My tolerance for risk appetite is fading

It is amazing to me that one of my most popular blog posts every month is “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!

In that and several subsequent posts (notably “What is your risk appetite?” from September 2013, “The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?” from August 2012, “COSO Contributes to Thought Leadership on Risk Appetite” from January 2012, and “New guidance on risk appetite and tolerance” from September 2011) I have expressed my preference for the concept of “risk criteria” used by the ISO 31000:2009 global risk management standard.

I have also said, over and over again, that unless and until any statement of overall organizational risk appetite is linked to guidance that enables decision-makers across the organization to take desired levels of risk, the idea is not working.

In fact, making people believe they have effective risk management because they discuss a point-in-time list of so-called “top risks” and set limits for those few risks is making them believe in fairies.

It is setting them up to be surprised and for a failure to deliver success.

Now PwC has published a piece, “Board oversight of risk: defining risk appetite in plain English”.

I was hoping to see new thinking that would help organizations and their boards manage risk effectively.

Instead, while PwC says that risk appetite “is not a new concept but one that can be confusing”, I don’t believe they have succeeded in removing any of that confusion.

For example, while the piece talks about understanding an organization’s “exposure” and reducing “risk to an acceptable level”, it also points out (correctly) that organizations need to take care that they don’t take too little risk! (I am not going to bring into this discussion whether risk is the effect of uncertainty, positive and/or negative, on objectives. For purposes of this post, I am going to use the term ‘risk’ the way COSO does, as a negative with opportunity as the positive effect of uncertainty.)

I am not going to dwell on the PwC piece in detail, but instead want to bring out a few major points:

  • It is important for the board, as recommended by PwC, to understand and debate which risks the management team assesses as being the most important to monitor and address.
  • It is also important for the board, as expressed in the paper, to understand and agree with management how they will determine the type and level of risks they should and should not be taking. (You can call this risk appetite; I prefer to call it risk criteria.)
  • Even more important, and not mentioned as far as I can tell in the paper, is for the board to obtain assurance (from internal audit, preferably) that the management team has effective processes for identifying, assessing, evaluating, and treating risk as an integral part of running the business. Risk is not limited to what is included in a point-in-time list presented to the board. Risk is created and modified by every business decision, and the potential effects of uncertainty need to be integrated into every decision-making process, from the setting and monitoring of strategy and performance, to the decisions made by front-line employees every day. (By the way, I do not support in any way an internal audit of a point-in-time list of risks; that provides little assurance that management’s continuing processes for managing uncertainty across the organization are what they need to be for the organization to succeed.)
  • If all the board is doing is reviewing a static, point-in-time list of risks and determining what are acceptable levels for those risks, it is reviewing a small subset of risks that is most likely already out of date. Furthermore, its focus may be on the horizon just as the organization is about to step off a cliff. Relatively minor decisions, such as the outsourcing of maintenance and operations of an oil rig in the Gulf, will never rise to the level of board attention but can be sources of massive damage.
  • A risk appetite statement (some use other expressions, such as a risk appetite framework) has limited value if the people making decisions are not guided as to how much risk to take. All it does is create a target for a level of risk that can be compared (after the fact) to the levels of risk actually taken, but it doesn’t stop people taking more risk (or less risk) than the board and top management desire. A risk appetite statement will not tell a procurement manager whether to accept a bid from a vendor that has the lowest price but not the highest reputation for quality and reliability, whether to allocate purchases among several vendors (at collectively higher cost but increased reliability), whether to implement additional quality control measures (at a cost) to address potential quality issues, or whether to take another approach. A risk appetite statement will not tell a hiring manager whether to select the highest cost but most experienced employee, or to take the inexperienced individual who will help him stay within budget.
  • Risk appetite is not a single number. Every area is different and may well need different criteria to establish what is acceptable, from employee safety to cash flow, exchange rate exposure, customer credit risk, investment risk, the loss of key employees and customer relationships, supply chain disruption, quality manufacturing issues, data center disruption, vendor price increases, theft of intellectual property, litigation, brand and corporate reputation, capital project completion, and more.
  • Risk criteria used to evaluate and determine how to respond to risk include but are not limited to values for risk appetite and tolerance. (COSO ERM says this as well.) For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept (a) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain, (b) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $500 gain, or (c) a 20% likelihood of a $50 loss with an 80% likelihood of a $5 gain?
  • Risk criteria should include not only values for risk, but other attributes. For example, COSO’s ERM Framework says “Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” It continues with “an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.” However, in my experience managers might well be willing to accept a 2% chance that performance levels fall below 88% if there is an 80% chance that customer satisfaction might exceed 95%. Risk criteria should reflect both impact and likelihood, not just one or the other.
  • Other attributes that should be considered include the speed of onset of the adverse effect (a negative impact that hits the organization faster than it is able to respond and cushion the impact is less acceptable than one that comes at a pace that enables a considered response), the duration of the negative effect, the corporate culture and social environment, and more.
  • Risk appetite is not, or at least should not be, set in stone. For example, as the economy thrives, a company may be willing to take a higher level of customer credit risk.
  • Those responsible for making decisions – and decisions are where risks are ‘taken’ – need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
  • The consideration and discussion of risk by the board has to be integrated with its discussion of strategy. The choice of strategies should be based, in part, on an understanding and appreciation of risk. Performance and the execution of strategy are only successful when those risks, and new ones that may appear, are understood and addressed. Further, the organization should be prepared to shift strategies as risks change.
  • You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.

