The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?
Whether you are one of those who like the term ‘risk appetite’, prefer ‘risk tolerance’, or advocate (as I do) the ISO 31000:2009 term ‘risk criteria’, this is a tough area. While regulators frequently (including Basel III and multiple nations’ corporate governance codes) require organizations to establish one, I have yet to see something that really works.
While it may be possible to establish acceptable risk levels or criteria for aggregated financial risks, how do you set such standards for reputation, strategic, compliance, political, or IT-related risks? How do you establish and then measure aggregate reputation or compliance risk across the organization? I have seen some companies set a single number, say 3% of capital, as their “risk appetite”, but how can that make sense when you are considering compliance risk? How does it help a procurement manager decide whether to use a sole source vendor of essential components, to use two and allocate each 50% of the supply, or take another approach? Surely, (a) no organization can rely on a single “risk appetite” number: you need several, each covering a different category of risk; and, (b) what counts is the ability to direct risk-takers (frontline managers) in their daily decisions as they run the business.
Attempts to solve the problem have come from:
- COSO, in a paper by Dr. Larry Rittenberg and Frank Martens
- The Institute of Risk Management, in guidance authored by Richard Anderson
- RIMS, in a paper offered for $59
- Ernst & Young
- And more
Although each has value, none have so far met my test, which I have summarized below.
To be effective, an organization needs measures (whatever you want to call them) that allow:
- The board and top management to ensure that the risks taken across the organization, individually and in aggregate, are the risks they want taken. This is extraordinarily difficult when you consider the risk decisions that are taken every day as part of running the business and how they interact, with a decision in one area affecting risks and opportunities in a distant part of the organization, plus how they need to be aggregated to provide risk vision across the entire enterprise.
- Managers making decisions to understand not only the risks they are taking (and modifying), but whether they are the risks top management and the board want them to take. The issue here is applying top-level “risk appetite statements” to individual decisions. If this bridge cannot be crossed, then the entire exercise has limited value – other than cosmetically.
That’s the key for me. If there is no practical guidance for the frontline manager, this is all a chimera: a look-good, check-the-box practice that does not have any real effect on how risk is being managed across the organization.
What do you think?