Let’s talk about risk appetite

My blog post with the highest number of all-time views (at nearly 55,000) is this 2011 piece: Just what is risk appetite and how does it differ from risk tolerance? It still gets views almost every day (1,575 last month).

Since then, my views have changed to a degree. It might be useful to search this site (using the search box above) for more recent posts that cover ‘risk appetite’. There are quite a few!

I am going to update my thoughts on risk appetite today, but first let’s revisit where I stand on risk management and share some thoughts from thought leaders on risk appetite.

  • These days, I talk about the need for people to make intelligent and informed decisions, because that is where risk is taken.
  • Top management and the board need a reasonable level of assurance that important decisions are both intelligent and informed – that they give due consideration to what might happen (i.e., risk).
  • In fact, I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk.
  • The key is to make informed and intelligent decisions that take the right level of the right risk, where it is justified on business and other grounds. Decision-makers need guidance so that they know that what they are doing (taking risk) is consistent with the desires of top management and the board. You may call that risk appetite (I prefer not to) or risk criteria, but often it is covered by policies such as investment guidelines, hedging policies, delegations of authority, and stop-loss limits.

As I pointed out in my October 2017 post, even COSO 2017 recognizes the need to take risk and not just manage it. It says that organizations may decide it is right, from time to time, to exceed their stated risk appetite:

…management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly.

Management is deciding to take the risk even though it is outside their stated appetite, because it is outweighed by the potential benefits.



Recently, I asked a group of highly respected (at least by me) risk practitioners and thought leaders a question about risk appetite.

A highly spirited debate ensued!

Now some might expect there would be a general sense of agreement that the concept and practice of establishing and using a risk appetite statement is sound – that it has value. After all, it is promoted by COSO and almost every regulator and governance code.

In fact, there was general agreement (with a few dissenting) that the concept of risk appetite is flawed and its value in practice is limited, but it cannot be ignored: the regulators and others (rightly or wrongly) insist on it – at least for financial services organizations.

Here are a few (anonymous) quotes.


Despite being a request from some (US) regulators, it does not make sense to “calculate an organization’s ‘appetite’”.


In my opinion, most of the information about risk appetite is window dressing. The concept is completely unnecessary. Here is why:

  • Risk appetite started in Financial Services as a funky way for the regulator to control how much liquid capital banks and insurance companies should hold. It’s a leash to control management and supposedly protect the public. If there wasn’t a regulator, the concept would never arise in the first place. Now banks and insurance companies do anything possible to create BS models to increase risk appetite and lower capital tier 1 requirements. Side concepts like risk tolerances, risk-bearing capacity, and God knows what else are total nonsense created by consultants to sell nice presentations. No practical application whatsoever. Not surprisingly, risk limits are fine, as they actually help make decisions and existed well before we ever heard about risk appetite.
  • In non-financial services, there is no single regulator and no capital holding requirements, so the concept of risk appetite should not exist at all, except we have auditors and consultants… you know the rest.


I continue to have severe misgivings on the idea that we can calculate an organization’s “appetite.” What is it? Given that human emotions may well be its most significant ingredient, can we even measure it? And “investment” in an organization includes not only measurable financial assets, but also immeasurable group and personal intellectual contribution, plus personal reputations.

And, as we must consider the wide range of possible outcomes, favorable, neutral, and unfavorable, I think the financial services industry focus is inherently correct. Which means, of course, that the word “risk” itself probably should be scrapped, as it connotes only downside results. Only when we address and anticipate the probable, possible, and wholly unexpected future events, situations, and developments can we really prepare for them reasonably intelligently. An over-focus on possible “losses” is similar to wearing blinders!


The whole point is that directors and the CEO need a meeting of the minds as to the boundaries within which to operate over time. My experience is the board-management risk appetite dialogue is the important thing. The statement itself can be very simple so long as it reflects the dialogue. I agree that financial institutions have been dragged into doing risk appetite statements. But progress is being made in making them useful.


