Fortunately, the Institute of Risk Management (IRM) provided such guidance in a recent paper, and it was also the subject of a question time debate at the recent IRM Risk Leaders’ Conference 2011.
Richard Anderson, Managing Director, Crowe Horwath Global Risk Consulting, IRM Deputy Chairman, and main author of IRM’s Risk Appetite & Tolerance guidance, explained that the paper was driven by changes to the UK’s Corporate Governance Code.
The draft code made mention of risk appetite and risk tolerance and, as Mr Anderson explained, there was some confusion in the market as to what exactly these terms meant. The Financial Reporting Council (FRC) removed the terms from the final code and the IRM, said Mr Anderson, “took up the challenge of putting out best practice guidance to directors and those that advise directors, on just what risk appetite and risk tolerance meant.”
He emphasised that the issue is complex and said that they were determined to develop something that could be measurable. “Risk management can often be a data-free, or data-light, zone in many organisations, and it shouldn’t be. Data should be sourced externally and internally, and it doesn’t all have to be hard financial numbers,” he added.
Risk appetite is also not a single fixed concept. It varies over time depending on circumstance, he explained, stressing the need to pull together the strategic, the tactical and the operational.
He said that simply saying that an organisation was risk averse, or risk hungry, meant very little. He preferred to talk about the propensity to take risk and the capacity to exercise control. He said that we should be thinking of risk appetite as much more of a ‘fight or flight’ response to risk.
The issue of setting and applying limits was raised during the panel debate. Mr Anderson said that the exercise of control was important and that is where limits can come in, but he also wanted risk appetite and risk tolerance to be seen as a willingness and desire to take risk as well as avoid it.
“The risk appetite that is defined to be just about control and about avoiding risk is an overly narrow interpretation of the subject,” he said.
John Summers, Chief Advisor of Risk at Rio Tinto, said that whether or not a board or organisation can actually enunciate its risk appetite, it still has one. “The decisions that it makes are based on an intuitive risk appetite. And so the first thing that organisations need to do is find a way to analyse what they do, and determine what their current risk appetite is. This is the starting point,” he said.
The panel was asked whether organisations should and could imagine things that could go wrong and change them or, as Anthony Hilton, Financial Editor of the London Evening Standard and the chair of the panel, put it, manage the ‘known unknowns or unknown unknowns’.
Simon Evans, Associate Director—Risk Advisory Services, RSM Tenon, said that it was fair to assume that the board were not looking in a crystal ball all the time. “However, I would argue that the board need to spend more time looking in that crystal ball, every time they sit down. Risk is absolutely fundamental to everything that the board does,” he said.
Mr Anderson said that he didn’t think that boards should be ‘totally fixated on unknown unknowns’, but organisations need to be looking at things that are beginning to emerge over the horizon, or what some people describe as ‘weak signals’.
“How do you identify those weak signals, amplify them and cut out the chaff? Also, some will gradually come across the horizon while others will come flying across. We need to build a degree of resilience to what I would call ‘fast clock speed risks’,” he said.
Mr Anderson said that the risk appetite and risk tolerance framework starts at the strategic level and has to challenge the organisation. “If as a consequence of developing your risk appetite and risk tolerance framework there are no new tensions in the boardroom, then you have probably wasted your time,” he said.
“I think there is the potential that this could be a fundamental change in the ways that we begin to manage our organisations. Let’s stop looking at what happened five minutes ago, and let’s start looking at what is going to happen over the next five or ten years.”
Chris Hodge, Head of Corporate Governance, FRC, was asked whether it was the intention of the FRC, when it put the code in place, to increase the tension between board members and if it works, encourage the organisation to take more risks. “I don’t think we were specifically looking for more tension, what we were looking for was for boards themselves to take a more active role.”
He explained that there was a recognition in the light of the financial crisis that boards had probably been too passive and had delegated risk management to management and were not taking enough concern themselves.
The panel was asked about whether the issue of risk appetite and risk tolerance simply added another level of complexity when discussing risk management with the board. Rio Tinto’s Mr Summers suggested that after the board has examined the risks that might be ahead of them, one should ask of them how much risk is too much?
He said that this can help them to define their risk appetite and risk tolerance, adding that a difficult area to be tackled was how the risk appetite, once defined and agreed, could be communicated down through the organisation.
“Can the board be sure that the decisions made by line management are in line with the board’s view as to what is too much risk, or perhaps what is not enough risk? We have to guard against undue complexity and if we make it too complex then it will be seen as a pseudo-compliance exercise,” he said.
Hans Læssøe, Senior Director, Strategic Risk Management, Lego Group, said it was important to remember that boards are not risk professionals. “It has to be simple,” he said. “It has to be like a smartphone. It is simple and intuitive and it has some complicated stuff inside it that we don’t need to know about in order to work it well. We can have risk management processes that may be highly complex, but the board should have confidence that once they use it they can get what they want out of it.”
Mr Anderson talked of his horror when people talk about risk management being simple, a four-step process. “There is a lot of complexity that underpins what needs to then be distilled into simple messages to the board. If you think that you can do risk management, risk appetite, all of these things, just by doing a four-step process, then you are deluding yourself,” he said.
The IRM paper Risk Appetite and Tolerance is available to download for free at http://www.theirm.org/publications/risk_appetite.html