Column: Risk Management

Hunger for Risk

By: | April 28, 2016

Joanna Makomaski is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at [email protected]

We see them everywhere in our risk management world — the terms of art — “risk appetite and tolerance.” We are also seeing heightening obligations set by regulators and rating agencies guiding organizations to articulate their appetite for risk and tolerance of risk.

Research commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) urges an organization to “consider its risk appetite at the same time it decides which goals or operational tactics to pursue. To determine risk appetite, management, with board review and concurrence, should take three steps:

  • Develop risk appetite.
  • Communicate risk appetite.
  • Monitor and update risk appetite.

Three easy steps — but are they really? Things would be a lot easier if we could agree on what exactly “risk appetite and tolerance” means.

To express risk appetite, one has to truly understand strategic risks and create rules around which risks should be taken in order to achieve objectives.

Sometimes we can get overzealous with our risk taking, so it is prudent to give yourself a realistic cushion and set triggers to alert you when you are nearing unwanted risk thresholds.

To express risk appetite, one has to truly understand strategic risks and create rules around which risks should be taken in order to achieve objectives.

I call this zone “risk tolerance” — the level of excess risk you can take for a while before getting back to your normal risk-taking habits.


The subprime mortgage debacle that led to the latest financial crisis is a case in point.

In a market of ever-increasing house prices, it was tempting to grow mortgage revenue by relaxing underwriting criteria. If borrowers defaulted, the logic was, lenders could seize and resell the house. The problem was no one was accounting for total risk on the table and early warning signals went unheeded.

Relating your risk appetite and tolerance is akin to describing your consumption habits for risk. Risk appetite is about taking in healthy risk, not avoiding it. Not taking in risk when you need to could leave your organization unsatiated and unhealthy.

Consider Research in Motion (RIM), makers of the BlackBerry. According to the “Wall Street Journal,” RIM’s chiefs dismissed the iPhone after it was unveiled in 2007.

“It wasn’t a threat to RIM’s core business,” said the company founder’s top lieutenant, Larry Conlee.

“It wasn’t secure. It had rapid battery drain and a lousy [digital] keyboard.”

Clearly, the company was overlooking an important strategic risk.

COSO offered three easy steps for defining risk appetite and tolerance. Allow me to now offer mine.

Decide which risks you will eat and make sure they are good for you and not junk. Eat just enough to satisfy hunger for strategy achievement.

And make sure you continually measure your strategic objectives to ensure you are staying within bounds of your corporate stomach.

More from Risk & Insurance

More from Risk & Insurance

Risk Matrix: Presented by Liberty Mutual Insurance

9 Trends that Are Driving Rate Increases

The market was optimistically cautious entering 2020, but thanks to COVID-19, growing liability challenges and other risk factors, we’re seeing more hardening.
By: | September 1, 2020

The R&I Editorial Team can be reached at [email protected]