Whether anyone here likes it or not, the concept of risk appetite is firmly established in the arsenal of the international banking regulatory community. So we can simply pooh-pooh it, or we can try to make some sense of it. In the context of the Bank of England, the PRA and FMID regulators, they are particularly interested in systemic risk and the extent to which any individual player could exacerbate systemic risk for the economy as a whole. That is why they want to understand each institution’s risk appetite. So while we may dislike the phrase “risk appetite”, just as we may dislike the phrase “risk management”, it is incumbent on risk leaders to help both regulators and firms to make some sense out of this Risk Management thing that we are all grappling with, and which, despite the assertion to the contrary of some in this group, continues to evolve.


Boundaries have to be established on what constitutes acceptable timebound outcomes and targets, along with incentives and points for escalation. In the finance domain, a smart operator will also attempt to identify how much downside they can tolerate as they finance their losses and where / how they have to cut their position to survive. No sensible soul should go to battle, to sea or into an investment without anticipating where they are fragile, how they should respond and where it comes to an end, yet many lucky people do, some not so lucky of course.




Before turning to today’s advice, I want to recall something I said in an October 2017 post:

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

  • Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.
  • Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.
  • Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.



What do we do?

  1. Recognize that if you are required by law or regulation to have a risk appetite statement, or even by boards who (perhaps on the advice of consultants) believe this is necessary, you need to put one together.
  2. Any risk appetite statement should first satisfy the needs of the regulators. (Sadly, they seem to be happy with fluff such as “we have no tolerance for non-compliance with laws and regulations”.)
  3. If at all possible, develop risk appetite statements that actually mean and do something. (Or indicate that the guidance is in other standards and policies.) They should:
    1. Guide decision-makers, so that they know before they take a risk whether their decision would be acceptable and in the interests of the organization as a whole as it strives to achieve its objectives
    2. Allow for flexibility where there is a business justification for taking what might appear to be a lower or higher level of risk – because of the opportunity that is presented. For example, require such decisions to be escalated to more senior levels of management or the board
    3. Enable top management and the board to have assurance after-the-fact that risk to objectives (which I define as the likelihood of failing to achieve an objective) is within desired levels
    4. Distinguish between different sources of risk. Don’t attempt to have a single risk appetite that encompasses market risk, compliance risk, reputation risk, and so on. That is nonsense. Develop guidance that is suitable for decisions in each area
  4. If you decide on ‘fluff’ risk appetite statements, you still need guidance for decision-makers (see below)
  5. If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership
  6. Provide reports to the board and top management (as described in my books) that help them see whether enterprise objectives are likely to be achieved
  7. Have the CEO provide assurance to the board on the quality of decision-making, risk-taking, and the achievement of enterprise objectives
  8. Have the CRO (if there is one) do the same
  9. Have the CAE provide an opinion on the above
  10. Include the quality of decision-making in each individual’s performance assessment


So what do you think?

I welcome your comments.

  1. Patrick Claude
    March 24, 2018 at 11:02 AM

    Thank you, Mr. Norman, for your guidance; it is very helpful.

    I would appreciate reading your view on the following questions:

    Can we not simply define the risk appetite statement as the prioritized list of all objectives? Long term versus short term, objectives linked with the strategy and the operational performance, those linked with growth and those resulting from the necessity of keeping the licence to operate. Of course an organisation would like to achieve all its goals, but some can be more important than the others, during a certain period of time. During a financial crisis the objectives linked with debt reduction and gearing are becoming more important, but they can move to 2nd or 3rd rank when the economy grows again.

    At the end, an actionable risk appetite statement can look like the balanced scorecard of Pr. Kaplan, where you define the organisation’s targets by considering all stakeholders: the shareholders, the customers and the regulators.

    Isn’t it that risk management is performance management, taking uncertainty into consideration?

  2. Norman Marks
    March 24, 2018 at 2:14 PM

    Patrick, we are talking about whether we will achieve objectives. So how do we make sure we are going to achieve them? We need to ensure we are not putting them in jeopardy and we need also to ensure we are taking advantage of situations that will increase the likelihood and/or extent of success.

