Risk Appetite, Tolerances and Limits —
Tying the Pieces Together
A Cohesive Approach Adds Value
By Manolis Bardis and Martha Winslow
Risk appetite frameworks that connect risk strategy with an insurer’s mission
and effectively link risk tolerances and risk limits will add value by aligning
risk-based decisions at all levels of the organization.
“A
“ company’s ERM
framework should focus
on adding value to the
business.”
Enterprise risk management (ERM) and risk appetite
have risen to the level of buzzwords in recent times.
Their prominence is driven by well-publicized riskcontrol failures as well as emerging and recently
enacted regulatory programs in many countries. It is
axiomatic that managing risk is the core business of
insurance companies. However, there is a growing
spotlight on all aspects of risk management, including
those routinely and effectively performed by insurers
as well as some newer practices being advocated by
regulators and other external parties.
While regulatory changes have been an important
stimulus for ERM activity, a company’s ERM
framework should focus on adding value to the
business. One way to do this is to implement an
ERM framework that enables better business
This article synthesizes the concepts presented in Towers Watson’s
three-part series of papers that revisits the concept of risk appetite and
how insurers can extract greater value from their efforts and investments
in this area. The first in the series, “Another Bite at the Apple,” was
recognized as the best paper in the Financial and Enterprise Risk
category at the 30th International Congress of Actuaries in April 2014.
A companion article in an upcoming issue of Emphasis will illustrate with
a case study how an insurance company can benefit from applying these
concepts.
Those readers wishing to read the series in its entirety can find the
papers on Towers Watson’s website, at towerswatson.com/riskappetite.
2 towerswatson.com
decisions that more fully reflect consideration of
risks associated with the company’s risk strategy.
Risk appetite, which requires companies to
articulate the type and magnitude of risks they are
and are not willing to accept, is one pillar of an
effective ERM framework and an important means to
enhance business decisions.
Over the course of the last year, Towers Watson
published three papers under the banner Risk
Appetite Revisited, which address several related
aspects of how to develop and apply a risk appetite
framework. The first paper, “Another Bite at the
Apple,” describes the foundational elements of
a risk appetite framework. The second paper,
“Achieving Near-Real-Time Risk Monitoring,” explores
the concept of an enterprise risk measurement
model to monitor risk tolerances and risk limits on a
timely basis. The final paper, “Setting Coherent Risk
Limits,” describes a practical method of tying risk
limits to risk tolerances.
The Risk Appetite Revisited series acknowledges
the current interest in risk appetite as well as the
frustration we hear from insurance executives, many
of whom describe their companies’ risk appetites as
insufficiently linked to their business strategies and
impractical to apply. The intent of the papers is to
help insurance companies make their risk appetite
frameworks more effective and useful in supporting
real-world decision making.
Figure 1. Risk appetite framework
Risk appetite
Risk Appetite Revisited
The papers introduce an updated risk appetite
framework and suggested vocabulary (Figure 1)
that reflect an evolution in our thinking and that
of the market about the essential features and
characteristics of risk appetite.
Risk appetite is the manner in which a company
expresses an identified set of risk-trading
opportunities (and sets boundaries on these) aligned
with successful delivery of its mission. While risk
generically refers to the uncertainty of outcomes,
in this context, risk should be defined by those events
and circumstances that may result from an insurer
failing to realize its mission. Risk to a mission is not
a singular but rather a multifaceted concept.
The risk appetite framework should explicitly state
which risks the organization needs to take and
separate those risks from ones not fundamental to
or compatible with its mission. There are several key
components:
•• Risk strategy articulates how risk is tied directly
to the insurance company’s mission and business
strategy. It is an expression (largely qualitative) of
the company’s overall philosophy toward risk trading.
•• Risk preferences view risks as opportunities,
ensuring the risk appetite statement balances the
risks’ expected returns (and risk-assumption needs
to achieve the mission) against the likelihood of
mission impairment.
•• Risk tolerances are quantitative expressions of the
aggregate amount of risk the company is willing to
accept, usually expressed in probabilistic terms,
time horizons and unacceptable mission-impairment
impacts. Risk tolerances are set at the overall
enterprise level across the full spectrum of risks
contemplated by the business strategy. Actual
levels of risk undertaken should be monitored and
compared against the stated tolerances.
Risk strategy
Strategic expression of an overall philosophy toward risk trading necessary to
achieve the mission, so that from the board on down there is alignment
What risks to take
How much risk to take
Risk preferences
Articulating risk as opportunity,
identifying risks that need to be taken
deliberately in the expectation of
creating the value needed to achieve
the mission
Risk tolerances
Quantitative expression of the amount
of aggregate risk the organization will
tolerate over varying time horizons as
a means to achieve its mission
Risk attractiveness
Tactical assessment of the risks
within the preference set, reflecting
current circumstances
Risk limits
Granular operational controls on
specific risks, expressed in metrics
that are locally relevant and practical
to monitor
•• While risk preferences are strategic, expressed as
the extension of the risk strategy, risk attractiveness
is more tactical, reflecting how current conditions
affect the relative attractiveness of different risks
as an element of the current business plan.
