COSO still believes in risk appetite statements

My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.

He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five members (the AICPA, FEI, AMA, AAA, and IIA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).

Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!

Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.

Personally, I see the growing chorus as progress!

We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the informed and intelligent decisions necessary for success.

This is what the COSO announcement on May 20th said:

In an effort to help boards, executives, and managers recognize how a better understanding and communication of risk appetite will help their organizations succeed, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is releasing new guidance, “Risk Appetite–Critical to Success,” focusing on how organizations can promote risk appetite as an integral part of decision-making.

I have written extensively about the concept of risk appetite here and in my books. My most recent discussion was “Do risk appetite statements add value?” You should also consider “Should we tear up the risk appetite statement?” and “Let’s talk about risk appetite.”

The authors of the new COSO guidance are the same people who have written about risk appetite for COSO before. So it may be difficult for them to step back and challenge their own (and COSO’s) established thinking.

I have a few questions for them and anybody else who likes risk appetite statements.

  1. Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?
  2. What is your personal “amount of risk”? Do you have an amount of risk that includes the possibilities of family illness, job loss, auto accidents, problems with your home, serious family disputes, and so on?
  3. If you don’t need a risk appetite statement in your personal life, why do you need one in your professional life?
  4. How do you explain the fact that an “amount of risk” is a concept that is wrong both logically and mathematically? Are you using the discredited formula of likelihood times effect? How do you come up with an “amount” when there are actually ranges of potential effects (not a single number), each with its own likelihood, as well as multiple sources of risk (such as compliance, cyber, human resources, treasury, and more)?
  5. Why are there no examples of how you calculate risk appetite and then use it to compare it against the potential for reward and make quality decisions? Is it because that is not as easy (or practicable) in practice as it sounds in theory?
  6. While COSO seems to recognize that what might happen includes not only harms (which they call risks) but also positive things (they call opportunities), the discussion of risk appetite only talks about the negative. How do you make intelligent and informed decisions without comparable information on both the positive and the negative? How can you weigh them against each other to see if the risk (negative) should be taken?
  7. Isn’t it far better to use techniques like Monte Carlo simulation that consider all the possibilities, not just harms?
  8. Where is the guidance on how to measure the possibility of reward and then compare it to the possibility of harm, and do that for each option or scenario? Why only provide guidance on half of the equation? How do you ensure that the right risks are being taken and opportunities seized?
  9. The guidance talks about operationalizing the risk appetite using risk tolerance. How are they any different from the limits and standards that have been in place for many decades? In other words, why can’t I simply retain my existing standards and policies and forget about risk appetite?
  10. How do risk appetite statements help you ensure that you have an acceptable likelihood of success, whether that is measured by the achievement of objectives, strategy, purpose, or something else?

If you are still enamored with risk appetite, I hope you enjoy and benefit from this new guidance. Unfortunately, I find it of little use.

I welcome your thoughts.

  1. John Fraser
    May 24, 2020 at 11:14 AM

    My understanding of the genesis of risk appetite statements is that they were an invention of the Financial Stability Board in an attempt to pretend they had a solution to the credit crisis of 2008. I have seen little evidence that they are of any real benefit, BUT I believe that they could be helpful if they generate constructive conversations throughout the organization as to the objectives, risk sources and mitigants in light of the established risk criteria. However, I do not believe that the conversations are happening. My friends in large organizations say that these RAS are either too vague to be helpful or are in a vault somewhere and not available to staff as they are considered too confidential.

  2. May 24, 2020 at 11:40 AM

    Norman, let me take your first question, ‘Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?’. The answer is yes. For example, I wouldn’t live near a river with a history of flooding, currently I won’t use public transport, there are areas of my city that I wouldn’t go into at night. I think most people have a risk appetite, even if not formally recorded. I have written in the past that all living things have a risk appetite, otherwise they would have been eaten. I would also argue that the most successful animals and businesses are the ones that seize those opportunities which keep them just below the point at which they get eaten, as opposed to those which reduce their risks by sitting in a cave and refusing to come out.

    How you measure this point is a separate matter. I could include in my choice of where to live that it was 50 feet above the nearest river. The wolf may set a risk appetite that it will not attack prey without the assistance of a pack. These are not single risk appetite statements though, and so I agree with your point 8 – it is not possible to make decisions with reference to a single figure, for example my choice of house not solely going to depend on its height above the nearest river especially if that meant a house in a forest with a history of fires.

    The only time I think a risk appetite has value is when trying to plan which risks require their controls to be checked by an audit. Even then, this is a very arbitrary process designed to eliminate unnecessary audit work.

