Home > Audit, Compliance, Cyber, Governance, GRC, IT, Risk > The continuing failure of the risk appetite debate to focus on desired levels of risk

The continuing failure of the risk appetite debate to focus on desired levels of risk

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which that I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

  1. Jim DeLoach
    March 24, 2014 at 8:00 AM

    Norman, thanks for referencing my CCI article. I agree completely that failure to cascade downward the risk appetite statement into the organization in the form of risk tolerances that can be operationalized day to day is not the intended result. I believe it is important to differentiate between risk appetite and risk tolerances, because the former is a strategic conversation at the highest levels of the organization and the latter is the more tactical application in managing performance. Risk tolerances are a separate conversation from the risk appetite dialogue in the board room.

    Regarding floors and ceilings, that is an interesting observation. My view has always been that the strategy sets the implicit floor for taking risk and risk appetite sets the ceiling. To me, that is a real world view. If we can make floors (as well as ceilings) more explicit in a risk appetite statement, fine. But I think the ceiling is the more critical issue. I view the combination of the strategy and risk appetite statement as an effort to define what I call the “strategic sand box” within which the CEO operates. Therefore, through the risk appetite statement, the board doesn’t tell the CEO what to do, but what not to do. David Koenig described this concept as a “constructive ring fence” around corporate behavior, and that metaphor captures what I’m getting at. The recent COSO-sponsored paper I co-authored focuses on this important point.

    Risk appetite must be defined in the context of the strategy. It is the only way it will be relevant to executive management and the board. Risk appetite serves as a tool for balancing the strategic pursuit for creating enterprise value with the need to protect enterprise value. Considering risk appetite in a strategic context clarifies its purpose in strategy setting. If one accepts the view that the risks inherent in the strategy are already pushing out the risk-taking boundaries, this is not accentuating the negative.

    BTW, the issue of taking or avoiding risk will not be solved via a risk appetite statement. That issue must be addressed through the strategy and is cultural in nature.

  2. Norman Marks
    March 24, 2014 at 8:36 AM

    Jim, we could spend a lot of time debating this. I agree with the idea that boards need to set “a “constructive ring fence” around corporate behavior”, but that ring fence needs to do more that provide a lid against excess causing the pot to boil over. It needs to ensure there is sufficient heat to cook the meal.

    The COSO definition of risk tolerance is a strange one. How can you have an acceptable variation from objectives – doesn’t that mean that your risk tolerance is your true target?

    I much prefer the concept of risk criteria and a desired level of risk.

    On the topic of strategy setting the floor, I don’t think executives see it that way in the real world (although it appears as if my real world is different from yours). In my experience, when executives set strategy they are focused on a target in the (blue) sky; they are not checking to see that the heat is high enough.

    As I mentioned in an earlier blog post (referenced above), I look for a definition of desired risk that satisfies the board’s need for overall, organization-wide control, as well as guidance to the managers taking risk every day.

    You won’t control risk-taking if the procurement manager doesn’t know whether he should allocate sourcing of a critical component among three or five vendors. or a credit manager doesn’t know whether he should extend a customer a credit limit of $50k or $100k.

  3. Jim DeLoach
    March 24, 2014 at 1:45 PM

    Agree this topic bears further discussion. Part of the issue I see is agreeing on the problem(s) we’re trying to solve and that is framework neutral. As I have said before, other than the different nomenclature, I don’t see much difference between COSO and ISO 31000 (or BS 31100) frameworks when viewing them through the lens of a CEO or director. Whatever works best for a particular individual is fine with me.

    Regardless of the framework used, the following issues present themselves.
    (1) What is the nature of the risk appetite dialogue a CEO and his/her executive team should have with the board to support the board’s risk oversight process?
    (2) How do you drive that discussion down into and across the organization so that it impacts the desired behavior?

    These two problems are interrelated, so as you pointed out in your blog it is frustrating when progress on (1) leads to no results with respect to (2). They relate to (in your words) the “desired risk that satisfies the board’s need for overall, organization-wide control” as well as providing “guidance to managers taking risk every day.” My CCI article discussed (1) and not (2). While I like the ISO 31000 concepts of risk criteria and a desired level of risk and have used them in practice, I have found that if you use them you still are faced with the above two issues. Neither framework spells out exactly how this done.

    FWIW, I associate the extent to which the procurement manager allocates sourcing of a critical component among alternative vendors or the limit structure a credit manager uses to extend customer credit as illustrations of solving (2) (the second problem). I would think the dialogue at the board would be more strategic, e.g., do we want to squeeze out costs in our supply chain to the maximum extent to increase our profit margins or do we want to hedge our bets with inventory buffers, alternative vendors and other “costs?” Whether it’s three of five vendors is a more tactical operational decision. The strategic question is what appetite do we have for exposure to business continuity risk versus performance gap risks with competitors? Since the Japanese tsunami, more companies are asking that question. The number of vendor alternatives may find its way into the color commentary, but won’t be the focus as it would in providing guidance to procurement. The specifics on limit structures are a management discretion. The strategic issue is the quality of underwriting standards versus the company’s market share and revenue objectives. Again, the specific limits could find their way into the discussion among other things like quality attributes and concentration limits. All COSO tried to observe is that strategic conversions are different from tactical ones; therefore, the emphasis on risk appetite and risk tolerance as two separate concepts (just as the two problems above are separate but interrelated issues). I don’t know why that is “strange.”