•• Risk limits are more granular tolerance levels
expressed for specific risk sources, business units
or products used to implement risk tolerances.
Risk limits are used to ensure the actual levels of
risk will stay within the agreed-upon risk tolerances.
Emphasis 2014/3 | 3
Another Bite at the Apple
Manolis Bardis
Specializes in P&C
risk consulting and
software.
Towers Watson,
Boston
Martha Winslow
Specializes in P&C
risk consulting and
software.
Towers Watson,
Minneapolis
In order to be useful, a company’s risk appetite must
be rooted in its mission and vision. Risk should be
defined by those events and circumstances that may
result in mission failure. When risks are articulated
in such a way, risk appetite and the accompanying
risk tolerances become actionable, helping to
improve business decisions. Linking risk appetite
to mission impairment leads to a broader view of
risk appetite and the need to recognize a broader
spectrum of risk types and sources that could cause
impairment of the company’s mission. As such, the
company’s risk appetite should address key risks
beyond just capital preservation, the traditional
focus of many companies’ initial risk appetite
statements. We suggest four risk quadrants:
•• Achieving targeted performance reflects the risks
associated with nonperformance.
•• Preserving capital adequacy includes the risks of
substantial loss in tangible value, to the extent
that it would threaten solvency, or trigger
regulatory or other external party actions.
•• Maintaining liquidity that is sufficient to meet
obligations is critical to the mission.
•• Protecting franchise value guards against risks
that cause losses in a franchise’s value.
Figure 2. Capital buffer
Excess capital
Normal
buffer
Increasing level of
management actions
to release capital
Target
Buffer capital
Sufficient to protect
against most short-term
fluctuations
Core capital
Required to meet:
• Regulatory minimums
• Rating agency
minimums
• Any other minimums
4 towerswatson.com
Increasing level of
management actions
to de-risk and
strengthen capital
Since risk tolerances set the boundaries for the
aggregate allowable risk, corrective (or adaptive)
actions must be taken when these boundaries are
approached. The company has resources that can
be deployed to provide management with a cushion
to adapt its plans without modifying its strategy or
mission. We call these resources “adaptive buffers.”
One example is capital held above the core capital
required to continue normal operations, as illustrated
in Figure 2. The company should identify a normal
buffer operating range. At the top of that range,
management increases activities to release capital,
and at the bottom of that range, management will
want to de-risk and strengthen capital. A buffer for
nonperformance might be an extended track record
of exceeding performance targets.
Adaptive buffers should exist for each of the four
risk quadrants. Buffers are costly, so their size must
be cost effective. Buffers are linked to tolerances
since the tolerance states the company’s willingness
to expose the buffer to potential exhaustion above a
predetermined threshold.
Achieving Near-Real-Time Risk
Monitoring
A key step in making the risk appetite framework
useful is implementing an enterprise risk
measurement model to monitor risk levels against
established risk tolerances and limits. By “risk
measurement model” we mean a tool or system
that measures the financial impact of one or more
risk drivers (e.g., catastrophe models for property
insurance portfolios or credit risk models for fixedincome portfolios). In the case of an enterprise risk
measurement model, the business portfolio is the
entire organization, such that the model calculates
enterprise-level financial impacts. These models
aggregate risks across all business units.
Enterprise risk measurement models can be designed
and used to monitor actual risk levels at a point in
time (e.g., quarterly or annually) or to model a defined
set of stress-test scenarios (e.g., the impact of
interest rate increases on both invested assets
and long-duration liabilities). In order to be useful
to the business, the models need to produce timely
results. We refer to this timeliness as “near real time.”
Many companies face the challenge of existing risk
measurement models that are large and complex.
They were not specifically designed for enterprise
risk monitoring, and consequently, the original
applications of the existing models were more
tolerant of extended run times. Among the typical
shortcomings of these first-generation models are
the substantial efforts, resources and time needed
to produce updated results. Some specialized
models can produce more timely results, but they
are usually unable to capture the net risk position
necessary for an enterprise view of the company’s
aggregate risk profile. Without the ability to monitor
the enterprise risk profile on a timely basis, risk
tolerances are largely an academic exercise.
Depending on the complexity of its existing firstgeneration models, a company may need to move
to a second-generation risk aggregation model among
the various risk drivers that is better designed
to support business decisions. The business
requirements for such a model include a laser-like
focus on producing near-real-time results that
are usable by business leaders throughout the
organization.
