
A huge problem with risk appetite and risk levels

COSO’s ERM Framework defines risk appetite in a way that many have adopted:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”

The problem I want to discuss is whether there is such a thing as an “amount of risk”.

The traditional way of assessing a risk is to establish values for its potential impact (or consequences) and their likelihood. The assessment might also include qualitative attributes of the risk, such as the speed of impact and so on.

But, for many risks there is more than one possible impact, with varying levels of likelihood.

Take the example of an organization that wants to expand and sell its products in a new country. It has set a sales target of 10,000 units in the first year, but recognizes not only that the target may not be reached but that, if things work well, it might be exceeded.

If the sales target is not reached, the initiative will result in a loss of as much as 500 units of currency. The likelihood of that loss is estimated at 5% and is considered unacceptable. There is also a 10% likelihood of a 250 loss, also unacceptable.

Management decides to treat the risk through a number of actions, including advertising and the use of in-country agents, which should reduce the likelihood and extent of losses. However, the cost of these actions will reduce the profits achieved when sales reach or exceed target.

The chart below shows the distribution of possible P&L results, both before and after treating the risk.

[Chart: distribution of possible P&L results, before and after treating the risk]

So there is no single “amount of risk”. There are many possible outcomes.

It is not sufficient to place a value on the distribution of all possible outcomes and compare that to some other value established as the acceptable level – because some of the points may individually be unacceptable and require treatment.

In this example, management has decided that the likelihood of the greatest levels of loss is unacceptable. If they had reduced the array of possibilities to a calculated number (perhaps based on the area under the curve), they probably would not have considered whether each possibility was acceptable and would not have taken the appropriate action.

Knowing whether the possibilities are acceptable or not, and making appropriate actions to treat them, is critical. A single “amount of risk” fails that test.
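To make the argument concrete, here is a small added illustration of my own (not code from the original post). It keeps the two loss points above, a 500 loss at 5% and a 250 loss at 10%; the remaining outcomes, the treated distribution, the tolerance table and the appetite figure are constructed assumptions. Collapsing each distribution to its expected value hides the tail; checking each loss level against a tolerance does not.

```python
"""Point-by-point check of a distribution of outcomes versus a single
"amount of risk". Added illustration; the 500-loss-at-5% and 250-loss-at-10%
points come from the post, everything else is a constructed assumption."""
from typing import Dict, List, Tuple

# Outcome (negative = loss, positive = profit) -> likelihood. Constructed,
# except the two loss points taken from the post.
BEFORE: Dict[int, float] = {-500: 0.05, -250: 0.10, 0: 0.15, 200: 0.40, 400: 0.30}
# After treatment (advertising, in-country agents): the tail is thinner, but
# the cost of treatment trims the upside. Constructed numbers.
AFTER: Dict[int, float] = {-500: 0.01, -250: 0.03, 0: 0.20, 120: 0.46, 250: 0.30}
# Tolerance table (constructed): losing at least `loss` is unacceptable when
# its likelihood is at least `max_likelihood`.
TOLERANCE: List[Tuple[int, float]] = [(500, 0.02), (250, 0.05)]


def expected_value(dist: Dict[int, float]) -> float:
    """The 'single amount' view: probability-weighted average outcome."""
    assert abs(sum(dist.values()) - 1.0) < 1e-9, "likelihoods must sum to 1"
    return sum(v * p for v, p in dist.items())


def unacceptable_points(dist: Dict[int, float],
                        tolerance: List[Tuple[int, float]]) -> List[Tuple[int, float]]:
    """The point-by-point view: for each tolerance row, the chance of losing
    at least that much (cumulative tail likelihood) is compared to the limit.
    Returns the breaching (loss, likelihood) pairs, empty if none."""
    breaches = []
    for loss, max_likelihood in tolerance:
        tail = sum(p for v, p in dist.items() if v <= -loss)
        if tail >= max_likelihood:
            breaches.append((-loss, round(tail, 4)))
    return breaches


def assess(dist: Dict[int, float], tolerance, appetite: float) -> dict:
    """Side by side: does the single number clear the appetite, and which
    individual loss points still need treatment?"""
    ev = expected_value(dist)
    return {"expected_value": round(ev, 2),
            "single_amount_ok": ev >= appetite,
            "breaches": unacceptable_points(dist, tolerance)}


if __name__ == "__main__":
    for name, dist in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(dist, TOLERANCE, appetite=100))
    # The untreated distribution has the *higher* expected value, so a single
    # amount compared against the appetite would prefer it; only the
    # point-by-point check shows that its tail is unacceptable.
```

With these numbers the untreated case clears a 100-unit appetite on expected value yet breaches both tolerance rows, while the treated case has a lower expected value and no breaches.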

We could take this discussion a lot further, but I will stop here. What do you think?

  1. May 17, 2015 at 7:09 AM

    Hi Norman, I am glad you decided to write on the topic. I think you are spot on. Here is my take on a risk appetite in a recent podcast: http://www.slideshare.net/AlexSidorenko/alex-sidorenko-talks-about-risk-appetite-to-riskpoint

  2. May 17, 2015 at 9:02 AM

    Hi Norman. You raise some very interesting points. As you say, many risks have a range. With some, there is a trade-off between impact and likelihood. For example, if you have a fleet of 200 buses, the likelihood that one will break down is high but the impact is low. On the other hand, the likelihood that all will break down is low but the impact is very high. If you are using impact multiplied by likelihood as a guiding figure against risk appetite, there is some compensating effect.
    However, in the example you have used, the analysis of risk is much more complex. I have known @RISK, which uses Monte Carlo simulation, used as a modelling tool by my auditors (when I was an IA manager) for checking the viability of a new business. We did recommend its use in proposals for major projects, just as we also recommended that all possible scenarios were considered (for example hit budget, fall short or exceed).
    I think the moral of your story is, ‘don’t do anything until you have evaluated all the possibilities’.

    • Norman Marks
      May 17, 2015 at 4:31 PM

      David, you make some very good points. Thanks for the comment.

      If we take your example of a single bus breaking down, the impact is not always low. What if it breaks down in the middle of a tunnel? What if the failure leads to an accident with injuries or worse?

      Also, does it make sense to consider a 10% likelihood of a $10,000,000 loss as the same as a 50% likelihood of a $2,000,000 loss? What if you only have assets of $10,000,000?

      The P X I calculation also doesn’t take into account the potential for reward – why you are considering taking the risk.

      As an aside…….

      I can remember driving along Brighton Road in Streatham one very wintry day. I looked over at Streatham Common and saw a red double-decker bus in the middle of the Common, nowhere near a road, and surrounded by snow. It made a huge impact on me – but probably not huge in terms of the effect on London Transport, whether cost or reputation.

      • May 18, 2015 at 2:45 AM

        Norman, you make a very good point about the single bus breaking down. The impact on reputation considerably magnifies any risk. (Although in the case of the bus on Streatham Common, I’m surprised it was only one. As you probably remember, they usually travel in convoys.)
        The P X I calculation is certainly simplistic and I would never advocate it for complex business decisions. I think you can distinguish between system risks (invoice paid without goods being received) where it can be used as a guide. Even with these risks I think you have to ask:
         Am I convinced the control, as specified by management, is working?
         Am I able to inform the board/audit committee that the control is sufficient to bring the risk threat to below their risk appetite? (Or my best guess as to what they will accept!)
         Will management know if the control fails in the future?

        I wouldn’t consider your new business example as a single risk. I would consider it as a process which has many risks.

        There is certainly no simple answer to the problem. Indeed I believe that the difference between a successful entrepreneur and an unsuccessful one is the ability to take the maximum amount of risk without tipping over the edge into failure.

  3. Anand Varma
    May 17, 2015 at 9:44 AM

    In my humble view, in the example given the management will have to decide either a single number or a range of currency loss that it is willing to accept as potential loss in pursuit of its objective to achieve its sales target of 10,000 units. Simply taking a negative position that a potential loss between CU250-CU500 isn’t acceptable to the entity can’t be enough to resolve determining the risk appetite amount (single or in a range). I have seen Risk Appetite Statements of international entities that have both a single amount and a range of amounts. Therefore, there isn’t an issue with COSO’s definition of Risk Appetite. RA statements can additionally include qualitative aspects, but amount(s) are a must as a minimum.

  4. Diana Borgmeyer
    May 17, 2015 at 5:51 PM

    This is an issue for not for profits and community sector organisations as the majority of risks relate to values and present many challenges in measurement and gaining agreement across the various stakeholders. The concept of setting risk appetite and tolerance doesn’t translate that easily outside of financial and capital markets. I’m not convinced that the effort in trying to establish these thresholds outside of existing financial measures really adds value.

  5. Gary Lim
    May 17, 2015 at 7:33 PM

    Hi Norman, I would like to express my views on the example quoted. I would view it as a CALCULATED risk, meaning the BOD has agreed to the venture to an overseas country, and what I know most large corporations would do is to treat it as a project, with an expected loss if the strategic risk of expanding overseas failed. Then there are 3 elements to consider:
    – duration of say 3 years
    – expected losses and breakeven point
    – exit point
    Therefore the amount of risk is how much in financial losses, say USD10million over a 3 year period; this in my opinion is KEY, others are incidental.

  6. May 18, 2015 at 12:28 AM

    I agree that there is a very fundamental point here – highlighting the need for a discussion about average risk levels but also “point” risk levels over a range.
    It gets us into the need to understand our risk modelling techniques in order to understand whether we are managing the risks in the way we hope for.. And of course we know risk modelling failed in the financial crisis..
    So it’s another angle in to your point: the models chosen to look at risk (and the underpinning assumptions about risk) are themselves a risk!
    Luckily I have seen a few HIA leads getting more into auditing models – but this is by no means mainstream in IA yet – and it needs to be!
    Finally it highlights the difficulty of the risk professionals being both advocates of risk models and able to step back and critique the weaknesses in what they are advocating.. It’s part of a wider story of professionalising risk in a way that detaches risk from business management rather than joining alongside it..
    Look forward to seeing how this one evolves..

  7. Sitti
    May 18, 2015 at 7:38 AM
    I would like to share my view. I think risk appetite can be explained as Expected Loss under Operational risk. The way they do it is to draw the Probability Distribution and find out the expected loss, which I think can be ‘Risk Appetite’ in the single amount form. (I assume that total probable profit is $100 and you accept profit at $90, so your ‘Risk Appetite’ is $10.)

    During the time, the risk amount may be over ‘Risk Appetite’ or expected loss, but it’s still acceptable because it’s still within ‘Risk Tolerance’. For example, about the bus, as you said it breaks down in a tunnel, but at midnight or on a holiday maybe it’s still acceptable. That’s why ‘Risk Appetite’ can be in the range form also. (I assume that you can lose over $10 during some period of time but at the end you may gain profit over $90.)

    Based on your story, I think we should ask the management what their target is (e.g. loss under 250-500 units) and what the period to measure the target is (e.g. month or year). I add the time in the risk statement because our perception of risk over time is different. If we heavily focus continuously during T to T+1 on an expected loss, maybe at time T+0.01 you face a loss over 250-500 units because we paid to treat the risk (e.g. marketing cost), and that leads to project termination.
    However, if we measure 1 year later, the result may change.

    Also, to ensure that we will meet the ‘Risk Appetite’, we may establish milestones to monitor the performance and find out the root cause of why we cannot reach the target on a regular basis until the deadline.

    If you say this type of ‘Risk Appetite’ as I explained does not help to prevent loss, I would like to tell you that during business operation we take both opportunity and threat. If you just look at threat, you may lose your opportunity also.

  8. Oyinlola
    May 18, 2015 at 11:14 AM

    I agree with you Norman. The issue of a perfect risk analysis of impact and likelihood to appropriate a unified risk level may never exist. Although some form of measurement and calculation may be done, the judgement is still subjective based on the angles considered.

  9. Joseph Iyofor
    May 18, 2015 at 3:37 PM

    For sure there is no perfect risk analysis as it relates to appetite, likelihood & consequence. However I think there is a good chance of having an appetite that serves its purpose when we do see it as dynamic, as every other thing including likelihood & consequence.

    So if for every likelihood & consequence we have a commensurate risk appetite, I think we will be close to having a risk appetite that will be fit for purpose & serve as a proper guide.

  10. May 19, 2015 at 11:41 PM

    I agree that it is difficult to determine a specific amount or a single figure in terms of appetite. However, the definition states “on a broad level”, so there is a good chance of working out an approximate amount. After all, risk management is not an “exact science”.

  11. michel rochette
    May 21, 2015 at 9:26 AM

    Hello, using the expression “amount of risk” is a circular statement in the first place. Risk, by definition, involves some type of amount – financial, emotional…etc..usually calculated with some estimates of probability and impact/damage, even effect if you want to go further..

    So, this COSO ERM requirement should probably be simply stated as ” Risk Appetite refers to the risk – in general – that…….using the word risk forces an entity to “calculate/evaluate it” to an extent, and your idea of analysing ranges of values – pre/post controls – is better than reducing the analysis to a single number – Ex. Averages don’t mean much, live VAR statements –

    If the intent of COSO ERM was not to encourage firms to quantify their risk appetite, they should have stated it this way. Ex. Risk appetite refers to the uncertainty that….

    That might make board members and their auditors more comfortable when they have to express a view on reasonable assurance.