    A list of objectives and the assessment of current state/progress plus a look forward (risk) is what I recommend in World-Class Risk Management. Please consider getting a copy.

    • Patrick Claude
      March 25, 2018 at 9:58 AM

      Of course we need to put some objectives at risk (or in jeopardy) to achieve the ones that are considered more important. Having a good alignment between the Board and Management about the objectives that matter and those of 2nd rank, taking the needs and expectations of the stakeholders into consideration, is an important part of risk governance. Once that is done, getting a risk appetite is easier (if you need one, i.e. if the risk appetite is used by management and the board).

  3. Manoj
    March 25, 2018 at 1:33 AM

    Here in India, it’s giving enough of a headache when multiple people talk about this in multiple ways. I wrote a post on the same.


    Risk appetite creates more confusion than provide clarity.

    • Norman Marks
      March 25, 2018 at 7:20 AM

      Thank you for sharing. As I said in this post, it is essential to understand why you might need risk appetite in the first place. Defining it without knowing how it can be of value I don’t find very helpful.

  4. March 25, 2018 at 5:12 PM

    Thanks Norman. I agree with much of what you and your colleagues have said.

    When I teach risk management, there are a couple of recurring buzzwords that participants (board members, executives and staff) generally understand and seem to grasp intuitively without me having to teach a thing.

    One of the most common ones is ‘appetite’.

    So while some of your colleagues suggest organisations would only consider appetite because various regulators tell them to do so, my experience would suggest otherwise. Decision makers often appear conscious of the need to consider (and even document) appetite without such direction. What confuses them is how to use this thinking to benefit their business rather than sit on a shelf.

    In our Australian state government jurisdiction, the relevant regulator doesn’t specifically require the documenting of appetite statements – just some passing mention is made of the concept.

    So I think risk managers need to be skilled in the science of decision making. This is the critical capability … probably more than skill in risk assessment (which is merely a tool to strengthen confidence in decision making).

    Answering questions like: “what is the range of likely decisions we face?”, “what are the attributes of the decision – is it complex or simple?” and “what room do we have to move anyway?” is something risk managers need to be skilled at understanding and coaching their colleagues in.

    Not plotting dots on a pretty chart!

    • Norman Marks
      March 25, 2018 at 5:57 PM

      Well said!

  5. March 26, 2018 at 11:11 AM

    Hi Norman, thank you for firing up this discussion again. Maybe, you will be able to push it a bit more in the right direction, even though you have to stand up against a whole world of regulators, standard setters, and “experts” who are mindlessly employing this convoluted concept and – worse – imposing it on others!

    In my earlier blog “What Is Your Appetite for Risk Appetite?” I notice that “many risk management professionals are also not so sure [about the meaning of the term “Risk Appetite”]—or should not be so sure—as many different definitions or explanations of terms exist. If you look up the term in various regulations, standards, or guidelines, or ask several experts, you will end up with a plethora of meanings. This creates unnecessary confusion and is not good, even dangerous, for the management of risk!” More bluntly: if you ask 3 different regulators you get 3 different answers. And if you ask 3 people within the same regulator, you still get 3 different answers!

    The bottom line is that nobody and no organization has any appetite for risk (read: “uncertainty”). On the contrary, we hate it and we will do everything reasonably possible to reduce the risk (read: “uncertainty”) around our decisions or subsequent execution. Look, for example, at stock traders, in many eyes the epitomes of risk takers. The truth is that they hate risk (read: “uncertainty”) and will do everything in their power (from rigorous analysis to insider trading) to reduce their risk (read: “uncertainty”), ideally to zero, before they make an investment decision.

    Unfortunately, however, many of us are not so lucky and, as a consequence we have to take decisions without perfect foresight or complete information, in which case risk (read: “uncertainty”) comes about… Then it is all about the trade-off between what we want to achieve and how much we are willing to sacrifice for that, and many factors go into that decision. In fact, so many that it is impossible to speak about “one” risk appetite for an organization.