    • Norman Marks
      May 24, 2020 at 12:02 PM

      Interesting. You have a desire to take or not to take risk. But does that mean you have a risk appetite statement? Have you calculated some number that you use in decision-making?

      • May 25, 2020 at 3:17 AM

        No, a desire to take risk doesn’t mean I have a risk appetite statement. This illustrates the problem you have raised. If I want to have a risk appetite statement, it has to be simple to be meaningful and measurable (‘I don’t want to buy a house which might flood, so it has to be 50ft above the nearest river’). However, a simple risk appetite statement constrains my decision – what about the number of bedrooms, the nearest shops, the nearest public transport? So I would argue that a meaningful RAS restricts choice, while an RAS which permits choice would have to be either complex or so general as to be meaningless.

  3. Glenn Daly
    May 24, 2020 at 12:38 PM

    The COSO risk management document is largely a marketing document for consultants. It’s not about being useful for decision makers, but more about trying to create work and build up risk management into some sort of formalised discipline.

  4. May 24, 2020 at 4:21 PM

    Norman, the value of a RAS is in communicating the level of risk that an organisation is willing to take in pursuit of opportunities.

    As individuals, we all have our own risk appetite (albeit unwritten / documented). For example, I will not go bungy jumping or sky diving, whereas others will as these activities are within their personal risk appetite.

    Organisations are made up of individuals with their own personal risk appetites. The RAS provides the guidance for individuals to use in decision making, separate from the individual appetites.

    My view is that a RAS, when articulated properly and sets quantifiable metrics, sets the boundaries within which an organisation as a whole is willing to operate. If a pursuit or decision is outside of appetite, a decision maker can look at what controls can be implemented to bring the pursuit within appetite.

    A RAS is not the be all and end all, but does provide a useful tool for organisations.

    • Norman Marks
      May 24, 2020 at 4:39 PM

      Thank you for your views.

      Do you have an “amount of risk” you are willing to take, or do you have certain risks that you will not take because the downside overwhelms any upside?

      They are not the same thing, IMHO.

      Do you add in some way the risks relating to bungee jumping and sky diving? I think not.

      Also, would you sky dive if that was the only way to save the life of your child, perhaps the only way to get to him or her in time to reach them with life-saving medications? A RAS ignores any upside.

  5. May 24, 2020 at 5:47 PM

    Hi Norman. It’s a controversial topic but I struggle to see why.

    For me it’s not about whether to do them, but to make sure to do them well.

    I see great risk appetite statements and frameworks all the time that are incredibly useful. I also see ones that are fuzzy and of limited value. The latter were very common until recently. I can only assume that most of the people in the against argument have not seen a good one yet. Rest assured they do exist and are spreading as good practice. Done well they are a profound enabler of strategy and incredibly useful.

    While I don’t have a personal one documented the concepts do permeate my thinking and I do find myself saying that things are “out of appetite” occasionally when saying no to things.

    More importantly right now in a Covid world and beyond is whether appetite exceeds risk capacity and matches risk necessity. These are the strategy sandbox and anchors.

    Risk theory and practice does need an uplift but I do get annoyed at people who want to tear down old and sound constructs because they’ve never been able to make them work successfully. Some have an agenda. For me challenge has always been about making the concepts work, as it was when people said that IA was a waste of time.

    Glad to have people genuinely pushing the debate. There is great innovation happening right now and much needed as during previous waves of #corpgov reform.

    • Osama Salah
      May 25, 2020 at 12:00 AM

      Can you please share some examples of these risk appetite statements that you believe are great and useful?

    • Norman Marks
      May 25, 2020 at 6:01 AM

      Todd, good to “see” you.

      Do you actually calculate an “amount of risk” and make decisions based on it? Can you provide examples?

  6. John Fraser
    May 24, 2020 at 5:56 PM

    Would someone, anyone, for the sake of all that is good to humanity, actually post an example of a risk appetite statement that they feel makes sense. Of course it can be nameless. All I have seen or heard of so far are pretty useless to the organization. Of course they were very beneficial to the consultants who worked long and diligently in helping to prepare them.

