
Compliance and risk appetite

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

  • Non-compliance with applicable laws and regulations: $1,000,000
  • Loss in value of foreign currency due to exchange rate changes: $1,500,000
  • Quality in manufacturing leading to customer issues: $2,000,000
  • Employee safety: $1,500,000
  • Loss of intellectual property: $1,000,000
  • Competitor-driven price pressure affecting revenue: $2,000,000
  • Other: $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

… no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality.

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

  1. susan.dallhoff@sympatico.ca
    July 18, 2015 at 5:17 PM

    Hi Norman,

    Wondered if you had published an article on risk criteria and how one established such criteria consistent with ISO30000? In the absence of being able to arrive at risk appetite (I agree that it is faulty), risk criteria would be key.


    • Norman Marks
      July 18, 2015 at 6:14 PM

      Sue, I discuss risk criteria in the book but have not written an article or post about it. The way I see it, management has to answer the question “how can we help a decision-maker know what is the right level of the right risk?” That is very specific to the situation, the nature of the risk, and the combination of potential consequences. Unfortunately, ISO 31000 doesn’t give us a lot of help.

  2. Glenn Daly
    July 19, 2015 at 7:55 PM

    Risk appetite, criteria etc (ie from a practical perspective, guidelines for people to follow when making decisions) whatever people want to call it is typically reflected in the strategy blueprints, policies & procedures, KPIs, etc that an organisation has established (assuming it is reasonably well managed). In the case of ethics programs, in many cases the “real” appetite may not even be formally documented for obvious reasons. That is, no one wants an audit trail that leads back to the Board/Senior Management, thereby (in the event of some “issue”) allowing them to cite publicly what is the company’s position as per some generic COBC etc. Some general views. Unfortunately, to some extent the formal “risk management” discipline (and that is what we are talking about here not necessarily the informal risk management that is everywhere in an organisation) has over the years been hijacked by banks/financial institutions with various self-interested parties (eg consultants) pushing certain formal risk management practices onto non-financial organisations that may not be appropriate and value adding. The development and use of Risk Appetite Statements perhaps being a good example. In fact I would go so far as to suggest that it has in many cases contributed to the value of formal risk management being undermined in such organisations as many Boards/Senior Management increasingly view the formal risk management processes set up, as simply a tick the box exercise to satisfy some Corporate Governance Code or Principles without any perceived value. Evidence of this can be seen in the Annual Reports of many companies where many outline lovely narratives about their risk management practices. Is it real? Is it even close to what they really practice? Quality of discussions in formal risk forums (eg RMCs) – meaningful or just going through the motions for governance purposes?

    Many of the so called “Risk Appetite Statements” in annual reports are so generic as to be next to useless (but they can tick the box I suppose). For those of us passionate about setting up and maintaining formal risk management processes/systems because we believe they can intersect with and integrate with the informal risk management going on every day in an organisation, it is a very sorry state of affairs. Let us forget about world class risk management. I am into basic risk management and trying to convince Boards/Senior Management that if they follow some basic formal risk management practices, they can get some value from it. How to convince them when we have external auditors/consultants telling them to adopt some formal risk management practice that adds virtually zero value? eg developing generic (no one in their right mind is going to make them specific given confidentiality considerations) Risk Appetite Statements in an Annual Report contributes to more informed reporting to stakeholders. Really?

  3. July 20, 2015 at 2:50 AM

    I believe you have said it all in the phrase, ‘the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk’. I think the effective risk appetite of a board is at the point where the perceived cost, should the risk occur, (likelihood X impact) is equal to the cost of reducing the risk.

  4. July 20, 2015 at 3:16 AM

    “Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.” I agree with this entirely. And while an organisation may rightly aspire to zero incidents of, say, illegal acts, internal and external statements of “zero tolerance” have the perverse effect of encouraging cover-ups and gaming of compliance processes.

  5. July 22, 2015 at 4:24 PM

    Thanks for sharing Norman, my thoughts as follows:

    Insurable risks are broadly measurable. Most other risks are un-measurable (in terms of likelihood and impact). Risk appetite therefore can only in very specific circumstances be expressed at a level of precise calculation.

    In the majority of cases it can only be understood in terms of bands; and then only as an aid to improving the quality of the decisions being made by boards and / or their executives. (Sadly the ‘risk appetite’ story doesn’t often penetrate beyond these levels).

    I prefer to use the term ‘risk (appetite) criteria’. The term ‘risk criteria’ is more technically sound and easier for end users to understand. I tend to include (appetite) as a fob to its common use and currency. I feel it a pity that the FSB didn’t use the opportunity in its Nov ’13 guidance to retire the term risk appetite and instead adopt the ISO term.

    The origins of the term risk appetite; and the regulatory tsunami besetting the Financial Services Sectors notwithstanding, I wonder if the term risk appetite is really helping Bank Boards communicate the desired ‘attitude’ (ISO 31000 An organization’s approach to assess and eventually pursue, retain, take or turn away from risk) to risk? Time will tell.

    I am inclined therefore to use three dimensions of expression (of risk appetite) briefly described as follows:
    1. The Risk Appetite Continuum where corporate and associated operational sub unit objectives are listed across a 5 level continuum from very high to very low ‘appetites’ for risks to stated objectives. This serves the purpose of proving and testing corporate and subsidiary objectives – risks alignments. This tends to mobilise NEDs at a practical level.

    2. The traditional qualitative risk appetite statement. Here as few words as possible (less is more) are used to articulate attitudes to certain categories of risk which undermine given objectives.

    3. The Risk (Appetite) Criteria Table which presents 5 bands (or ranges) of consequence values relative to given categories of risk.

    It’s worth reminding ourselves here that Risk Criteria is defined (ISO) as the terms of reference against which the significance of a risk is evaluated (these being based on organizational objectives, and external and internal context). So it’s NOT about precise calculation. It’s about adding to the quality of discussions and the quality of the decisions made.

    The Risk (Appetite) Criteria Terms of Reference (some might prefer the term framework), records the multiple expressions (across the three dimensions above) of preferred attitudes to risk across the enterprise. One expression won’t do as it would necessarily be very high level and couldn’t therefore of itself guide decision makers in their day to day decision making.