    For example, an army in peace time is not willing to sustain casualties, but in times of a conflict the risk – reward balance may shift dramatically. Closer to home: if I put an apple on the other side of the Hudson River (which is very cold at this time of year), there is a small chance that you will jump. However, if I were to replace it with a golden apple…

    Point is that, when making a decision, you should do everything that is reasonably possible (from a cost-benefit point of view) to get as much information as possible, then assess the residual risk, consider any safeguards, etc., and then come to a decision.

    So, my recommendation is to completely do away with this confusing term.

    Instead, we should have a discussion about what often goes wrong in this area (organizations taking on too much or too little risk) and how risk management may be able to help. For example, by ensuring that decisions which involve a greater degree of risk are properly managed (like being scaled up to a higher echelon), but then explained in straightforward language that people can actually understand:

    • In our IFAC publication on Evaluating and Improving Internal Control in Organizations, we wrote that “the governing body [among other things] should define [the organization’s] (risk management) strategy, APPROVE THE LIMITS FOR RISK TAKING and criteria for internal control, and make sure that management has effectively undertaken its responsibilities relating to management of risk and corresponding internal controls.”

    • And in our thought paper, From Bolt-on to Built-in—Managing Risk as an Integral Part of Managing an Organization (IFAC, 2015) we argued that “line managers should be aware that they are managing risk as part of their everyday roles and responsibilities, in line with the organization’s intentions as expressed in its policies, goals, and objectives. This problem is exacerbated when line managers are not responsible for maintaining risk within established limits for risk taking and are allowed to choose their own limits for risk taking over those of the organization.”

    Norman, all the best on your quest, and you have my support!

    • Norman Marks
      March 30, 2018 at 7:25 AM

      Thanks, Vincent.

      I remain concerned that we think about the harm without understanding that multiple effects flow from an event, situation, or decision. It’s the smart manager who is able to weigh all of them, both positive and negative, to make an informed decision. Focusing only on harms is not going to either connect with real managers in real life or help them and the organization succeed.

  6. March 27, 2018 at 5:34 AM

    Thanks, Norman, for the insight. I too find risk appetite an elusive concept. Right now I have quite an appetite for lunch, but this interesting discussion has managed to keep it at bay.

    It is telling that 31000 does not include the concept of Appetite but does articulate Risk criteria – see below.
    “6.3.4 Defining risk criteria
    The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision making processes. Risk criteria should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.”

    I think regulators, boards, etc. should have an interest in limits and tolerances, but appetite is almost a cultural concept and therefore difficult to measure.

    I think you have defined what’s needed in point 5 of your summary, i.e.

    If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership.

    Now for lunch.

  7. March 28, 2018 at 1:59 AM

    Norman, as usual you have raised an important topic. Today (28 Mar) in the UK a report has been published which illustrates the importance of the points you have raised but unfortunately as a result of a terrible attack which could occur anywhere.

    On May 22, 2017, 22 people were killed by a suicide bomber at a Manchester, UK, concert. A review was carried out by Lord Kerslake into the events and aftermath of this attack. For example, it contains the paragraph (5.101):

    ‘It is the Panel’s opinion that the response of NWAS [North West Ambulance Service] personnel, and of other responders who moved into the station and foyer, illustrated that the success of the operation was based on a willingness to be risk-accepting, rather than being dogmatically risk-averse, even if that meant operating outside normal organisational safety protocols.’

    The link to the panel’s website is: https://www.kerslakearenareview.co.uk/

    The link to the report (pdf) is https://www.kerslakearenareview.co.uk/media/1022/kerslake_arena_review_printed_final.pdf

    We are at a time where any organisation could find itself affected by an attack or major disaster of some sort. If you are responsible for risk and/or control, do the employees of your organisation know how to react to emergencies? Are the instructions rigid, or do they allow for personal decisions? Is the information available to make those personal decisions?

  8. March 29, 2018 at 11:46 AM

    Norman, some further thoughts:
    An unacceptable risk is like an elephant, difficult to describe but you know one when you see one. It is therefore difficult to define and document a risk appetite. The best approach is probably to calculate the worst possible loss arising and then define the level of management which has to make/approve the decision.

