Risk Appetite and Risk Tolerance - Making sense of it in the public sector
An Institution's ability to completely eradicate or manage risk to a low residual level is often inhibited by various constraints, including factors beyond its control. However, even in the absence of such limitations, it is not necessarily a good thing to steadfastly pursue risk control without properly understanding the cost/benefit (also called risk/reward) implications.
Risk control consumes an Institution's limited resources while producing diminishing returns after a certain point. It is therefore important for an Institution to make informed decisions about the amount of risk it is capable of bearing whilst maintaining the desired level of performance. That level of risk should be optimised so that it neither allows for downside effects caused by factors that can otherwise be adequately controlled within the cost/benefit paradigm, nor compromises upside effects (opportunities) by over-investing in risk control. In other words, an Institution must find the optimal cost/benefit position for the risks it faces: the position that enables it to function at its highest potential within a setting characterized by the presence of various constraints and resource limitations.
The level of acceptable risk is represented by the concepts of "risk appetite" and "risk tolerance", which establish boundaries within which decisions are made. Many Institutions already apply such boundaries in their decision-making without necessarily referring to them as risk appetite and tolerance. Risk appetite and risk tolerance are intended to get management to think effectively about risk when they make important decisions. Just as performance systems encourage management to think about targets and how to achieve them, risk appetite and risk tolerance have a similar effect on the Institution's thinking around risk and risk control. Working within clearly defined boundaries helps to avoid over- or under-controlling risks, both of which impose costs on the Institution. Over-control consumes scarce resources that could be redeployed more productively, while under-control usually ends up imposing significant cost later on.
Risk appetite and tolerance - the Public Sector mindset challenge
The understanding of risk appetite and risk tolerance and their application pose many challenges in the public sector. While these are fundamental concepts and tools of Enterprise Risk Management (ERM), there is no direct reference to them in our existing legislative framework. They are thus relatively unknown to many in the top management hierarchy who should be responsible for them. This is hardly surprising because traditionally the public sector is primarily conditioned to mitigate downside risk. Notions of anything other than maximizing risk control, such as having appetite for, tolerating or accepting risk, do not fit well with this tradition. Management's fear of violating the PFMA and incurring audit findings when embracing these concepts amplifies the problem and presents significant challenges to effectively applying risk appetite and tolerance in the public sector.
Risk appetite and tolerance and their importance in the system of risk management
The smart way of accepting risk is by having predetermined and well-conceived parameters. It is neither an easy nor an arbitrary decision. This is where the concepts of risk appetite and tolerance come in. They play a crucial part in the interrogation of the complex cost/benefit dynamics that determine how much risk the Institution needs to actively manage and how much risk it should live with in order to maximise overall Institutional performance.
The Public Sector Risk Management Framework (PSRMF) defines risk appetite as the amount of residual risk that the Institution is willing to accept. "Accept" in this instance refers to that portion of risk which will not be actively managed. Using the reference made previously, it is the amount of risk the Institution is prepared to live with. This may be because:
i. the risk is beyond the Institution's control;
ii. all possible and rational risk control measures have been exhausted (additional risk mitigation measures are no longer available); or
iii. further investment of resources to mitigate risk is not justified on cost/benefit grounds.
Risk appetite provides parameters that enable the Institution to make informed decisions about finances, management time and other resources that should be directed at actively managing risk. By setting out the risk appetite (optimal position) and the acceptable variation from the risk appetite (tolerance), in pursuit of its strategic objectives, the Institution clearly sets out its expectations and the boundaries within which management may navigate. The resultant benefits include:
i. Knowing the risk appetite helps management and the oversight structures to make informed risk decisions by "forcing" them to weigh up cost/benefit;
ii. Improves risk analysis, risk communication and escalation of risks;
iii. Demonstrates to stakeholders that decisions are taken through a rational and rigorous process;
iv. Improves consistency in decision-making and across governance mechanisms;
v. Supports performance improvement by placing focus on priority risks, as well as informing spending and resource allocation;
vi. Improves understanding of the do's and don'ts and the established risk boundaries, enabling decision makers to know what actions they need to take to accomplish objectives.
The PSRMF defines risk tolerance as the amount of residual risk that the Institution is capable of bearing (as opposed to the amount of risk it is willing to bear). Breaking down this definition further, risk tolerance is the accepted deviation from the risk appetite after all relevant and reasonable risk control measures have been implemented.
Relevance of risk appetite and tolerance in the public sector
Institutions, even public sector ones, take risks in achieving their goals and objectives. It is impossible to manage every risk to zero effect. Even when it is possible, it is not always astute to do so, given the diminishing returns characteristic of risk control. Therefore, barring legal and regulatory prescription or specific Institutional reasons, at some point further management of risk should cease and the Institution should accept the impact of the risk, so that the resources that would have been utilised can be deployed to more productive use.
Risk appetite helps an Institution to establish a threshold of impacts it is prepared and able to absorb in pursuit of objectives, which may include but is not limited to financial loss. This concept of calculated risk and acceptable loss may be difficult to reconcile with the nature of many public services, and indeed the legislative frameworks.
