
Six questions to design a risk tolerance framework that drives resilience and growth

By Mary Catherine Stabler, CFA, Erica Herzberg and Ben Fidlow, FCAS, MAAA | September 28, 2023

A robust risk tolerance framework allows your organization to take calculated risks that drive organizational growth while maintaining resilience. What should you consider to get it right?

Clearly defined risk tolerance should be the bedrock for all business decisions. If you don’t have clarity on what you're willing to put at stake to achieve your objectives, how can you evaluate whether a business decision represents a move too far, or not far enough? An effective risk tolerance framework provides the evidence your organization needs to confidently take risks and sidestep moves that could put its financial standing in undue peril.

However, establishing a robust risk tolerance regime isn’t always straightforward. Maybe you’re not yet using the metrics liable to garner organizational buy-in; perhaps the conversation has been led by different individuals over time. These scenarios can leave the business with methodologies that aren’t repeatable or sufficiently objective, and so don’t inspire the confidence needed to call on risk tolerance considerations when there are big decisions to be made, for example, around capital investment or business model changes.

Risk managers may even struggle to communicate the value of operating within a risk tolerance framework at all, particularly if this framework isn’t directly aligned with the financial performance and strategic aims of the business, or if it’s based on incomplete data or proves unresponsive to changing economic circumstances.

So, in this insight, we suggest six questions to help you design a risk tolerance framework that’s fit both to support growth and financial resilience and to communicate the contribution analytically driven risk management can make to long-term performance.

Q1: How are you defining an ‘adverse event’ for your organization?

An effective risk tolerance framework defines ‘adverse events’ in terms specific to your organization, quantifying the level of loss that would imperil your financial resilience and/or negatively impact your organization’s credit rating.

By creating explicit, numerical statements on risk tolerance and risk-bearing capacity that are customized to your organization’s financial goals, you start to make risk tolerance objective, transparent and meaningful.

If clearly defined risk tolerance thresholds are the bedrock for all business decisions, then defining ‘adverse events’ analytically should be one of the first steps to ensuring the big calls the business makes are the right ones.

Q2: Does your risk tolerance view consider how losses might impact your credit rating?

Most risk tolerance measures are based on perceptions related to earnings, debt covenants, and cash flow, and what a given level of downside would mean to shareholder and stakeholder expectations.

However, as credit rating is a critical component to almost all companies, you should explicitly incorporate how you measure these considerations into your risk tolerance framework. Your risk tolerance approach should also be able to identify recommendations based on these perspectives to protect your organization’s credit rating.

Q3: What data and metrics are driving your risk tolerance – are these aligned with financial aims?

While both risk and treasury professionals value a well-defined risk tolerance, the process used to determine acceptable levels of risk is too often a ‘black box’ to the rest of the organization. This can result in thresholds that don’t empower informed risk decision-making by the business.

To achieve transparency and agreement on what risk and treasury mean by ‘risk tolerance’ you need to frame it using a lens that matters to the rest of your organization. This is about calling on metrics aligned to financial objectives: the thresholds that describe the profitability you’re aiming for; considering the dynamics around free cashflow, debt covenants, or earnings per share, for example.

Creating this specific and meaningful view is likely to involve a collaborative effort from risk and treasury, calling on the data access and expertise of each. This process can overcome issues such as historical communication barriers between risk and treasury, limited access to reliable data, or challenges around different business areas prioritizing divergent metrics and therefore driving misalignment across the organization.

Q4: Are the data and metrics driving your risk tolerance definition also driving business decisions?

With agreement on data and metrics and explicit risk thresholds, your organization will be empowered to apply various quantitative business and risk analyses to assess the value of each action. This means decisions can now reflect the variable outcomes, plus the implications on company resilience.

Q5: Does your risk tolerance statement demonstrate resilience in changing economic conditions?

Designing an effective approach to risk tolerance is not a one-time exercise. Effectively implementing a risk tolerance framework means continually evaluating the impact of changing financial dynamics on your organization, recognizing that a smart risk financing or business investment today may not prove as smart tomorrow.

Agile risk tolerance is about running and re-running analysis on the realities of your organization’s financial standing and financial wellbeing, stakeholder expectations, and changing business opportunities.

Q6: Does your risk tolerance framework lend itself to ERM and operational risk decisions?

With data-driven and transparent risk tolerance statements that clearly align with financial objectives, the business can look to connect enterprise risk management (ERM) and operational risk considerations within a best practice risk governance framework.

Some organizations are still incorporating impact scales that are arbitrary and qualitative into their risk governance frameworks. By moving to explicit, data-driven and transparent risk thresholds, your organization can better categorize and prioritize risks so the business can confidently make the big calls on the decisions that drive growth without impacting financial resilience.

To discover smarter ways to define risk tolerance and elevate your risk management with WTW’s expertise and Risk Tolerance Clarified, get in touch.


Director, Core Analytics

Engagement Lead, Core Analytics

Global Head of Core Analytics
