The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?
Whether you are one of those who like the term ‘risk appetite’, prefer ‘risk tolerance’, or advocate (as I do) the ISO 31000:2009 term ‘risk criteria’, this is a tough area. While regulators frequently (including Basel III and multiple nations’ corporate governance codes) require organizations to establish one, I have yet to see something that really works.
While it may be possible to establish acceptable risk levels or criteria for aggregated financial risks, how do you set such standards for reputation, strategic, compliance, political, or IT-related risks? How do you establish and then measure aggregate reputation or compliance risk across the organization? I have seen some companies set a single number, say 3% of capital, as their “risk appetite”, but how can that make sense when you are considering compliance risk? How does it help a procurement manager decide whether to use a sole source vendor of essential components, to use two and allocate each 50% of the supply, or take another approach? Surely, (a) no organization can rely on a single “risk appetite” number: you need several, each covering a different category of risk; and, (b) what counts is the ability to direct risk-takers (frontline managers) in their daily decisions as they run the business.
Attempts to solve the problem have come from:
- COSO, in a paper by Dr. Larry Rittenberg and Frank Martens
- The Institute of Risk Management, in guidance authored by Richard Anderson
- RIMS, in a paper offered for $59
- Ernst & Young
- And more
Although each has value, none have so far met my test, which I have summarized below.
To be effective, an organization needs measures (whatever you want to call them) that allow:
- The board and top management to ensure that the risks taken across the organization, individually and in aggregate, are the risks they want taken. This is extraordinarily difficult when you consider the risk decisions taken every day as part of running the business and how they interact: a decision in one area affects risks and opportunities in a distant part of the organization, and all of these decisions must then be aggregated to provide risk vision across the entire enterprise.
- Managers making decisions to understand not only the risks they are taking (and modifying), but whether they are the risks top management and the board want them to take. The issue here is applying top-level “risk appetite statements” to individual decisions. If this bridge cannot be crossed, then the entire exercise has limited value – other than cosmetically.
That’s the key for me. If there is no practical guidance for the frontline manager, this is all a chimera: a look-good, check-the-box practice that does not have any real effect on how risk is being managed across the organization.
What do you think?