    To your question, risk tolerance is not your true target. There are two examples of risk tolerance IMV – your tolerance for losses (loss exposure) and tolerance for performance variability. Regarding performance variability, when you target an expected goal around an objective – whether it’s a budget, time of delivery, customer satisfaction, etc. – you also can set a target for upside (a “stretch goal”) as well as for downside (acceptable performance that falls short of the expected target) providing an acceptable range of performance variability. You manage to the upside, formalize an internal plan based on the expected target and provide external guidance considering the downside. If there is no range of acceptable performance, that means that management has in essence chosen to manage toward a single point estimate – a fool’s errand in today’s environment. Performance variability simply recognizes the range of acceptable performance. Stretch goals are a useful tool for driving higher levels of performance so long as they aren’t abused. If you exceed them, management should understand why in the context of understanding “how we are making money.” Discounted guidance takes into account the downside reflecting the uncertainty inherent in the business plan.

    With respect to “strategy setting the floor,” I didn’t intend to suggest that was the focus of strategy setting. When you raised the floor concept above, I thought that was already implicit in the strategy. We’re talking about risk, right? I agree with you that strategy focuses on aspirational targets, and that is why we need a discipline around “are we taking on too much risk?”

    I wrote this out on a plane, so I am sorry for the length. I’m signing off on this exchange, so I’ll let you have the last word. This would be a great topic for our next dinner.

  4. Norman Marks
    March 24, 2014 at 2:56 PM

    Jim, I will just make one additional comment and then leave the field for others to weigh in.

    I don’t think this should be considered as a “risk appetite” discussion. When we separate the management of risk into a silo that is separate from effective strategy-setting, performance management, decision-making, and everyday running of the business we are creating a problem.

    I would prefer to frame the discussion around how individuals across the organization can be guided to make the decisions, with due consideration of uncertainty, that the board and executive management want them to take.

    I look forward to our next dinner!

  5. Jim DeLoach
    March 24, 2014 at 3:29 PM

    Again, as I pointed out in my article and in everything else I’ve written, the strategy is the context for the risk appetite dialogue. I do not want anyone to think I support isolating the discussion into a silo. And to provide guidance to everyone else in the organization, the board and executive management must first come to a meeting of the minds as to what that guidance is. The trick is how granular can you make that conversation. If this is a single question to address in your view, I better understand where we differ in our respective views.

  6. Norman Marks
    March 25, 2014 at 8:04 AM


    Please consider re-reading my earlier post on “Just what is risk appetite and how does it differ from risk tolerance” at https://normanmarks.wordpress.com/2011/04/14/just-what-is-risk-appetite-and-how-does-it-differ-from-risk-tolerance/.

    As Jim referenced, COSO describes risk tolerance as follows: “Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”

    It continues with: ““So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”

    The flaw (IMHO) is that something that might “put its performance levels below 88%” is the effect of an uncertainty, but we don’t know what likelihood of such an effect is acceptable.

    Is it acceptable to take a risk that presents a 2% likelihood that performance might drop below 88% but would cost an inordinate amount of capital to mitigate its effect?

    Is it acceptable to take a risk that presents a 2% likelihood that performance might drop below 88% but has a 20% likelihood of delivering an outcome at the 97% level?

    As COSO defines it, risk tolerance is effect only and not the likelihood of such an effect.

    My primary point, though, is that if we don’t provide guidance that helps decision-makers take the right risks every day, where they understand how their decisions affect organization-wide risk levels, there is no assurance that the organization as a whole is taking the risks the board and top management want taken.

    So where are the commentators?

  7. John Fraser
    March 25, 2014 at 10:15 AM

    “Fools rush in where Angels fear to tread”. I sometimes worry that after ten years these discussions seem like “…angels dancing on the head of a pin..”. Anyone who is new to ERM would read the above and walk away totally confused and frustrated. Not that some statements are not correct or helpful, but at the end of the day the vast majority of people struggling to implement ERM, which seems conceptually to make sense, have difficulty translating the notions above into practical reality. This is why ISO 31000 threw these convoluted terms (T&A) away and settled on ‘risk criteria’ to help make RM more practical and doable. The financial regulators are carving their own vision of RM creating ‘risk appetite frameworks’ and ‘risk appetite statements’ that immediately then plunge into “limits”. I am thankful I started my ERM journey when the ERM world was a simpler place.

  8. Norman Marks
    March 28, 2014 at 9:53 AM

    Please see this article on a new study of risk management at banks: http://www.futuresmag.com/2014/03/27/banks-developing-new-best-practices-in-risk-manage

    It includes this statement:

    “Banks think their risk appetite statements are adequately defined, but concede that these statements are neither well-integrated with core planning processes, nor fully cascaded throughout the organization with actionable key performance indicators (KPIs). For example, more than half of the banks still do not cascade credit and/or market risk metrics beyond the business-unit level.”

  9. Jim DeLoach
    March 28, 2014 at 9:59 AM

    The results of the study should garner attention. If risk appetite statements are an appendage to strategy setting and are not driven downward into the organization in the form of actionable tolerances and limit structures, the whole exercise is misguided. I think everyone agrees on that point. Regulators have been saying for some time time much improvement is needed in FSI. This presents an opportunity.

  1. March 23, 2014 at 8:01 PM
  2. March 24, 2014 at 5:10 AM
  3. April 30, 2016 at 3:31 PM
  4. March 12, 2023 at 2:07 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: