I have been writing about the tough topic of risk appetite for a long time! Here’s a partial list of my blog posts, which go back to 2010.
- Compliance and risk appetite – July, 2015
- A huge problem with risk appetite and risk levels – May, 2015
- Auditing risk appetite – September, 2014
- My tolerance for risk appetite is fading – June, 2014
- Just what is risk appetite and how does it differ from risk tolerance? – April, 2014
- The continuing failure of the risk appetite debate to focus on desired levels of risk – March, 2014
- What is your risk appetite? – September, 2013
- The tricky business of risk appetite: a check-the box chimera or an effective guide to risk-taking – August, 2012
- COSO contributes to thought leadership on risk appetite – January, 2012
- New guidance on risk appetite and tolerance. I like some parts, disagree with others – September, 2011
- An effective risk tolerance, appetite, criteria etc. statement – May, 2011
- A discussion of risk appetite by thought leaders – November, 2010
- Food for thought on risk appetite – February, 2010
Yet, I am still searching for examples of organizations who have done this well – and by that I mean establishing desired levels of risk for the enterprise as a whole that lead to the best business decisions at all levels of the extended enterprise.
Last week, in Chicago, Richard Anderson and I debated this point. He thinks it is being done, but I have significant doubts.
In a few weeks, we will debate this again with a group of practitioners and thought leaders at RiskReimagined London. (Spaces are still available.)
Why am I still searching?
Let me see if I can explain the predicament.
Example 1: we manage a company that grants loans to small businesses across the globe. We set a risk appetite statement that says that we want to take risk that is ‘valued’ at between $100 million and $200 million. It’s a range because if we don’t take enough risk, our profits will suffer. $100 million is the lowest we can go if we are to break even. If we take too much, we may suffer losses that cannot be sustained comfortably and we have defined ‘too much’ risk as $200 million.
We have five offices that grant loans: in Sydney, London, San Francisco, Buenos Aires, and Singapore. In each, five managers approve new loans.
In any of these five, a single manager oversees all the loan approvals and can make sure that his office stays between $20 million and $40 million. We have cascaded our enterprise range and set an allocated range of risk to each office. Some call this ‘risk tolerance’, although that is not how COSO describes risk tolerance.
As a result, the company as a whole will stay between $100 million and $200 million.
But while we are ‘safe’, we have not optimized our results.
Our ideal level of risk will typically be nearer $200 million than $100 million.
How likely is it that we will obtain an enterprise level of risk of, say, $180 million?
Even if everybody is communicating often and openly, it is unlikely.
If Buenos Aires can only sell $30 million and London $25 million, then the other three will have to sell a total of $125 million. That is more than the allocated $40 million they each have.
OK, if one person approves all loans, then it may be possible to get to $180 million. But that level of bureaucracy would slow the company down and make it highly inefficient – damaging customer satisfaction. Remember, customers want quick decisions made locally.
In this example, the risk appetite statement may prevent the company from taking an unacceptably high level of risk, but will it drive optimal performance?
Rather than driving the right decisions and proactively taking the desired level of risk, management can only see total enterprise risk levels after the fact.
Note that I set risk appetite as a range. That is not common. If a low end is not set, will this company survive? Each location could consider it is safe to be much lower than their allocated risk level.
Example 2: this time, our business operates gas stations. We are considering purchasing three more stations. We have set a risk appetite for our total level of oil spill cleanup and remediation at $25 million and our current exposure (based on the stations we already own) is $15 million.
We perform a risk assessment for each of the three potential acquisitions. The level of risk at the first is $5 million, the second is $8 million, and the third is $12 million.
The risk manager decrees that acquiring the third would take us over our risk appetite and we should, instead, focus on the other two.
The problem is that, like most risk managers, he is only considering the downside.
If we look at the potential profit to be earned at each of the three, we find the numbers are: $5 million for the first, $10 million for the second, and $20 million for the third.
Which is the wise decision?
Although the first station is within our risk appetite, an acquisition seems to make little sense from a business point of view.
The second may make sense, but only if the total of all risks relating to the acquisition would not only be lower than potential profit but would deliver an acceptable rate of return on our investment. There are probably other factors that would go into the decision.
While the risk manager wants to eliminate the third based on the risk appetite statement, the potential for reward is huge! Perhaps the risk appetite statement should be increased so we can take advantage of the significant increase in profits. In fact, the increased level of profits might well increase our ability to sustain a loss.
Making decisions based only on the potential for harm is not good business decision-making.
Decisions should be made based on the full picture of all the things that might happen.
The upside possibilities should be identified and evaluated in the same way as the downside, otherwise how can management know they are making informed and intelligent decisions that will drive the organization to success?
These are just two examples. I am sure you can come up with more.
Or, can you share how risk appetite statements enable informed and intelligent decisions that enable success? I suspect that all they do is prevent harm rather than enable decisions that lead to taking the right level of the right risks.
I welcome your comments.
How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer.
I am not one of those people.
While I agree that procedures performed by the CAE and his team to assure quality are important, and that an independent quality assurance review should be performed every so often, I am not persuaded that they do enough to assess effectiveness – and especially whether internal audit is provided all the value it should.
Who receives the value from internal audit? The answer is that the board (perhaps via the audit committee) and top management are the primary customers. Other customers include operating management, the external auditors, and (often) the regulators.
The only way that effectiveness and value should be measured is through the eyes of the primary customer.
Do we simply ask them whether internal audit is effective and providing value? Do they even know what internal audit should be delivering?
Maybe they have heard that internal audit provides assurance and value-added advisory/consulting services. But what does that mean? How much should they expect?
Some years ago, I asked the chair of the audit committee how we were doing. His answer was that we “helped him sleep through the night”. I believe that’s a clue.
Later, I asked the two presidents of our major divisions the same question. The first said that “you have yet to perform an audit that I wouldn’t gladly pay for”; he also told a visiting state governor that “internal audit gives the company a competitive advantage”. The second president told a visiting state attorney general that “internal audit helps keep the company efficient”.
These are also clues.
Others lie in work by Deloitte and Ernst & Young with respect to risk management. Deloitte asked board members and executives whether risk management “helps then set and execute on strategy”. That is a very perceptive question that strikes to the core value of risk management. Ernst & Young says that “effective risk management gives leaders the confidence to take risk”. I like that very much as well!
So what is the question that we should ask board members and executives about internal audit?
How about this?
Does internal audit provide you with the assurance you need to have confidence in the ability of the organization’s people, processes, and systems to lead the company to success? Where there are opportunities to improve, do they provide actionable information that enables you to make the appropriate changes?
Note that I didn’t mention either risk management or internal controls. Both are included, essential enablers, of effective systems, processes, and so on.
I don’t want to ask them questions about risk and controls. I want to ask whether our work helps them be more successful.
What is the question you would ask?
Do you like mine?
What do you think the typical answer would be from board members and executives?
Is there a similar question that the board should be asked about the CEO and CFO?
 For more internal audit stories and how I came to my views about internal audit effectiveness, please consider World-Class Internal Auditing: Tales from my Journey
One of the studies I have referenced for a few years has been updated. The ERM Initiative at North Carolina State University has released the 7th edition of The State of Risk Oversight: An overview of risk management practices.
The principals at the ERM Initiative, Mark Beasley in particular, have been active in the ERM area for a number of years. From what I can tell, they have been primarily associated with and involved in the COSO view of risk management rather than that of ISO (the 31000:2009 global risk management standard).
I have been using a sad statistic from the 2010 edition of this publication, which reported that only 3.4% of respondents believed their risk management program was “fully mature”. This number is essentially unchanged at 4% (the latest edition is based on responses to a survey in 2015).
However, respondents are not provided with a definition of “fully mature”- or at least one is not provided in the report.
Instead, respondents define for themselves what a “complete” risk management program entails (another survey uses this as the highest level of risk management maturity) or when it is fully mature.
COSO ERM goes further than, from what I can see, the ERM Initiative surveys. The survey asks about the frequency with which a list of top risks is reviewed and how often it is updated (very few indeed do it monthly or better). But it doesn’t talk about whether the consideration of risk is embedded into decision-making across the organization, which COSO ERM does. Nor does it address whether risk management “helps an organization gets where it wants to go” – another COSO ERM statement, which recognizes that risk management is about more than avoiding hazards and threats.
So what are we to make of this?
There seems to be growing pressure from boards and regulators to improve risk management practices, and there is every reason for them to be concerned at the current state! Yet, little progress is being made. 4% self-report that they have fully mature risk management, with larger companies (revenues greater than $1bn) at 9%.
Will this study make a difference?
I doubt it.
The emphasis has to move towards whether, as Deloitte has said, risk management is helping an organization set and then achieve its strategic goals.
