A huge problem with risk appetite and risk levels
COSO’s ERM Framework defines risk appetite in a way that many have adopted:
“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”
The problem I want to discuss is whether there is such a thing as an “amount of risk”.
The traditional way of assessing a risk is to establish values for its potential impact (or consequences) and their likelihood. The assessment might also include qualitative attributes of the risk, such as the speed of impact and so on.
But, for many risks there is more than one possible impact, with varying levels of likelihood.
Take the example of an organization that wants to expand and sell its products in a new country. It has set a sales target of 10,000 units in the first year, but recognizes not only that the target may not be reached but that, if things work well, it might be exceeded.
If the sales target is not reached, the initiative will result in a loss of as much as 500 units of currency. The likelihood of that loss is estimated at 5% and is considered unacceptable. There is also a 10% likelihood of a 250 loss, also unacceptable.
Management decides to treat the risk through a number of actions, including advertising and the use of in-country agents, which should reduce the likelihood and extent of losses. However, the cost of these actions will reduce the profits achieved when sales reach or exceed target.
The chart below shows the distribution of possible P&L results, both before and after treating the risk.
So there is no single “amount of risk”. There are many possible outcomes.
It is not sufficient to place a value on the distribution of all possible outcomes and compare that to some other value established as the acceptable level – because some of the points may individually be unacceptable and require treatment.
In this example, management has decided that the likelihood of the greatest levels of loss is unacceptable. If they had reduced the array of possibilities to a calculated number (perhaps based on the area under the curve), they probably would not have considered whether each possibility was acceptable and would not have taken the appropriate action.
Knowing whether the possibilities are acceptable or not, and making appropriate actions to treat them, is critical. A single “amount of risk” fails that test.
We could take this discussion a lot further, but I will stop here. What do you think?