This is, indeed, a complex topic and boards must be extremely careful not to oversimplify.

Believing that you have effective risk management because you agree with management’s point-in-time list of so-called “top risks” and have agreed on the organization’s appetite for those risks is believing in fairy tales.

My advice is for the board to understand and become comfortable with management’s ongoing process rather than spend much time reviewing a point-in-time list of risks.

Challenge management on the points I list above. Are you satisfied, not just with the list of risks that management chooses to share with you, but that management addresses the potential effects of uncertainty as it manages the business – at all levels – every day?

Will it step off a cliff as it looks only at the horizon, the few risks on that list?

Separately, I understand that COSO is considering a project to update its COSO ERM Framework, now that it has updated the Internal Control – Integrated Framework. I support such an endeavor and suggest that they consider:

  • How managers can be guided to make risk-intelligent decisions every day.
  • Moving from risk appetite to risk criteria, so that other issues (such as speed of onset, duration of effect, and so on) are considered when evaluating risks.
  • Moving towards convergence with the ISO 31000:2009 global risk management standard. One step would be to redefine risk and uncertainty as the potential effects of uncertainty on objectives – a compromise definition I propose between that in ISO and that in COSO today.

I welcome your comments. My tolerance for risk appetite statements without guidance to enable risk-intelligent decisions is fading to black. How is yours?

  1. Graham
    June 2, 2014 at 8:23 AM

    I agree with almost everything you say. However, implementing the fact that every manager (and probably people below managers) in the organisation has to evaluate the risk impact of a multitude of decisions that they take frequently would be extremely difficult in most organisations and ‘risks’ paralysing the activity for fear of transgressing the risk criteria that have been laid down – and there are probably a lot of decisions being made which are not ‘covered’ by the criteria (or at least the person making the decision thinks this).

  2. Linda DiPaola, CPA CISA CGEIT
    June 2, 2014 at 10:11 AM

    I agree with Graham. In addition, in the “20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain” example, the 20% & 80% are usually/more easily measured after the fact; prior to, an educated guess is still just a guess. How much time/effort is management willing to spend on a guess? Unless there’s something I’m not seeing, I don’t get spending a whole lot of time on the subject. It’s too dynamic/unquantifiable/blurry for me to think of it as a science – like a blurry moving target (or a UFO!)

  3. June 14, 2014 at 1:07 PM

    Insightful comments and useful guidance (again!). Thank you, Norman.

  4. January 6, 2015 at 2:00 AM

    Interesting points. In my humble opinion risk is culturally relative, bound by consensus (similar to ‘truth’). It has dependencies from changing circumstances, making risk tolerance and risk appetite a moving feast. Risk is in the imagination of the imaginer canvassing / soliciting such consensus (collecting minds) with the aim to reach a complete understanding.

  5. May 12, 2015 at 2:30 AM

    Hi Norman

    ‘Risk appetite’ is a buzz phrase looking for a meaning and a purpose. Not only is it easy to think of phrases that are clearer, and more self-explanatory for all the meanings that people (like PwC) have tried to put on it, but the idea isn’t even popular in practice.

    A while back I did a survey of people’s views on programmes to improve risk management within core management activities. One of the questions asked people which of a list of objectives they thought were helpful for such a programme. The LEAST popular objective, with only 19% of respondents supporting it (which was very low compared to the other objectives), was managing risk down below specified limits.

    The biggest danger with the phrase ‘risk appetite’ is that it encourages people to think that decision making under risk/uncertainty is something you should do by searching your feelings rather than by looking at the objective circumstances of your company/organization. A CEO’s personal preference for high living or fame should NEVER be a factor in decision making about what is best for the company.

    Matthew Leitch

  6. Simon King
    May 8, 2016 at 4:15 AM

    Great points Norman, I look forward to the discussion next week.
