Insurers are increasingly being asked to explain their approach to risk management and as a part of that discussion to clarify their risk appetite.
Rating agencies are all asking about risk appetite. Regulators around the world will all soon require disclosure of risk appetite as a part of their usual dialog with management.
Boards are also asking management to discuss the firm’s risk appetite. Risk appetite is seen by many as the central idea of enterprise risk management (ERM).
Risk appetite provides the major goal of ERM—that is to help the insurer to choose risks that are consistent with both the risk appetite and the other goals of the firm.
Insurers have a range of different approaches to risk appetite and risk tolerance—starting with a wide variety of definitions of those terms.
But common to all insurers is the need to weave their company strategy, risk strategy, risk preferences (both positive and negative), risk taking capacity, and risk plans into a consistent story each year.
With this integrated foundation, they can undertake a control cycle by establishing risk limits, mitigation, and controls (which will be the subject of the next blog).
Few people—and even fewer companies—actually desire risk for its own sake. What they desire is the reward that can only be achieved by taking risk; but desire for increasing reward is tempered by the accompanying increase in risk.
Risk appetite, therefore, is a slight misnomer but a useful shorthand for referring to the level of risk associated with the balance between risk and reward that is “comfortable” for the company.
The risk appetite is the level of risk that aligns with the firm’s business strategy and capitalization.
Risk tolerance, on the other hand, describes a boundary on risk-taking.
Tolerances can be quantitative or qualitative; qualitative risk tolerances may set out the company’s aversion to particular types of risk, while quantitative risk tolerances establish constraints on the amount of risk the firm is willing to take.
Companies usually have two main types of overall risk appetite and tolerance, relating to protection of capital and volatility of earnings. They may also have appetites and tolerances for particular risk categories.
- Capital: less than 20% chance that more than 10% of capital will be lost next year
- Earnings: target average combined operating ratio of 98% or lower over any 5 year period
- For individual risk categories, the capital required to support such risk in isolation is targeted at
- Insurance risk: $XI
- Operational risk: $XO
- Market Risk: $XM
- Credit risk: $XC
- Liquidity risk: $XL
- Capital: less than 5% chance of capital falling below 150% of regulatory requirement in the coming year
- Earnings: less than 10% chance of exceeding annual budget combined ratio by more than 10 points
- For individual risk categories, the capital required to support such risk in isolation shall not exceed
- Insurance risk: $YI
- Operational risk: $YO
- Market Risk: $YM
- Credit risk: $YC
- Liquidity risk: $YL
A risk appetite statement must be clear, concise and coherent. A simple statement that conforms to these basic rules is may be preferable to one that is more comprehensive but complex and difficult to apply in practice.
Creating Your Risk Appetite and Tolerance Statement
There’s usually no need to create risk appetite and tolerance statements from scratch. Existing risk management policies and the top-level objectives handed down by the board generally offer a starting point.
Reviewing the levels of risk that the organization has accepted in the recent past, as well as the resulting experience of gains or losses, also provides insight.
Discussing the degree of comfort that management had during the recent year when risk was highest may help to lead to a choice of risk appetite or tolerance.
It’s often helpful to look back on major decisions, such as changes to reinsurance retention, where risk appetite is implicit in the decision (whether explicitly stated at the time of the decision or not).
“Top-Down” or “Bottom-Up”?
Should risk appetite and tolerance statements be designed “top-down” or “bottom-up”? A paper by the UK Actuarial Profession considers this matter in some depth.
By definition, top-level risk appetite and tolerance statements must be set and monitored by the company board.
However, the procedures and the more granular limits and controls used to ensure adherence with these top-level guidelines must be implemented by appropriate levels of management throughout the organization; success requires buy-in at multiple levels.
In the end it is often a combination. The board sets the top-level appetite and tolerance with advice from senior managers.
Existing risk limits and controls can then be reviewed to see if they are consistent with the top-level guidance and also internally consistent with each other: In all likelihood some will be, but some will not.
A significant difficulty with any bottom-up approach is maintaining consistency; therefore, it’s wise to agree a template in advance.
Management experience with measuring risk, reviewing risk reports and consciously living with the consequences of different levels of risk is absolutely critical to having the confidence to accept and usefully deploy risk appetite and tolerance statements. Otherwise the process may resemble the experience of a foreign traveler negotiating the price of an unfamiliar object with an untranslatable name to be purchased with a currency that he doesn’t know the exchange rate for.
This experience with risk measurement can be “force-cultivated” by creating pro forma risk calculations for several past years to give management practical perspective.
That’s also a reason for keeping the risk appetite and risk tolerance statements clear, concise, and coherent. A brief, clear statement can more easily be understood, and can be updated to reflect new perspective as management gains in experience and as external circumstances change.
This article was authored with David Simmons and was originally published February 24, 2014.