    The notions of risk management and risk appetite are interesting. All creatures employ them, for example:
    Objective: I’m a hungry wolf and want to eat bison
    Risk: I’m mauled by the bison, who is considerably bigger than me.
    Risk Management: I’ll get a few mates and hunt in a pack

    We consider that the residual risk, being mauled by the bison, is now less than our risk appetite (!). So we continue:
    Objective: We will attack and eat that big bison
    Risk: bison attacks us and beats us back because it’s bigger and meaner than we thought
    Risk management: run away

    So having carried out the attack on the bison, we realise our initial assumptions were incorrect and that the residual risk (before we run away) is greater than our risk appetite.

    So we killed a deer – not so much meat but less dangerous.

    I would argue that a creature’s survival depends on its ability to ‘maximise’ its risk appetite without being eaten. In other words, its ability to understand the risk it can take, and survive. If its risk appetite is too low, or risks increase to a level it can’t manage (e.g. climate change), it will become extinct. Bit like business really.

    • Norman Marks
      March 30, 2018 at 7:22 AM

      David, if you are not hungry and there is little benefit for going after the bison, you will avoid it. But if you are starving, you will take the risk.

      Too often we think about the risk (harm) without consideration of the context – what we stand to gain.

      • March 30, 2018 at 10:20 AM

        But I am arguing that we (and other animals) do think about the context. We weigh up the gain (nice bison) against the risk (bad horns). In practice, it is much more subtle, for example if the bison is weak that might lower the residual risk below our appetite and the pack will attack. If the pack is starving, that might lower their risk appetite and they will attack a strong bison. However, if there is other food available (deer) not as satisfying but lower residual risk, they will take it.
        In other words, the natural world is constantly balancing potential harm against potential benefit. So I am agreeing with your assertion, ‘The key is to make informed and intelligent decisions that take the right level of the right risk’ while arguing that this involves determining risks and benefits, managing them and then deciding on whether the net benefit exceeds our accepted level.

        • Norman Marks
          March 30, 2018 at 11:17 AM


  9. Richard Fowler
    March 30, 2018 at 6:41 AM

    Very good article, Norman, and a good discussion. My concern is focused on one statement you made: “I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk.”

    This is a false dichotomy, as the options are not to take or not take risk. Risk exists whether we take it or not, and adverse events happen whether we plan for them or not. Risk management standards tell us that there are 4 things we can do with risk: avoid it, transfer it, accept it, or mitigate it. There are no other options, and I’m pretty sure you are not suggesting we just accept risk for every decision we make.

    We, whether as individuals or organizations, need to first be aware of what risks exist. Once we have some idea of what could happen to keep us from our objectives, only then can we decide how to address the risk. But we shouldn’t ignore risk management – it needs to continue being an important part of the decision making process.

    • Norman Marks
      March 30, 2018 at 7:31 AM

      David, one minor quibble – we can also elect to take more! If you believe the odds are favorable, buy not one but a dozen lottery tickets. If you seek to impress, spend more at a charity auction. If you can handle it, extend a higher level of credit to a potential large customer.

      I’m not sure that I agree with you that risk exists whether you take it or not: consider whether you take the risk of going to market with a new product earlier than planned. The risks that flow from that decision do not exist if you defer.

      Also, I think we need to consider not only what “could happen to keep us from our objectives” but what could happen to help us exceed our objectives.

    • March 30, 2018 at 11:18 AM

      Richard, couldn’t agree more: we decide to pursue objectives, which come with risks and benefits. But we talk in shorthand, for example, about wolves taking the risk of attacking a bison with large horns. In practice we mean that the wolves can decide to attack the bison (optional), which has the threat of large horns (not optional!).
      So we can’t elect to take more risks. We can elect to pursue a new objective which has more potential benefits and risks, but with the possible net benefit being higher. The risk of going to market with a new product is not a risk; it’s an objective (launch a new product) which has risks and benefits. If you ditch the product, the risks automatically disappear. No objective – no risks, or benefits.