Neither the PFMA nor Treasury Regulations specifically mention the concepts, which makes them difficult to deal with from a policy certainty perspective. Furthermore, unhelpful and often conflicting definitions of these concepts, designed primarily for the private sector, abound, adding to the difficulty of properly understanding them, let alone how to implement them and leverage value in the rules-driven and risk-averse public sector environment.
The macro objective of the PFMA is to: "…maximise delivery through the efficient and effective use of limited resources."
The application of risk appetite and tolerance supports this objective. If properly applied and maintained, risk appetite results in overall improved Institutional performance, as trade-offs are made allowing resources to be prioritised and allocated where they are most needed to manage risks and enhance performance.
To use its limited pool of resources efficiently and effectively requires an Institution to accept a certain amount of risk above zero-level, so that scarce resources that would otherwise be utilised to manage risk down to low levels can be redirected to managing risk and performance in other areas. When seen from an overall Institutional perspective, this approach enables an overall better managed Institution at a lower relative cost, thus fulfilling the objective to maximise delivery through the efficient and effective use of limited resources.
Regulatory prescription and guidance
Section 38(1)(a)(i) of the PFMA and Treasury Regulation 9.1.1 enjoin the Accounting Officer to ensure that the Institution has and maintains an effective, efficient and transparent system of risk management. It can be argued that applying risk appetite is indispensable if the required features of the system of risk management are to be met:
i. effectiveness is achieved because risk appetite directs focus on the important risks – it forces thinking about what risks to take or not, how much of it and what are the benefits of taking these risks in relation to the objectives to be achieved, thus bringing rigour and focus to the system of risk management;
ii. efficiency is achieved as risk appetite facilitates the correct level of risk control with optimal resource usage;
iii. transparency is achieved through the rigorous effort expended to establish the risk appetite parameters and being able to defend the decisions made within such parameters.
Implementing risk appetite
Parliament and the public expect the published performance targets to be met. It cannot be argued later when actual performance falls short of published targets that performance is within the risk appetite. Thus, planning and target setting must be executed with a full understanding of the Institution's risk appetite. The process of setting risk appetite thresholds should be done in conjunction with the strategic planning process.
Risk appetite should be set relative to the Institution's mandate, values and strategic objectives. Critical considerations are:
· what the Institution "must do" (i.e. cannot avoid) to accomplish its objectives;
· legal prescriptions that dictate what risk the Institution cannot take (e.g. currency hedging), or where it cannot apply discretionary risk appetite values (e.g. health and safety rules around workplace fatalities);
· the Institution's ability to withstand significant shocks;
· the Institution's ability to recover financially and operationally from significant shocks;
· the Institution's capacity to manage risk to the desired level (considering the current circumstances, resources, skills, technologies etc.).
Establishing risk appetite requires considerable engagements between and amongst Heads of Functions, Heads of Divisions, Executive, the Risk Management Unit and the Risk Committee. These engagements are needed not only to harness the best available expertise, institutional knowledge and other critical information but also to leverage support and appropriate behavior needed for successful implementation.
Pre-conditions for tackling the difficult task of establishing risk appetite and tolerance are:
· the Institution should have a credible risk register with the main risks properly identified, analysed and evaluated;
· the Institution must have the capacity to undertake and sustain the process; it is therefore recommended that the risk management maturity of the Institution should be at a minimum of level 3 of the Risk Management Capability Maturity Model published by National Treasury;
· zero tolerance risk exposures such as fraud and corruption, regulatory compliance and health and safety should be identified and addressed appropriately;
· prohibited mandates must be known and cannot form part of "risk taking";
· the Institution's risk appetite should be reviewed and updated at least annually based on actual experience, new circumstances, emergence of more or better information, better analysis etc.
The risk rating table and the risk matrix represent useful tools for applying risk appetite and tolerance. The risk rating table should set out the various criteria for rating a risk at level 1, 2, 3 etc., also incorporating what is acceptable/not acceptable at that level of rating. This applies to both the likelihood and impact aspects. When the final ratings are mapped out on the risk matrix it will visually display which risks are within and which ones are exceeding their appetite. Further analysis can then be done for risks exceeding their appetite to consider whether the excess risk can be tolerated or additional control actions are required.
Important guidance from the Public Sector Risk Management Framework
The PSRMF highlights the following important aspects of risk appetite and tolerance:
· As part of the risk assessment process, residual risk should be benchmarked against the Institution's risk appetite to determine the need for further risk control intervention, if any.
· Management should develop response strategies for all material risks, whether or not the management thereof is within the direct control of the Institution, prioritising the risks exceeding or nearing the risk appetite level.
· The Accounting Officer should approve the Institution's risk appetite and risk tolerance and be guided by the Risk Committee in this regard.
· The Risk Management Committee should review and recommend risk appetite for the approval by the Accounting Officer after satisfying itself of the rigour undertaken to establish the parameters, including the critical considerations mentioned under paragraph 6 and the pre-conditions also mentioned in the same paragraph.
 Cost does not refer just to financial aspects but to total inputs invested in managing risk. Benefits refer to the total beneficial outcomes of the inputs invested as reflected in service delivery, financial strength, institutional reputation, governance and other critical indicators.