Operational Risk Appetite and Tolerance


Operational Risk Appetite and Tolerance
Operational Risk Sound Practice Guidance

An IRM Group Company


Foreword
The Institute of Operational Risk (IOR) was created in January 2004 and became part of
the Institute of Risk Management in 2019. The IOR’s mission is to promote the development
of operational risk as a profession and to develop and disseminate sound practice for the
management of operational risk.
The need for effective operational risk management is more acute than ever. Events such as the
global financial crisis or the COVID-19 pandemic highlight the far-reaching impacts of operational
risk and the consequences of management failure. In the light of these and numerous other events,
organisations must ensure that their policies, procedures, and processes for the management of
operational risk meet the needs of their stakeholders.
This guidance is designed to complement existing standards and codes for risk management
(e.g. ISO31000). The aim is to provide guidance that is both focused on the management of
operational risk and practical in its application. In so doing, this is a guide for operational risk
management professionals, to help them improve the practice of operational risk in organisations.
Readers looking for a general understanding of the fundamentals of operational risk management
should start with the IOR’s Certificate in Operational Risk Management.
Not all the guidance in this document will be relevant for every organisation or sector. However,
it has been written with the widest possible range of organisations and sectors in mind. Readers
should decide for themselves what is relevant for their current situation. What matters is gradual,
but continuous improvement.

The Institute of Operational Risk Sound Practice Guidance
Although there is no one-size-fits-all approach to the management of operational risk, it is
important that organisations benchmark and improve their practice on a regular basis. This is one
of a series of papers, which provides practical guidance on a range of important topics that span
the discipline of operational risk management. The objectives of these papers are to:
• explain how to design and implement a ‘sound’ (robust and effective) operational risk
management framework
• demonstrate the value of operational risk management
• reflect the experiences of risk professionals, including the challenges involved in developing
operational risk management frameworks.

Contents
Introduction 4
Key terms and definitions 5
Risk appetite 5
Risk tolerance 5
Determining operational risk appetite and tolerance 7
Roles and responsibilities for determining operational risk appetite and tolerance 7
Expressing operational risk appetite and tolerance: Qualitative versus quantitative 8
Deciding on the appropriate level of operational risk appetite and related tolerances 10
Implementing operational risk appetite and tolerance 11
Communication 11
Monitoring 11
Aggregation and reporting 12
Management and decision making 13
Conclusion 14
Appendix A: The operational risk management framework 15

Introduction
Risk appetite is an area that attracts diverse views among operational risk practitioners.
Depending on the sector, scale and risk profile of an organisation, operational risk appetite
frameworks range in complexity and scope. Differences also exist in terminology, with some
practitioners preferring the term tolerance over appetite when referring to operational risks. For
these reasons, the following paper does not recommend a one-size-fits-all solution. Rather,
it outlines a variety of good practices, from which may be drawn a collection of appropriate,
relevant, and proportionate ideas.
Fundamentally risk appetite, whatever the risk that is focused upon, is about decision making.
Every action or decision within an organisation involves an element of risk. The organisation
must, therefore, be able to distinguish between risks that are likely to result in value-creating
outcomes (e.g. profit, reputation, improved services, etc.) versus those that may destroy value.
By determining an appropriate appetite for risk and implementing a framework to ensure that this
appetite is maintained, organisations can ensure that decision-makers do not expose them to
either too much, or too little, risk.
Whilst the focus of this paper is on operational risk, the IOR would expect that an organisation’s
appetite for operational risk is part of a broader, enterprise-wide appetite for risk. Operational
risk is important to all organisations and the Board and senior management must be engaged in
its management. Effective governance and compliance require the management of risks which
are typically operational (e.g. fraud, health and safety and conduct-related risks). Also, strategic
decisions (e.g. new product development) often require exposure to operational risk and it is
important that the Board and senior management are cognisant of these risks and satisfied that
the organisation can take them.
Organisations that implement a framework for determining and managing their operational risk
appetite can achieve several benefits:
• Enable the Board to exercise appropriate oversight and corporate governance by defining the
nature and level of operational risks it considers acceptable (and unacceptable) and thus set
appropriate boundaries for business activities and behaviours
• Provide a means of expressing senior management’s attitude to operational risk, which can
then be communicated throughout the organisation to help promote a risk-aware culture
• Establish a framework for operational risk decision making, to help determine which risks can
be accepted/retained and which risks should be prevented or mitigated
• Improve the allocation of risk management resources by bringing into focus higher priority
issues, specifically operational risk exposures or control weaknesses that are outside of appetite
or tolerance
• Ensure that the cost of operational risk management does not exceed the benefits
• Align strategic goals and operational activities through optimising the balance between
business development/growth/returns and the operational risks inherent in pursuing those goals

Key terms and definitions
There are no universal definitions of either risk appetite or risk tolerance. Agreeing a universal
definition is especially difficult in the context of operational risk, given that most operational risks
are framed as ‘downside’ risks which can only result in a loss for an organisation.
Risk appetite
Irrespective of the academic debate concerning definitions, operational risk practitioners should
ensure that their organisation has a clear definition of operational risk appetite that is accepted
and understood by its management and Board of directors. A useful starting point is the IRM’s
definition of risk appetite from an enterprise-wide context:
‘The amount and type of risk that an organisation is willing to take in order to meet their strategic
objectives’
From an operational risk perspective, organisations could replace ‘is willing to take’ with ‘is
prepared to accept’ or similar. Operational risks are inherent in organisational activities, but rarely
are they sought, because they have no material upside in terms of return/income generation.
There are, however, cost/benefit decisions involved in defining an appropriate balance between
accepting potential losses on the one hand and incurring costs of prevention and mitigation on
the other (including associated operational inefficiencies that introducing a new control could
involve). Reducing operational risk exposures to zero is usually not possible or practical. The
only way to achieve zero exposure is to cease activity, and that may prevent an organisation from
achieving its strategic objectives.
The IOR’s view is that financial services organisations, and those operating in safety or
environmentally critical sectors (e.g. nuclear, chemical processing, etc.), should adopt an
acceptability-oriented definition of operational risk appetite. This is because their operational risk
exposures have the potential to cause serious financial and physical harm to stakeholders. In
non-financial organisations, and those that do not represent a significant safety or environmental
risk, especially those operating in entrepreneurial sectors like technology, a definition that
reflects a willingness to take risk is appropriate. This is because risk-taking, including a degree
of operational risk, can be a necessary part of exploiting business opportunities, especially
concerning the development of new products, supply chains, or manufacturing processes.
Risk tolerance
As explained above, an organisation’s appetite for operational risk reflects the balance that
it is prepared to maintain between the costs of controlling operational risk exposures and the
costs of operational risk events. This is a high-level strategic decision that will influence both
the resources devoted to operational risk management and the level of risk that is inherent in
organisational activities.
In contrast, the term risk tolerance is typically used as a specific benchmark for the acceptability
of a given operational risk exposure (e.g. internal or external fraud) or metrics, such as a risk or
control effectiveness indicator. In this regard, an organisation may decide that it is prepared to
tolerate a specific number of operational errors or control weaknesses because their elimination
would not be cost-effective.

Tolerance can be expressed using a Red, Amber, Green (RAG) based approach:

Status   Meaning        Action
Green    Acceptable     No immediate action required, except for routine monitoring
Amber    Tolerable      Investigate (to verify and understand the underlying causes) and consider
                        ways to mitigate/avoid within a specified time period
Red      Unacceptable   Take immediate steps to mitigate or avoid

The thresholds that determine when a risk exposure or metric moves from green to amber, and
then from amber to red, reflect an organisation's level of tolerance. The wider these thresholds, the
greater the degree of tolerance.
Occasionally an organisation may decide that it is not willing to tolerate something. Usually, this is
impossible to achieve for specific operational risk events, including highly undesirable ones like
fraud or accidents at work. However, zero tolerance is possible for some of the effects that may be
associated with these events, such as the potential for regulatory intervention and enforcement
activities. For example, an organisation can never reduce the number of workplace accidents to
zero, but it can ensure that it does not breach health and safety rules. Hence it is possible to
specify a zero tolerance for compliance breaches, though not for accidents.
Where both tolerance and appetite are used, organisations may either:
• Set tolerance limits and thresholds below the agreed appetite for operational risk. From a RAG
perspective, this means setting the appetite at the red level and tolerance at amber
• Set tolerance limits above the agreed appetite for operational risk. Hence appetite would in
effect reflect the amber threshold and the limit of tolerance the threshold for red
The first approach is most appropriate in high control environments, such as financial services.
The primary benefit is that where a risk exposure (or related risk or control effectiveness indicator)
exceeds the amber tolerance limit, it serves as an early warning of a potential appetite breach.
The second approach is most appropriate in more entrepreneurial environments where risk-
taking, including taking certain operational risks (e.g. new product development risks), is a
necessary part of an organisation’s strategic objectives. The advantage of such an approach
in this environment is that the appetite for operational risk may be exceeded when there is a
potential business benefit from doing so. However, it would be prudent for any such decision to
receive Board-level approval, especially where corporate governance rules require Boards to
oversee their organisation’s appetite for risk.
Whichever approach is selected, two fundamental principles remain: a level of exposure to
operational risk which may be exceeded in exceptional circumstances, and a level that must not
be exceeded under any circumstance. In terms of the latter, organisations must not knowingly
take operational risks that have a high probability of causing:
1. Death or injury
2. A breach of applicable laws and regulations
3. Financial distress and bankruptcy

Determining operational risk appetite and tolerance
Determining appropriate levels of operational risk appetite and tolerance, where necessary,
involves many considerations, including the ‘measures’ of expression that should be used and
the appropriate level of these measures. As is often the case there is no one optimal approach,
though there is sound practice. The key stages in the process are:
• agreeing who is responsible for determining operational risk appetite and tolerance
• establishing how to express this operational risk appetite and tolerance
• deciding on the appropriate levels of these methods of expression
Roles and responsibilities for determining operational risk appetite and tolerance
The Board
In many firms, the current practice is for the Board to consider risk appetite statements drafted
by the senior management. This approach often reflects the complex nature of many financial
organisations. Unfortunately, this practice can result in anchoring and is open to challenge by
supervisory authorities and during Board effectiveness reviews when it could be argued that
Boards do not have a wide enough choice of recommendation and are too guided by the work of
senior management.
The Institute feels that where possible Boards should be more involved in the process of setting
risk appetite and should be able to demonstrate a more active role in thinking about and setting
risk appetite, albeit guided by the relevant experts.
To improve Board engagement an alternative is for operational risk practitioners to limit
themselves to designing the process for determining operational risk appetite. This might include
providing a template that the Board can use (see Appendix A) or facilitating discussions by the
Board. But it would not include providing specific recommendations about the appropriate level
of operational risk appetite.
A further advantage of this alternative approach is that directors (whether executive or
non-executive) have the broadest possible strategic perspective and should have a
clear understanding of stakeholder risk preferences. As a result, they can ensure that the
organisation’s operational risk appetite is aligned with its strategic objectives while meeting the
needs of stakeholders.
One way in which a Board can determine an organisation’s appetite for operational risk is to
present them with a template, like that provided in Appendix A. First, individual Board members
should be asked to vote on what level of appetite they feel is appropriate for each of the elements
within the template. Second, the Board should review and discuss these votes to reach a
consensus. Third, the Board should vote a second time and the results used to set the initial
appetite for operational risk. The process could be repeated if necessary, should a consensus
not be reached. It is recommended that this approach be conducted outside of a scheduled
Board meeting, for example during an away day, to allow time for discussion. Once an appetite
for operational risk has been agreed, it should take less time to review and update as necessary
(at a minimum, annually).

Business management
Managers across an organisation will be involved in the day-to-day management of a wide
variety of operational risks. Some may be designated risk or control owners to reflect their
responsibilities for effective risk management.
Business managers do not, normally, get involved with determining an organisation's appetite for
operational risk, given that this is part of a Board’s governance responsibilities. However, they
may be involved in determining RAG tolerance thresholds for specific operational risk exposures
or risk and control metrics. Where they are involved in setting risk tolerances these should not
contradict the overarching operational risk appetite.
The operational risk function or equivalent
The operational risk function has a dual role:
• supporting the work of the Board (see above)
• overseeing the work of business managers in determining RAG tolerance thresholds
In overseeing the work of business managers, the operational risk function should balance the
activities and objectives of specific business units, departments or functions with the operational
risk appetite set by the Board. Business managers should not set RAG tolerance limits that may
facilitate decisions that are inconsistent with the Board’s appetite for operational risk (e.g. to set
thresholds which promote excessive or insufficient risk-taking and control). The operational risk
function should challenge tolerance limits where they are concerned about consistency. Where
applicable the risk or operational risk committee can be used to support this oversight.
The internal audit function
Organisations that have separate risk and internal audit functions should not normally involve
internal audit in the determination of operational risk appetites or tolerance thresholds. However,
they may decide to use the internal audit function to review the process used for determining
operational risk appetite and make recommendations for improvement, where necessary.
Expressing operational risk appetite and tolerance: Qualitative versus quantitative
Operational risk appetite, and specific tolerances, may be expressed in a variety of different
ways. Broadly these can be classified into qualitative and quantitative approaches.
Qualitative
Qualitative expressions rely on written statements that do not involve any quantification. They are
useful where operational risks are difficult to quantify and to reinforce the relationship between
operational risk and strategic/business management objectives. Qualitative statements can
also be used to emphasise specific behaviours or attitudes, and in so doing help to control an
organisation’s risk culture.
Specifically, qualitative expressions of appetite or tolerance can be used to reinforce several
important messages, such as:
• To recognise that certain operational risks, however unwelcome, are unpreventable (e.g.
terrorism, natural disasters, pandemics), though the effects of these exposures may still be
mitigated through appropriate business continuity and crisis management
• It is sensible to accept operational risks where the cost of mitigation/avoidance exceeds the
expected loss provided there is no risk of bankruptcy, enforcement, or stakeholder harm
• Risks will be accepted when the estimated losses are within prescribed tolerance levels

• Behaviours deemed to be unacceptable, such as: knowingly breaking the law, breaching
regulatory requirements or company policy; damaging the environment; providing poor
customer service or exposing people to physical harm
• Risks deemed unacceptable, such as: operating within specific countries or selling certain
products
• The importance of maintaining a good reputation
Quantitative
Quantitative expressions involve hard data, usually having roots in business management
information, which could be any combination of performance, risk, or control indicators.
Quantitative expressions tend to be risk or control specific and thus are primarily an indication
of operational risk tolerance, rather than overall appetite. Such measures can be accompanied
by amber and red thresholds so that it is clear when a breach has occurred or is imminent. The
concept of setting zero tolerance thresholds may seem impractical, but they can have a cultural
purpose in reinforcing the message that it is not appropriate to accept avoidable losses without
question.
Strategic level performance metrics that provide a broad expression of operational risk appetite
in isolation are rare. One potential measure is the amount of economic or regulatory capital
allocated to operational risk. Non-financial organisations do not tend to calculate or allocate
capital to specific risk categories, but it is more common in financial services. Where capital is
allocated to operational risk, an organisation could express its appetite for operational risk in
terms of a risk specific capital buffer. For example, an organisation may allocate a minimum of
£10m of capital to operational risk, plus a 10% buffer (an additional £1m), to allow for the fact
that unexpected costs may exceed the minimum allocation. The larger the buffer the higher the
organisation’s appetite for operational risk.
Risk and control specific operational risk tolerance metrics are common, examples include:
• Delegated limits of authority beyond which subordinates must escalate for approval
• Measures of system or process reliability, for example, no more than xx% chance any
business-critical system is unavailable for more than one day in any one year
• Reported loss amounts based on budgeting, the aggregate annual amount by business area/
loss type and/or sensitivity, i.e. an adverse trend of 5% may be acceptable, 10% tolerable,
but 15% unacceptable. Note that thresholds may be set on a per-event basis, for specific risk
categories over an agreed period or on an aggregate basis for all operational risks. The aim
is to cover both high volume/low value and low volume/high-value types of events. Thresholds
may also be used to support reporting and escalation processes, to help identify the level of
management or executive attention
• Risk/control assessment boundaries to distinguish acceptable/tolerable/unacceptable levels
of exposure to specific risk types
• Risk and control indicator amber and red thresholds expressed in units that are appropriate
for the indicator in question, i.e. numerical count, financial value, percentage, or variance

Deciding on the appropriate level of operational risk appetite and related tolerances
As explained, the Board of directors is responsible for deciding the appropriate level of
operational risk appetite, while business management set operational risk tolerance for specific
risks and controls that are consistent with the overall appetite.
In deciding on the level of operational risk appetite the Board should consider three primary
factors:
1. The strategic objectives of the organisation. For example, an organisation looking to grow, or
maintain potential market share may decide to accept a greater level of operational risk
2. The risk preferences of key stakeholders. Where stakeholders are more averse to operational
risk a lower level of appetite will be appropriate, and vice-versa
3. The financial strength of the organisation. Weaker organisations should not normally have
a high appetite for any sort of risk, given the potential for their crystallisation to cause
bankruptcy. Stronger organisations have more scope to take the risk, including operational
risks, because they should have the funds necessary to finance the costs associated with risk
events
When setting tolerance levels for specific operational risks or controls, business managers
should ensure that these are consistent with the Board's appetite for operational risk. Whenever
tolerance limits are set which are inconsistent, especially if above the agreed appetite, this should
be passed to the Board (or Board risk committee where present) for approval.
Techniques that may be used to set tolerance thresholds include:
• looking at historic trends in data series to understand normal versus exceptional, and
potentially less tolerable, values
• benchmarking with similar organisations or industry standards, for example, an inter-
organisation comparison of staff turnover or sickness absence or comparing systems
availability to recommended standards of availability
• benchmarking between different departments or functions within the organisation
Where trends or benchmarking information are not available, thresholds should be set using
'expert judgement', with assumptions documented and signed off and the thresholds refined as
additional information becomes available.

Practical Examples
Example 1
An organisation wishes to set red and amber tolerance thresholds for staff turnover. High levels of
turnover can be a signal of declining staff morale and new staff are more likely to make mistakes,
so the organisation is most concerned about a sudden increase. Monthly staff turnover usually
averages 3% with a normal deviation of 1% (i.e. turnover tends to range between 2% and 4%).
Once, when the organisation's turnover increased to 6% for several months, a morale issue was
identified. Hence the organisation decides to set the amber threshold at 4.5% and red at 6%.
Example 2
Red and amber tolerance thresholds need to be set for the availability of a new core system.
Though extensive testing suggests that the system is very reliable, no historic data exists
regarding the stability of the system in regular daily use. Management set red and amber
limits based on their experience with other IT systems and user reactions to failures. Evidence
suggests that a non-availability rate of less than 1% is tolerable, but 2% or more can disrupt
business operations. Hence the amber threshold is set at 99% availability and red at 98%.
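The two examples above set thresholds in opposite directions: for staff turnover a higher value is worse, while for system availability a lower value is worse, so a threshold evaluator has to know which way each metric runs. The following is an added example written for this guidance, not code from the IOR or IRM. It takes the thresholds from Examples 1 and 2 (amber 4.5% / red 6% for turnover; amber 99% / red 98% for availability), classifies a series of reported readings against them, and applies two of the review heuristics from the Monitoring section (recurring ambers, recurring greens). The metric names, sample readings and the three-period window for "recurring" are constructed assumptions.

```python
"""Added example (not part of the IOR guidance): evaluating reported metric
values against amber and red tolerance thresholds.

Example 1 (staff turnover): amber 4.5%, red 6%, higher is worse.
Example 2 (system availability): amber 99%, red 98%, lower is worse.
The thresholds come from the guidance; the metric names, sample readings
and the "recurring" window are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Status(str, Enum):
    GREEN = "green"   # acceptable: routine monitoring only
    AMBER = "amber"   # tolerable: investigate, mitigate within a set period
    RED = "red"       # unacceptable: immediate action


@dataclass(frozen=True)
class Tolerance:
    """Amber and red thresholds for one metric.

    higher_is_worse=True  -> e.g. turnover: red when value >= red threshold
    higher_is_worse=False -> e.g. availability: red when value <= red threshold
    """
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        # Reject thresholds ordered the wrong way for the metric's direction.
        if self.higher_is_worse and not self.amber < self.red:
            raise ValueError(f"{self.name}: amber must be below red")
        if not self.higher_is_worse and not self.amber > self.red:
            raise ValueError(f"{self.name}: amber must be above red")

    def status(self, value: float) -> Status:
        """Map one reading to a RAG status; the threshold value itself counts as a breach."""
        if self.higher_is_worse:
            if value >= self.red:
                return Status.RED
            if value >= self.amber:
                return Status.AMBER
            return Status.GREEN
        if value <= self.red:
            return Status.RED
        if value <= self.amber:
            return Status.AMBER
        return Status.GREEN


# Thresholds taken from Examples 1 and 2 in the guidance.
TURNOVER = Tolerance("monthly staff turnover %", amber=4.5, red=6.0, higher_is_worse=True)
AVAILABILITY = Tolerance("core system availability %", amber=99.0, red=98.0, higher_is_worse=False)


def classify_series(tol: Tolerance, readings: List[float]) -> List[Tuple[float, Status]]:
    """Return (value, status) pairs for a series of reported values."""
    return [(v, tol.status(v)) for v in readings]


def review_flags(statuses: List[Status], window: int = 3) -> List[str]:
    """Flag patterns the Monitoring section asks reviewers to look for.

    - 'recurring_amber': the last `window` readings are all amber (a static
      or worsening position that never trips the red threshold).
    - 'recurring_green': every reading is green, which may mean the
      thresholds are not sensitive enough and should be reviewed.
    Both heuristics (and the window size) are assumptions made for this example.
    """
    flags = []
    if len(statuses) >= window and all(s is Status.AMBER for s in statuses[-window:]):
        flags.append("recurring_amber")
    if statuses and all(s is Status.GREEN for s in statuses):
        flags.append("recurring_green")
    return flags


if __name__ == "__main__":
    # Constructed sample readings (not from the guidance).
    samples = [(TURNOVER, [3.1, 2.8, 4.6, 4.9, 5.2]), (AVAILABILITY, [99.7, 99.4, 98.6, 97.9])]
    for tol, readings in samples:
        classified = classify_series(tol, readings)
        for value, status in classified:
            print(f"{tol.name}: {value} -> {status.value}")
        print("review flags:", review_flags([s for _, s in classified]))
```

The validation in `__post_init__` catches the most common configuration error in practice, an amber and red pair copied from a "higher is worse" metric onto a "lower is worse" one, which would otherwise silently report green for every reading.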

Implementing operational risk appetite and tolerance
A framework is required to ensure that operational risk management decisions across the
organisation are consistent with the Board’s appetite for operational risk and risk or control
specific tolerances. The design of such a framework will vary with nature, scale, and the
complexity of an organisation’s activities, but the basic elements of this design remain the same.
Communication
To ensure they make appropriate decisions, an organisation's operational risk appetite and
associated tolerances must be communicated to all staff involved in making operational
risk management decisions. This might include those involved in managing activities that
necessarily involve an element of operational risk (e.g. the operation of systems, processes, and
procedures), as well as those involved in monitoring and controlling operational risk exposures
(e.g. HR and IT staff).
Organisations may communicate their overall appetite for operational risk using a range of
methods, including staff induction and training, staff meetings, intranet resources and
performance reviews. It is recommended that multiple channels are used to ensure the message
is received and understood.
Tolerance thresholds for specific operational risks and controls should be communicated to all
staff involved in the management of these risks and controls, especially risk and control owners if
used.
Monitoring
Procedures should be put in place to ensure that an organisation remains within its chosen
appetite and tolerances for operational risk. This will ensure that the organisation uses its
operational risk management resources most efficiently while preventing and mitigating its most
significant operational risk management exposures.
There are two distinct steps involved in the design and implementation of these procedures:
1. Arranging for the required data to be reported by the appropriate party at an agreed
frequency. From the outset, it is important to take all reasonable steps to ensure the integrity
of the data with respect to completeness, accuracy, and timeliness. It is recommended
that operational risk appetite and tolerance reporting is built into existing operational risk
reports to save time producing new reports and to prevent overloading management. Such
integration will also help management to understand the significance of a change in risk
exposure, for example, operational risks that increase in exposure but remain within appetite
or tolerance versus those that fall outside of the agreed operational risk appetite or tolerance
thresholds
2. The crucial stage of converting data to information by adding context and
interpretation (e.g. how the data compares with business performance metrics, whether the
data is suggesting the emergence of increased or reduced risk, i.e. whether the movement
is relatively positive or negative). This entails the identification and investigation of adverse
variances and trends and analysis of the underlying causes. Some key considerations include
whether:
• recurring “ambers” are reflecting a static or worsening position
• a cluster of “ambers” represents an overall “red” in aggregate
• recurring “greens” may suggest thresholds are not sufficiently sensitive and should be
reviewed

The monitoring of performance against qualitative statements of operational risk appetite or
tolerance is more challenging but should be attempted where possible. One solution is to have
regular conversations at the Board, risk committee and risk function level about whether staff
behaviours and organisational activities are consistent with these statements. Other relevant
functions such as internal audit, HR and IT security may also be involved to gauge their opinion.
The value of conversations about operational risk should not be underestimated. It can help to
promote risk awareness and identify potential areas of concern.
More formal mechanisms to monitor performance against qualitative statements include internal
audit reviews, information from staff performance reviews (where adherence to key qualitative
statements could be assessed), and investigations into loss events, to determine whether
they were partially the result of behaviours or actions included in qualitative statements (e.g.
regulatory breaches).
Aggregation and reporting
Some of the challenges in aggregation and reporting arise from making sense of tolerance
thresholds set in different parts of the organisation.
If a business unit adopts Group level tolerances it will, almost certainly, report a perpetual “green”
status because the scale of its operation is insufficient to breach Group thresholds – thus there
would never be any trigger for action anywhere in the organisation. On the other hand, a “red”
status at the business unit level may be of little or no significance at Group level and thus dilute
the value of the “unacceptable” flag at senior management level.
A solution adopted by some organisations involves the recalibration of thresholds at different
layers in the organisation. Figure 1 provides an example.

Figure 1

The risk exposure on the left of this diagram belongs to Business 1 which represents 80% of
Division A, which in turn forms 80% of the Group. In this case, the “red” status at the business
level is of similar significance in the context of the Division and Group as a whole. The risk
exposure on the right of this diagram is also a “red” risk at the business level because it is
significant to the management of Business 4. However, since that business is a small part of
Division B, which itself is a small part of the Group, the significance reduces with the escalation
up the organisation.
Recalibration, at Divisional and/or Group levels, can be achieved by applying a weighting to
the reported data according to the relative scale of the initiating business. However, weightings
cannot be so low as to remove them from top-level scrutiny:
• the implications of poorly managed operational risk in one business may have a contagious
effect on the reputation of the Group as a whole
• weaknesses in operational risk management may be systemic, meaning that problems in one
business may be a signal of issues elsewhere
Therefore, the aggregate position needs to be managed on a common-sense basis. However
good an aggregated reporting system may be, it does not remove the need for a qualitative and
evaluative approach being adopted at the Group centre.
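The recalibration described for Figure 1 can be made mechanical while still honouring the caveat that weightings must not remove a business-level "red" from top-level scrutiny. The following is an added example, not code from the IOR or IRM, and the page gives only the structure (Business 1 is 80% of Division A, which is 80% of the Group; Business 4 is a small part of Division B, itself a small part of the Group). The 20% shares used for the "small" units, the green/amber/red severity scores, the aggregate thresholds and the amber floor for any red reported below are all assumptions made here. It also shows the "cluster of ambers is a red in aggregate" case from the Monitoring section, since the same weighted sum covers it.

```python
"""Added example (not from the IOR guidance): recalibrating RAG statuses as
they are escalated up an organisation, following the Figure 1 description.

Assumptions made here: green/amber/red score 0/1/2; a parent's severity is
the share-weighted sum of its children's severities; an amber-equivalent
across a whole unit (1.0) is red at that level and half of that (0.5) is
amber; any red reported below is floored to at least amber higher up.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(str, Enum):
    GREEN = "green"
    AMBER = "amber"
    RED = "red"


# Severity score per status; one amber across a whole unit scores 1.0.
SEVERITY = {Status.GREEN: 0.0, Status.AMBER: 1.0, Status.RED: 2.0}

# Aggregate thresholds (assumed, see module docstring).
AMBER_AT = 0.5
RED_AT = 1.0


@dataclass
class Unit:
    name: str
    share_of_parent: float = 1.0        # fraction of the parent's scale (0..1)
    reported: Optional[Status] = None   # leaf units report their own RAG status
    children: List["Unit"] = field(default_factory=list)


def severity(unit: Unit) -> float:
    """Severity at this unit's own level.

    A leaf maps its reported status to a score. A parent sums its children's
    severities weighted by their share of the parent, so a red in a small
    child is diluted while a cluster of ambers in large children adds up.
    """
    if not unit.children:
        return SEVERITY[unit.reported]
    return sum(severity(c) * c.share_of_parent for c in unit.children)


def has_red_below(unit: Unit) -> bool:
    """True if any business beneath this unit reported red."""
    if not unit.children:
        return unit.reported is Status.RED
    return any(has_red_below(c) for c in unit.children)


def status_of(unit: Unit) -> Status:
    """RAG status at this unit's level after recalibration.

    Floor (assumption implementing the guidance's caveat): a red reported
    anywhere below is never shown as green higher up, so weighting cannot
    remove it from top-level scrutiny.
    """
    s = severity(unit)
    if s >= RED_AT:
        result = Status.RED
    elif s >= AMBER_AT:
        result = Status.AMBER
    else:
        result = Status.GREEN
    if result is Status.GREEN and has_red_below(unit):
        result = Status.AMBER
    return result


def figure1_group() -> Unit:
    """The structure described for Figure 1, with constructed statuses and shares."""
    division_a = Unit("Division A", 0.8, children=[
        Unit("Business 1", 0.8, Status.RED),
        Unit("Business 2", 0.2, Status.GREEN),
    ])
    division_b = Unit("Division B", 0.2, children=[
        Unit("Business 3", 0.8, Status.GREEN),
        Unit("Business 4", 0.2, Status.RED),
    ])
    return Unit("Group", 1.0, children=[division_a, division_b])


def report(unit: Unit, depth: int = 0) -> List[str]:
    """Indented RAG report for the whole tree."""
    lines = [f"{'  ' * depth}{unit.name}: {status_of(unit).value} (severity {severity(unit):.2f})"]
    for c in unit.children:
        lines.extend(report(c, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(report(figure1_group())))
```

With these assumptions Business 1's red stays red at Division A and at Group, matching the text, while Business 4's red is diluted to an amber at Division B rather than disappearing. The qualitative review at the Group centre that the guidance calls for is still needed; the floor only guarantees the item remains visible.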
Management and decision making
An organisation’s operational risk appetite and associated tolerances should be used to drive
action. Organisations should not accept exposures or control weaknesses that are outside of
either its overall appetite for operational risk or agreed tolerance thresholds. Key decisions
include:
• Whether it is appropriate to accept the breach for a limited period. After weighing all the
evidence, it may be the case that a breach is a truly one-off exception. In other cases,
it may be appropriate to review and re-calibrate previous tolerance levels if they are believed
to be too sensitive. It is recommended that such acceptances should be recorded and
revisited regularly.
• Taking steps to mitigate/avoid and prevent a recurrence. This is likely to be the most
appropriate response to a breach of operational risk appetite or tolerance and will require
approval to implement some additional or alternative control measures.
• Some intermediate management action – for example, conducting extended or more intense
monitoring, undertaking additional root cause analysis, or investigating the cost/benefit of
mitigation options.

Conclusion
Designing and implementing an operational risk appetite and/or tolerance framework is
challenging. However, the rewards can be substantial. Organisations fail either because of
excessive or insufficient risk-taking. By establishing risk appetite and tolerance frameworks they
can help ensure that an appropriate degree of risk, including operational risk, is taken in the
pursuit of their objectives.

Appendix A: Example operational risk appetite template

www.theirm.org

Developing risk professionals