Focusing on risk management as a silo, separated from the rest of effective management of the organization, is not going to persuade boards and executives (the latter are clearly reluctant to invest in what is seen as a compliance activity) to move the practice forward because it is an essential element in informed, intelligent decision-making.
Let’s start talking about effective management that includes risk management.
When will we get a survey on that?
My thanks to the 232 people who answered my short survey.
I wanted to know how many have shifted to basing their audit plan on risks to the enterprise (perhaps linked to their organization’s ERM program); how many remain with the traditional approach of addressing risks to individual processes, business units, or locations; and how many are somewhere in between.
As a reminder, in the traditional approach, an ‘audit universe’ is built, listing all the organization’s business units, divisions, locations, processes, and so on. That list is then ‘risk-ranked’ using attributes such as revenues; assets employed; number of employees; complexity; time since last audit; severity of issues in last audit; whether new systems have been deployed; whether new management is in place; and so on. The entities that rank highest are included in the audit plan. Prior to each audit, a second risk assessment is performed to identify the more significant risks to that entity.
The enterprise risk-based approach starts with understanding the risks to the organization’s objectives and strategies. The risks disclosed in regulatory filings are considered, as are major new initiatives approved by the board. If the organization has an enterprise-wide risk assessment in place that can be relied upon, it is usually a major driver. The goal is to identify the more significant risks to the successful achievement of enterprise goals, objectives, and strategies. It is more of a top-down approach. When individual risks are considered, such as privacy, cyber, or reputation risk, they are assessed based on their potential effect on the organization as a whole.
Here are the results.
- 11% Risks to the enterprise
- 15% Risks to individual auditable entities such as processes, locations, business units
- 32% A combination of the above. but more enterprise risks
- 42% A combination, but more at the process business unit, or location level
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization.
Somewhat more have weighted their plan towards the micro level than the macro level.
So what does this all mean?
My personal assessment is that this reflects solid progress from the traditional (i.e., micro level) towards the enterprise risk-based approach I advocate. But room for improvement remains .
While I agree that certain ‘micro’ risks need to be addressed in audit engagements, I believe that is because they are important to the enterprise as a whole – in other words, although the source of the risk is ‘micro’, I would actually call them ‘macro’ risks. For example, the safety of workers at a single factory might be considered a micro risk. But, I would include a related engagement in the audit plan if I believed that a failure to manage safety risk in that single factory represented a significant risk to the enterprise as a whole. I would not address it otherwise (absent other factors, such as a request from the board or CEO), because there are always more significant (to the enterprise) risks than I have resources to address.
So, I think the results are encouraging.
Hopefully, this will trigger the consideration of the enterprise risk-based approach by those with a more traditional methodology. Let’s audit the risks that matter to the leadership of the organization, what KPMG calls “critical risks”. If we don’t do that, the value gap between board and C-suite expectations (that we provide advice, insight and assurance on the issues they face as they lead the organization) and what IA delivers will persist.
I also believe that The IIA Standards Board should review its risk assessment standards. Do they support the enterprise risk-based approach, or are they only directed towards the traditional methodology. I believe that when they say that a risk assessment should be done for every engagement, focused on risks to the entity being audited, they are falling behind emerging best practices.
I welcome your comments.
I like stories and metaphors to help me convey a message. In fact, my book on internal auditing is a collection of stories.
This time, I am going to use a metaphor involving the board game of Monopoly to illustrate how I feel about risk management.
The players compete to win by either having more money when the game ends (if there is a time limit) or by being the only one left standing after all the others have gone bankrupt.
Let’s imagine our executive team is playing a game against its main competitors.
The CEO is focused on the goal – making as much money as possible and taking advantage of the opportunities that may arise as the company’s shoe (my favorite piece) lands on properties that are for sale, competitors go bankrupt and have to dispose of their assets, passing Go and so on.
But, the company has a traditional Chief Risk Officer (CRO), whose name is Cassandra. Like the lady in Greek mythology, Cassandra is always looking into the future and seeing all kinds of dire things happening.
Cassandra provides the CEO and his team a list of the “top risks”. They include:
- If you land on a property owned by a competitor, you will have to pay rent. The rent will depend on the property itself (some are far more expensive than others) and how many houses or hotels have been built by the owner.
- If you land on certain squares, you may go to jail and then have to pay a fine to be released.
- If you land on a few other squares, you will have to draw a card with payments due that could be substantial.
- If you run out of cash, you will either have to sell hotels or houses, sell or mortgage properties, or go bankrupt.
