk control intervention, if any;
  • management should develop response strategies for all material risks, whether or not the management thereof is within the direct control of the institution, prioritising the risks exceeding or nearing the risk appetite level;
  • the Accounting Officer should approve the institution's risk appetite and risk tolerance and be guided by the Risk Committee in this regard; and
  • the Risk Management Committee should review and recommend risk appetite for the approval by the Accounting Officer after satisfying itself of the rigour undertaken to establish the parameters, including the critical considerations mentioned under paragraph 6 and the pre-conditions also mentioned in the same paragraph (NB: paragraph 6 refers to the PSRMF, not this document).

 

8.   Conclusion

 

Risk appetite and tolerance are important components of risk management. They enhance the rigour in risk-reward trade-offs, which in turn shape resource allocation and, ultimately, institutional performance. The Public Finance Management Act (PFMA) advocates for effective resource utilisation, supported by an efficient, transparent system of risk management. Risk appetite and tolerance are critical features of an effective system of risk management. The Guide for Accounting Officers: Public Finance Management Act, published in 2000, recognises the necessity of assuming an acceptable level of risk, based on an objective assessment of cost and other social factors.

Despite the potential benefits, there is currently little evidence of institutions tactically utilising risk appetite and tolerance to shape risk management and performance. This area, therefore, merits increased attention. A significant obstacle appears to be management's reluctance to adopt an intrapreneurial approach, preferring instead to stick to tried-and-tested methods due to fear of repercussions should things go wrong. The revision of the PFMA, with a renewed emphasis on the "managers must manage" mantra and increased regulatory protection for well-intentioned managers even when things go wrong, should stimulate the intrapreneurial spirit. This, in turn, should lead to an improved adoption of risk appetite and tolerance as valuable management tools.


[1] National and provincial departments and public entities reporting to these departments, including their subsidiaries and trading entities, as well as independent institutions established by the Constitution.

[2] Cost does not refer just to financial costs but to total inputs invested in managing risk. Benefits refer to the total beneficial outcomes of such investments, as reflected in service delivery, financial strength, institutional reputation, developmental outcomes and other critical indicators.

© Maintained by the National Treasury. All Rights Reserved.