
COSO ERM explains the flaw in risk appetite statements

October 21, 2017


I really mean that.

Of course, COSO ERM 2017 pushes organizations to establish “risk profiles” (a.k.a., lists of risks or risk registers) and their risk appetite.

But if you look carefully you will see one paragraph in the COSO update that explains why devotion to compliance with a risk appetite statement can lead an organization to fail to take the right risks.

“Organizations may … choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”

In other words, stay within risk appetite if that is the right thing to do. Don’t stay within it if exceeding it is the right thing to do.

It’s all about weighing all the potential consequences before acting – not just the potential for harm.

Of course, that is what all effective decision-makers do.

Of course, that is what risk practitioners should advocate!

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to run the business and achieve success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.



What do you think?

  1. October 21, 2017 at 12:27 PM

    The COSO statement seems to be making the sensible point that when an objective has to be achieved by making a decision, that decision is made by balancing the probability of a profit against the probability of a loss over a variety of scenarios. The only additional factor to consider is the maximum that could be lost. We’re likely to be able to take a decision which, at worst would result in a 5% loss of profits (say) but not one where the maximum loss would be losing the family farm. That’s probably the only risk appetite we need to decide: whatever the potential profits, what’s the maximum potential loss we’re prepared to take? In other words we’re looking at the cross-over point at which calculated risk-taking becomes reckless gambling.
    Successful companies are not those which take risks but those who successfully predict when the probability of profits exceeds the probability of losses for the decisions they make.

  2. Jonathon from Australia
    October 22, 2017 at 8:21 PM

    Hi Norman and thanks for your post.

    Firstly – I am an appetite skeptic (I am also a heat map skeptic – but that’s tolerance which is a little off topic!)

    I’m not convinced appetite statements add a great deal of value: especially for public sector organisations whose purposes and decision rights are often defined (and confined) within laws and regulations.

    Most government organisations are risk averse…do we need an appetite statement to tell us that?

    Anyway. Your last comment interested me: “worry about whether there is reasonable assurance that good decisions are made”. In my experience (as you have pointed out in previous posts on the topic) many organisations operate outside appetite as there is a net benefit, or little choice. This may leave them feeling nervous, but with resource constraints, that’s the operating reality.

    So am I right in understanding – the key is for organisations to design great systems for decision making? With that, the senior cohort of an organisation needs assurance systems that risk-taking is done prudently, not recklessly? If so, we don’t need risk, quality, stakeholder or compliance frameworks. We just need a great decision-making framework that also deals with the varied complexity of decisions (I’m thinking of Cynefin here).

    Lastly – I think a discussion about appetite does have value, and has potential to reveal different attitudes between people in an organisation to harm and good. Appetite can also narrow the divergence between directors, senior executives and the workforce (I’m not sure this is ever evaluated though!)

  3. Karen Avery
    October 23, 2017 at 8:33 AM

    Thanks for the post, Norman. My two cents appear below. I too am a skeptic when it comes to appetite and tolerance as I feel like I have seen more of the bad than the good in terms of how it has been applied. At a minimum, I agree that the discussion can be helpful. Enabling better decision making requires a shift in the mindset of a risk executive. Instead of programs, mitigation and controls, it requires situational thinking, predictive analytics and a framework that supports this. It’s a strategy risk framework applied to the big changes an organization is making as part of their strategy or that which is imposed upon them. In many organizations, risk is misaligned and as such, even with a framework, it would be difficult to enable true decision making from an opportunistic point of view. If you think about the focus for business strategists, it’s growth, profit and balancing profit and cost, while operations is often focused on performance, inventory mgt, capacity planning, etc. Risk management is focused on internal programs, assets, controls and mitigation. It is difficult to connect the three when they have a different focus and are leveraging frameworks that support their individual agendas. I do see business execs (growth leaders) applying strategy risk sometimes without the aid of risk management, focusing on specific strategic changes.

  4. Ross Liston
    October 24, 2017 at 12:55 PM

    Hi Norman.
    Thank you for your post. I support some of your argument, with the following caveat: Most organisations I engage with on ERM have a complete lack of appreciation for the ‘formalities’ of risk management. For such organisations discussions regarding ‘risk appetite’ help to raise their awareness of how they intend to respond to a risk they might face.
    Two key themes emerge when talking to ‘appetite’ with such organisations:
    1) Articulation of appetite typically differs between the opinion of individual board members/executives and that of the board/executive group as a collective. This may lead to a potentially diluted average measure, but it does create shared understanding and a degree of alignment which they can work to.
    2) Appetite is useful as a ranking measure, particularly when a group of risks is being considered, i.e. it helps to show which risks the organization has a greater or lesser appetite for.
    I will say, there are some risk appetite applications that I am uncomfortable with, namely its application for health and safety risk, and the follow-on representation thereof on a heat map as a ‘target’ risk level. Since certain safety risks will always have a potentially high consequence level (viz. a fatal outcome) it is near impossible to have ‘zero’ as the safety risk appetite. As a result it is improbable that this target will be achieved; thereby undermining the ‘value’ of the risk appetite concept (or at least the mapping thereof in a traditional heat map).
    Thank you again for your insightful and thought provoking opinions on risk.

  5. GSosbee
    October 26, 2017 at 9:21 AM

    While I agree with and support Norman’s last three paragraphs, I am afraid they do not survive the “in reality” check. The Board is the group that sets the standards (such as risk appetite). Otherwise management will go along applying a risk appetite that fits the outcome they desire. Inevitably this will lead to a decision that backfires, resulting in the Board asking, “Why did you risk the company on that?” That is not a fruitful discussion for anyone.

  6. John Fraser
    October 31, 2017 at 7:26 AM

    I had hoped from your title that COSO had pointed out that risk appetite statements were generally a waste of time. They were introduced by the Financial Stability Board following the 2008 credit crisis as an attempt to show they were taking action. Almost all I have seen are of little value, e.g. “We will not accept any risk that harms our reputation.” The only benefit I can see is if they generate meaningful ‘conversations’ about risk criteria (see ISO 31000). My belief is that they probably give the board a false sense of having done something meaningful but do little to actually help manage risk.

  7. November 7, 2017 at 2:31 AM

    Appetite is a difficult concept to explain at the best of times. I think the key is having well defined and understood risk criteria so that the decision makers have consistent measures to aid judgment.