As an experienced Monopoly player, the CEO’s reaction is dismissive. “I have been playing this game for a long time and you are not telling me anything I don’t already know.”
Meanwhile, the COO is urging the CEO to play. “Double six, and we will get a strong lead on the others.”
The CEO throws the dice and the shoe lands on an unoccupied property.
“Buy!” says the Sales EVP. “The potential is huge, especially as there is a good chance that the others, who are behind us, will land on the square.”
The CFO chimes in with assurance that there are sufficient funds to make the acquisition.
The intimidated CRO is silent. Internally, she is worrying that the team will buy all the properties it can and run out of funds. After all, there are dangers ahead.
The company buys the property and she watches as the other players roll the dice, move their pieces, and buy other properties.
It’s the CEO’s turn and he throws the dice. The COO moves the shoe to another property that is for sale.
The CEO asks for input on whether the company should make the purchase. Sales nods enthusiastically, the CFO confirms the funds are available, and the COO agrees that the company has the ability to manage both properties.
At this point, the CRO’s young deputy arrives. He sees the board and hears the conversation.
“Is there value in the purchase? It’s a different group from the other property we own and a competitor already owns a location in this group. If we save our funds, we would have more available not only for the contingencies in the top risk report, but to purchase a more attractive property in the future.”
The CEO listens and beckons the young man to sit next to him. “You are talking like a businessman. That’s helpful.”
Sometime later, the company lands on the property it needs to be the owner of a whole group of properties. The CEO looks around at the team and everybody agrees they should make the purchase, which they do. The CEO then asks for advice on whether they should build any houses and, if so, how many.
Sales jumps up and down with glee and claps his hands. “Yes, oh yes!”
The CFO looks worried. “Our cash flow is not very good, working capital is low, and our building fund is only just enough to support the purchase of a total of four houses.”
The CEO looks at the CRO: “Do you have anything to say?”
“If we buy four houses, we will not be able to survive landing on any of the properties four to six squares later. We would be exceeding the risk appetite statement approved by the board.”
Shaking his head, the CEO turns to the young man on his right. “What do you think, Fred?”
Fred is surprised to hear the CEO address him with a tone of respect, calling him by his first name – which Fred didn’t realize the CEO knew.
“Of course, Cassandra is right.”
“I would add something though.”
“I think we need to look at all the possibilities.”
“First, let evaluate the potential if we acquire one or more houses. How much would the rent increase? If we purchase between one and three, the rent increase should anybody land there is modest. If we purchased a fourth house, we could put two on one property and the rent increase would be substantial. So there is a clear value in going with four over three, if we can afford it. Having said which, what is the likelihood that one or more of our competitors will land on our properties and when would that happen? Does it make sense to buy now or later, given where they are?”
“We also need to look what might happen as we move forward at our next turn. Where could we land? If we moved between four and six spaces ahead, as Cassandra says, we would be in severe trouble. The likelihood of that happening, throwing a total of between 4 and 6 with two dice, is 42%. If we avoided that trouble, we would not only be safe but the path ahead would be clear of threats for a turn or two. In fact, we would probably pass Go and collect $200 which would replenish our funds.”
“I can’t work out all the figures quickly, but I can see the CFO has started putting the numbers into a model on his laptop.”
The CEO turns to the CFO, who takes a few minutes before informing the team that if they purchase up to three houses, given the likelihood of somebody landing on one of those sites at their next turn, the model puts a value of $300 on the purchase. They would have $250 cash remaining. He also used the model to evaluate the risk that they would land on a competitor’s property at their next turn and have to pay rent. That works out to $200, so while the risk appears to be high the potential for return justifies it. The CFO says he also evaluated the value of purchasing four houses. The value rises to $500, but cash remaining would not be sufficient to handle paying rent if they had to at their next turn.
Overall, the CFO advises purchasing three houses, not four.
Sales starts to say something, but subsides quietly.
The CEO agrees with the CFO and four houses are purchased.
The game continues, but now the CEO makes sure that the debate on strategy and tactics always includes an evaluation of all the possibilities, both negative and positive. What might happen, what are the potential impacts (there are always multiple) and what are the likelihoods of each? He constantly turns to Fred for assurance that all the right questions are being asked, while relying on the CFO to ‘crunch the numbers’.
The CRO leaves for lunch, but nobody notices.
Quietly, Fred takes the list of top risks. As each player throws the dice, moves, and actions are taken, he re-evaluates each of the top risks. When it is the company’s turn, he makes sure that the current levels of all threats – and the current levels of all opportunities – are taken into consideration.
