My bank is always trying to sell me something. Those conversations usually start with an innocuous question about my risk profile. This is something that gets updated every two or three years on the back of a series of questions — aside from the usual ones about my age, marital status and income, there are some along the lines of how upset I would be if I saw a 20% drop in my portfolio.
The responses feed into a simple algorithm which has labelled me a “moderately aggressive” investor. Keeping aside the accuracy of the conclusions, the approach makes a lot of sense.
You wouldn’t want to push equities or even mutual funds on a conservative investor. They will take their business to another bank as soon as there is a market correction. And you wouldn’t want to sell time deposits to an aggressive, well-informed investor.
While what works for personal finance can also work for businesses, the biggest difference is that a corporate entity should be a lot more financially savvy than the average investor. It is therefore appropriate that businesses go beyond vague terms like “conservative” or “aggressive” and better define their attitude toward risk. And one way to do that is with a risk tolerance statement.
My colleague Dave Ingram describes risk tolerance as the qualitative and quantitative boundaries around risk taking. He also distinguishes that from risk appetite which is more akin to a risk framework or set of principles within which the company would want to operate.
Here, we focus on the former, especially the quantitative aspect.
Our usual approach is to aim for a statement along the lines of “we can tolerate losses of $100 million annually with a 2% probability” with the actual amount and probability to be defined by you. Introducing the probability at the end seems like an unnecessary complication, but hear me out. Simply saying “we are willing to tolerate losses of up to $100 million annually” essentially puts a cap on the losses a company would be willing to experience. However, this is an impossible objective. Risk can never be completely eliminated.
Despite everything you do, there will always be a small probability that your losses will exceed $100 million. Introducing an element of probability is how you can make a risk tolerance statement realistic. The probability of losing $100 million should reflect the level you and your stakeholders are comfortable with. Everything you do subsequently is to ensure that your organization’s risk stays within those defined boundaries of $100 million and 2%.
We can start by looking at the impact of losses of different sizes through key financial metrics. For example, a $100 million loss might lead to a 5% impact on earnings per share (EPS). Is this something we can accept? How will shareholders and the board respond? Will it breach any debt covenants?
The average CEO might have a tenure of five years. Would she be comfortable with a 5% impact on EPS once in those five years, or with 20% probability each year? Is the concern about an absolute drop in EPS or relative to peers? Asking these questions and discussing the answers with key stakeholders can help identify the organizational risk boundaries within which you would want to operate.
It is important to remember that your latest financials already account for the losses incurred over the previous year. To make this a forward-looking exercise, it is therefore best to use your budgeted financials for next year when setting your risk tolerance.
While the example statement above is based on financials, there is no reason this cannot be applied to other aspects of your operations, using other metrics. For example, attrition should not be more than 10% with a 5% probability each year. Or the probability of losing a million hectares of forests to wildfires should be less than 10% each year.
Once the risk tolerance is set, the next step is to ensure that risk stays within those boundaries. This ideally requires an analytical approach to quantification of risk. Not just insurable risk but all risk.
Many experienced finance professionals would already have an instinctive understanding of the risk their organizations face. “In my experience, we will likely see a 20% drop in share price once every 10 years” or “I have experienced two large scale accidents over the last 20 years that stopped operations for a month” are some of the ways their organizations’ risks are articulated and connected to risk tolerance. For many organizations, this would be sufficient and perfectly valid. It shows thought is being given to risk and ensuring operations are carried out within certain risk thresholds.
At the other end of the spectrum, we have organizations that will take a data- and expert-driven approach to risk and connect it explicitly to their defined risk tolerance. They will look to build probabilistic models for their risks and estimate the likelihood that their losses would exceed the thresholds they have set. And if they do, figure out what can be done to reduce that likelihood, for example by:
When the risks in the portfolio are not the ones we have experienced in our lifetimes, a pandemic for example, or when the risks are changing fast, say, climate-related risks, the latter is the approach we should go with.
It is possible we won’t want to analyze all the risks in the portfolio, and that we would focus on just the biggest risks, or just the insurable risks. The risk tolerance statement can then be amended to reflect that, so that it is aligned with the risks being considered.
Usually, we see clients allocating 20% of their risk tolerance to insurable risks. So our earlier example could be amended to say, “we can tolerate insurable losses of $20 million annually with a 2% probability,” and then look to ensure that the retained losses (those within the deductible and above the policy limits) exceed $20 million in only two years out of 100.
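As an added illustration (not code from the article), the Python script below estimates by Monte Carlo the probability that annual retained insurable losses exceed the $20 million tolerance and checks it against the 2% threshold; the Poisson/lognormal claim model, the deductible and limit, and all parameter values are hypothetical assumptions.

```python
import math
import random

# Tolerance from the article: retained insurable losses may exceed $20M
# in no more than 2% of years (two years out of 100).
TOLERANCE_LOSS = 20_000_000
TOLERANCE_PROB = 0.02


def retained_loss(claim, deductible, limit):
    """Part of one claim the company keeps: the layer below the per-claim
    deductible plus anything above the policy limit (insurer pays the middle)."""
    return min(claim, deductible) + max(claim - limit, 0.0)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small claim rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_exceedance(n_years, freq, median, sigma, deductible, limit,
                        tolerance_loss=TOLERANCE_LOSS, seed=7):
    """Monte Carlo estimate of P(annual retained loss > tolerance_loss).
    Assumed model (hypothetical, not the article's): claim count ~ Poisson(freq),
    claim size ~ lognormal with the given median and log-sd sigma."""
    rng = random.Random(seed)
    exceed = 0
    for _ in range(n_years):
        year_total = sum(
            retained_loss(rng.lognormvariate(math.log(median), sigma), deductible, limit)
            for _ in range(poisson(rng, freq)))
        if year_total > tolerance_loss:
            exceed += 1
    return exceed / n_years


def within_tolerance(prob, tolerance_prob=TOLERANCE_PROB):
    """True if the estimated exceedance probability respects the statement."""
    return prob <= tolerance_prob


if __name__ == "__main__":
    # Constructed programme: 5 claims/yr, median $500k, heavy tail (sigma 1.5).
    for deductible, limit in [(1_000_000, 50_000_000), (1_000_000, 150_000_000)]:
        p = simulate_exceedance(20_000, 5.0, 500_000, 1.5, deductible, limit)
        print(f"deductible ${deductible:,} limit ${limit:,}: "
              f"P(retained > $20M) = {p:.3%}, within tolerance: {within_tolerance(p)}")
```

Raising the policy limit or lowering the deductible reduces the retained tail, which is one of the levers for bringing the exceedance probability back under the stated 2%.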
What we have described above is not very different from the prescribed regulatory capital requirement for insurers, like under Solvency II. Of course, most corporations would not want to hold enough capital to cover all but the 1-in-200 losses, but the principles are broadly similar.
If you are estimating your risk tolerance on the back of your group’s financials, it is likely that you are underestimating or overestimating it. This is because the group is a collection of entities each having its own set of risks.
The group-level risk can be allocated down to subsidiaries or business units, which can then allocate the risk further down to departments and individual risks. We can then account for the diversification or correlation between risks. This would mean that the sum of the tolerances allocated in this way is more or less than the group-wide risk tolerance.
An enterprise risk management function can usually support this process of allocating group-wide risk tolerance down to individual units and identifying the split between insurable and uninsurable risks.
Risk tolerance will change over time. Just like a person’s tolerance to risk will change depending on their circumstances — changes in income, marital status, having kids — a company's risk tolerance will also change over time, maybe because of a private equity acquisition, new shareholders and board members, or new regulations. To account for these changes, it is essential this exercise is carried out regularly, every other year at least if not annually — in other words a little more frequently than the bank asks me.