A case study in our second paper describes how
one company was able to restructure its enterprise
capital model. The redesigned model relied on loss
functions as a substitute for the complex valuation
of the financial impacts of risk drivers calculated
more precisely (and directly) by the first-generation
model. Essentially, the loss functions are equations
that capture the impact of the risk drivers on the
business portfolio without the need to revert to
complex first-generation business models. As an
illustration, a simple loss function might describe
the overall financial impact of a shift in the risk-free
yield curve on an existing asset portfolio without
the need to measure the direct impact on each
security within the portfolio. Loss functions need
to be updated only when there are substantial or
fundamental shifts in the underlying risk drivers. In
the absence of these changes, scenarios or stress
tests can be modeled by changing the inputs to the
loss functions. This loss-function approach provides
a reliable proxy for the information historically
generated by the company’s first-generation risk
models, but it requires considerably less effort to
run, and provides much more timely and, therefore,
more useful results.
Setting Coherent Risk Limits
Risk tolerances are set at the overall enterprise level,
across the full spectrum of risks expressed by the
four risk quadrants. These high-level statements are
not always easily actionable. Hence, risk tolerances
must be operationalized by establishing processes
and controls that help to manage the enterprise risk
portfolio so that if effectively executed, actual levels
of risk stay within the specified tolerances. These
operational processes and controls generally take
the form of local risk limits.
“Risk
“
strategy articulates
how risk is tied directly
to the insurance
company’s mission and
business strategy.”
The first step in creating the link between the
company’s risk tolerances and its more operational
risk limits is a risk allocation process. The adaptive
buffers are allocated to risk drivers in proportion
to the drivers’ propensity to consume buffers. As
a result, risk drivers with a higher propensity to
consume a buffer receive a greater allocation. For
example, a company with a large property exposure
naturally has a larger portion of its required capital
allocated to catastrophe risk. The result is a risk
budget (e.g., not more than 40% of the company’s
total capital can be allocated to catastrophes).
The risk budget deploys the total risk-taking capacity
of the enterprise to the various risk drivers and
business portfolios. In essence, risk budgets are the
highest-level risk limits imposed on each business
portfolio. They can focus on specific risk drivers or
on the total risk budget for a business unit, without
specifying budgets by risk factor.
Emphasis 2014/3 | 5
Figure 3. Risk budgets link tolerances to limits
Risk tolerances
Risk limits
•• Enterprise level
•• Cover all risk drivers
•• Express in
probabilistic terms
the mission
impairment impact
related to
consumption of
buffers
•• Local level
•• Related to specific
risk drivers or
specific business
portfolios
•• Express in practical
metrics relevant to
local managers
Risk budgets
•• Allocation of
required buffer to
risk drivers and
business portfolios
•• Allocation based on
relative propensity
to consume buffer
As illustrated in Figure 3, the risk budget helps create
linkages between enterprise risk tolerances and risk
limits set at the local level. They relate to specific
risk drivers or specific business portfolios and are
expressed using practical metrics relevant to local
managers.
Operationalizing the risk budget requires that it be
linked to local risk limits in a form that is actionable
by the managers of the respective risk portfolios.
Examples of actionable risk limits include total
insured property value, reinsurer credit rating and
investment mix by asset type.
Local risk limits must be linked to the business
portfolio’s specific risk drivers to be quantified and,
in turn, the impact of changes in the relationship
of risk limits to risk tolerances assessed (e.g.,
the required buffer against capital loss). These
quantifications can be determined using risk
measurement models for specific risk drivers and
the enterprise risk model. When first-generation
models are too cumbersome to support the
analysis, it is sensible to use loss functions that
first link the local risk limits to the risk drivers and
then link the risk drivers to the required capital.
6 towerswatson.com
Make Better Business Decisions
An improved articulation of risk appetite and timely
monitoring of the company’s actual risk profile
against risk tolerances are necessary to make
risk appetite a more valuable element of risk
management. However, these are not sufficient
to achieve that goal. Risk appetite must also be
operationalized through coherent linkages between
enterprise risk tolerances and local risk limits.
All insurance companies have one fundamental
commonality: They are in the business of taking
on risk to create value for their owners. Business
decisions made with the benefit of greater risk
awareness will be better, where “better” is defined
as maximizing reward without taking on more risk
than the insurance company is willing to tolerate.
The concepts presented in the Risk Appetite
Revisited series describe the basis for building a
strong risk appetite framework as a foundation for
better risk-based decision making.
For comments or questions, call or email
Manolis Bardis at +1 617 638 3807,
[email protected]; or
Martha Winslow at +1 952 842 6527,
[email protected].
“Risk
“
appetite must be
operationalized through
coherent linkages between
enterprise risk tolerances
and local risk limits.”