This way, the CEO and his team continually make decisions that are informed by an understanding of the current level of risk, the potential effects of what might happen, good and bad, as they slowly but steadily win the race.
Now this is simplified (and I am not an expert Monopoly player).
Life is far more complex.
But the principles still apply:
- Risk is changing dynamically.
- Every situation and every event presents multiple potential effects, some of which may be positive and some negative. In fact most situations and events have multiple effects that can occur at different times.
- Both the positive and negative effects have to be assessed based on their potential effects and the likelihood of that effect.
- To win, whether in life or a board game, you need to make intelligent, informed decisions.
- Every decision changes the state of the game, including the level and nature of risk.
- You need to keep your eye on the goal, not focused on the threats to the extent that you are paralyzed with fear and unable to decide to take a risk when it is necessary.
- To be effective, a CRO must play on the team, helping the CEO and others make intelligent and informed decisions. The goal is NOT to minimize or mitigate risk. It is to WIN by taking the right level of the right risk.
- It’s not enough to play on the team. You have to be seen as playing on the team, with the same goal.
- Don’t be Cassandra, who may be ‘correct’ but is not seen as essential to success.
Join us for a discussion on effective risk management later this month or in May. Details here.
I need your help.
A couple of weeks ago, I chatted with representatives from the IIA Standards Board and IIA staff about their proposed changes to the Standards.
Unfortunately, they feel that few internal audit departments have moved to what I call enterprise risk-based internal auditing – auditing the risks that are critical to the success of the organization as a whole, rather than micro risks at the process or location level. So, no change in risk assessment guidance is planned at this time.
Please take a couple of minutes and answer the single-question survey at this link. I am hopeful that it will help us move the profession forward and close the value gap between what IA does and what stakeholders need. (See here for more on that topic.)
This week, I was privileged to speak at the 2nd Caribbean Risk Management Conference in Trinidad and Tobago. It was attended by decision-makers from all sectors of the economy, from large public companies to entrepreneurs in the local fashion industry to the heads of government agencies.
My ego was stroked nicely when the opening speaker, the Minister of Trade and Industry, talked about effective risk management enabling her agency to set the right policy and take the right steps – in other words, making informed, intelligent decisions rather than simply avoiding threats and other harms. She stunned me when she quoted from my book, World-Class Risk Management.
Later, I was on a panel when an attendee asked how she should rate risks. One of my co-panelists, a highly-respected practitioner with more than 20 years’ experience, responded by recommending a red-yellow-green set of ‘traffic lights’ to illustrate which are high, medium, and low risks. He agreed with the concept of rating risks based on their level (qualitative and quantitative).
My answer was different. I pointed out that risk is the effect of uncertainty on objectives, and that we need to assess risks not on their level alone, but whether that level is acceptable. Unfortunately, there was insufficient time to expand on this thought.
So, let’s do so now.
Why do people take risks?
I think there are two aspects to this. One is the culture of the organization and the inclination of the individual making the decision whether or not to ‘take’ the risk. Richard Anderson will expand on this point at Risk Reimagined in April and May. (Seats are still available at both the Chicago and London venues.)
The other involves understanding that people take risks because they believe there is more ‘upside’ than ‘downside’.
- We drive to work, which is taking a risk, because we need to earn a living.
- We invest in a mutual fund, which is taking a risk, because we anticipate a positive return on that investment.
- We hire a new staff member, which is taking a risk, because we need work to be completed.
We decide whether or not to take a risk based on more than the level of risk involved.
- Would you buy a lottery ticket for $10 when there is a 5% chance of winning $100? Probably not – unless you are an inveterate gambler.
- Would you buy that lottery ticket for $10 if there was a 5% chance of winning $1 million? Probably yes, unless you are violently opposed to gambling.
In the first instance, we might say that the level of risk ($10 * 95%) is not acceptable. But in the second, while the level of risk is exactly the same, it would be acceptable to most people.
Rather than report risks based on their level, we should report based on whether their level is acceptable.
This is why, in my book, I recommend that boards and top management receive risk management reports that help them understand the aggregate level of risk to each objective. That way, they know whether they need to act, such as changing strategies or even the objectives themselves.
Now, I agree that the level of risk can be useful in deciding how to allocate funds to their mitigation. But, assessing risks without the context of enterprise objectives may well lead you to (a) take the wrong risks, and (b) mitigate the wrong risks.
I welcome your thoughts.