Operational Risk Management is continuing to evolve as a key component of an Enterprise Risk Management ("ERM") program. However, it continues to be an area of great debate as a formal discipline due to its broad focus and impact across the business. One area that confuses and frustrates many businesspeople when confronted with operational risk is the notion of risk appetite vs. risk tolerance. In some cases, the two terms are used interchangeably. However, in other cases, risk appetite refers to the total amount of risk to be taken to achieve a given business objective and risk tolerance refers to specific risk limits associated with a given business activity. The Institute of Operational Risk has developed guidance that is practical and useful for risk practitioners in dealing with these terms. Here's their view.
In simple terms, expressing Operational Risk Appetite is a question of defining what is acceptable to an organisation and what is not. This could be achieved by deciding, for each type of risk, what is acceptable, what is unacceptable, and the parameters of the area between those two (i.e. what is tolerable).
Regardless of the way these terms are used, the key for operational risk managers is to help businesspeople understand risk in their own terms rather than in risk management vernacular. Otherwise, the focus will remain on terminology rather than what is really important - creating value for the business.
I enjoyed the publication. It is brief and to the point. In fact, in financial institutions, the reason for the uncontrolled risks is that the organization culture is risk happy (they like risks, for want of a better word).
Senior management does not perceive benefits from risk management, hence, the focus is not there in organization culture to build a risk culture.