It is not always efficient or possible to manage risks to zero residual risk or a very low residual risk threshold because of the time, cost and effort that will be required. On the other hand it is also poor management practice to accept risks which create unnecessary exposure for the Institution.
Given the aforementioned dynamics, it is important for the Institution to make an informed decision on the amount of risk the Institution is capable of bearing as part of normal management practice. This level of acceptable risk is known as a "tolerated risk or tolerance level" and establishes the benchmark for the Institution's risk tolerance. This differs from risk appetite, which is the amount of residual risk that an Institution is willing to accept. Risk appetite differs from Institution to Institution and can equally differ across the various categories of risk an Institution may face at a point in time.
The aim of defining risk tolerance is to get people to think effectively about risk when they make important decisions. Performance management systems encourage officials to think about targets and the rewards for meeting them. However, the systems should equally tell officials about the amount of risk the Institution can take. In essence, effective risk taking that is aligned to overall Institutional strategy should be a core skill and competency.
Tolerance levels may vary by context and are influenced by the following:
· ability and willingness of the Accounting Officer / Authority to take and manage risks;
· size and type of Institution;
· skills and experience of officials;
· maturity and sophistication of risk management processes and control environments;
· the current level of an Institution’s performance; and
· financial strength of the Institution and its ability to withstand shocks.
An Institution’s risk appetite should be reviewed annually to align it to new circumstances. The risk tolerance levels should also be reviewed annually together with the Institution’s targets and available resources to determine the Institution’s risk bearing capacity.
It is advisable to determine and communicate the level of unexpected losses that the Institution is willing to accept in the event that the risk materialises. Zero tolerance risk exposures such as fraud and corruption, regulatory compliance and health and safety should be communicated to all officials.
As management decisions are informed by the targets being pursued, there should be a mechanism in place that enables tracking of the numbers involved to ensure that tolerance guidelines are complied with or applied as specified. This may require management to determine key risk indicators that will be utilised to monitor the occurrence of the risks.
There is no "one-size-fits-all" approach to establishing the right risk tolerance levels. Practices will differ amongst Institutions based on the maturity of the risk management practice, available data, management expertise, sector-specific dynamics and other pertinent factors. Thus it is advisable to follow certain guiding principles rather than "hard and fast" rules.
The typical steps involved in establishing and implementing risk tolerance are:
· Complete an analysis of the Institution's ability to physically and financially recover from a significant event (e.g. risks such as a human influenza pandemic, inability to supply, a credit crunch, etc.).
· The above analysis will highlight the need and importance of contingency plans, financial, physical and human resources and the importance of controls. From the analysis, determine the tolerance the Institution can bear or accept.
· Management determines the level of tolerance which should then be endorsed by the Accounting Officer / Authority.
· The risk tolerance levels set by the Institution will be reflected in the risk rating scales used to assess the risks:
o An upper band where adverse risks are intolerable, whatever benefits the activity may bring, and risk reduction measures are essential whatever their cost.
o A middle band (or 'grey' area) where costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
o A lower band where positive or negative risks are negligible, or the costs associated with implementing treatment actions outweigh the costs of the impact of the risk should it occur.
These levels of risk tolerance will help determine the type and extent of actions required to treat risks, and the level of management attention required in managing and monitoring the risks.
Risk tolerance levels can be practically defined through colour coding of a risk likelihood/consequence matrix. The principle applied in this instance is that if a risk is placed in the high risk colour band (red), then additional controls have to be implemented to address the risk, or the risk treatment plan has to be revised. Conversely, if the risk is placed in the low risk colour band (green), there is no need to effect any changes to how the risk is treated. Threshold limits may be set for individual risks or per risk category.
General guiding principles for development of risk tolerance:
· Risk tolerance should be expressed in the same indicators as its related objectives;
· In setting the risk tolerance, management should consider the relative importance of the related objective;
· Tolerance levels should not be out of line with the materiality framework of the Institution;
· Without exception, all tolerance levels should be supported by rigorous analysis and expert management judgement;
· Tolerances may be established for individual material risks, as well as aggregate tolerance for particular categories of risk;
· Tolerances may also be established per individual business activity;
· Risk tolerance levels should be revised as more reliable information becomes available;
· Setting risk tolerance should be a collective senior management responsibility; and
· Risk appetite is developed at the Institutional level by senior management and proposed to the Accounting Officer / Authority for approval. Once approved, it is communicated to all within the Institution, including staff and key stakeholders.
The output is a clearly defined tolerable level of risk established through a rigorous process of analysis and expert management judgement. Depending on the nature of risk, the tolerance may be expressed either in qualitative or quantitative terms.
In some instances, risks as assessed would exceed the tolerance level but cannot be avoided (e.g. a matter of national priority). In this case, these risks will have to be approved by the Accounting Officer / Authority and regularly monitored.
Working within clearly defined risk tolerance levels has the advantage of avoiding the danger of over-controlling risks.