  7. May 24, 2020 at 7:13 PM

    Really glad to see this debate around the utility of RAS. None of the RAS I have encountered have been much better than boilerplate motherhood statements that are too vague or generic to be operationalised.
    Fortunately I don’t work with that many clients that are mandated to use COSO by regulation, so I steer my clients away from RAS, notwithstanding that most boards and executives think it’s necessary. Instead I undertake an exercise that provides client organisations with a risk profile by identifying and mapping their key risk drivers. This exercise highlights competing organisational priorities and I work with the key stakeholders to come up with a set of Risk Principles that guide how the organisation will resolve these competing priorities. I try and steer the organisation to produce a set of principles that can become the dominant risk decision-making tools for board, executive and management. They are usually qualitative but can be quantitative, but the aim is to provide a clear cognitive framework that is an expression of the organisation’s approach to how it accepts and manages the inevitability of uncertainty in the advancement and prosecution of its purpose.

    • Norman Marks
      May 25, 2020 at 6:04 AM

      David, do you focus on only the potential for harm or consider all the things that might happen so you can decide whether to take the risk?

  8. May 25, 2020 at 9:00 PM

    I’ve seen dozens of risk appetite statements over the last few years and I’ve yet to find a case where they have become properly integrated in normal decision making. Well, to be honest, I’ve yet to find any organisation that uses them much for anything, except to keep regulators at bay and as a landing pad for flies.

    In most cases, as always, they are yet another artefact that organisations have to pay to create to satisfy some regulatory requirement. Another money spinner for the consultancy industry!

    When the financial regulator here introduced a requirement that risk appetite statements be produced by financial service companies, I was helping a superannuation fund (a pension fund) develop a credible and useful approach to considering uncertainty as part of decision making. I therefore asked the regulator what a good risk appetite statement would look like and if they could send me some examples of what they required.

    Their response was most telling: they could not tell me what a good one looked like or contained, but if the fund prepared one before its annual audit, they would let us know if it complied with their requirements.

    So, we prepared a document we called a ‘risk appetite statement’ but which included the sets of criteria the fund used for decision making; for example, for investments. However the regulator did not like this because it did not contain a section called ‘key risk indicators’. When we asked what these were, the reply came back as before – “we can’t tell you what they are or what they look like, but we’ll know if you’ve complied with it”!

    We just changed the title over the table of criteria to ‘key risk indicators’ and the regulator accepted it!

    Risk appetite statements are just another artefact of the parallel universe that ‘risk management’ has become. Like any belief system, you just have to accept all the special terms and concepts and never challenge the chanted mantra that it helps organisations make better decisions – even if, demonstrably, it does not.

    Of course, the authors of this guide are some of the ‘high priests’ of this belief system and therefore have a vested interest in wanting us all to just ‘believe’, not question – and just continue tipping cash into the collection plate.

    What actually is ‘risk appetite’ is wreathed in the religious smoke of the belief system. COSO seems confused (and maybe, deliberately confusing) and even the industry which gave birth to this Frankenstein monster, seems perplexed. For example, the Basel Committee on Banking Supervision “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches” says it is:

    “a high level determination of how much risk a firm is willing to accept taking into account the risk/return attributes; it is often taken as a forward looking view of risk acceptance.”

    They also say that risk tolerance is:

    “a more specific determination of the level of variation a bank is willing to accept around business objectives that is often considered to be the amount of risk a bank is prepared to accept.”

    But then, just to make everything as clear as mud, they say:

    “In this document the terms are used synonymously.”

    Go figure!

  9. May 26, 2020 at 7:21 AM

    Question: How can a Risk Manager design and implement an enterprise risk management environment without a set of boundaries outlined and approved by the Board of Directors? Answer: The Risk Manager cannot make any type of informed risk opinion without knowing the boundaries.

    Question: How can a Risk Manager provide commentary on the risk of success for a new product; removal of an existing product or operation; or the probability of success of a merger or acquisition?
    Answer: The Risk Manager cannot make any type of informed risk opinion without knowing the boundaries.

    Question: Can the accounting profession survive without boundaries (i.e. GAAP; FASB Statements)?
    Answer: No.

    The RAS is the Board’s risk boundary statement. There has to be an agreed boundary to assess strategic moves against. If the Risk Appetite Statement moniker causes heartburn, change it to a “Risk Boundary Statement.”

    • Norman Marks
      May 26, 2020 at 7:55 AM

      Good questions, Gary:

      Question A: How can a Risk Manager design and implement an enterprise risk management environment without a set of boundaries outlined and approved by the Board of Directors?

      1. Risk needs to be taken when it is right for the business. A rigid set of boundaries makes for rigid management that is not sufficiently agile to respond to changes in conditions. Even COSO ERM recognizes that sometimes risk limits should be overridden – but it provides no guidance on how to recognize that the reward justifies taking the additional risk. Businesses have always had limits that can be exceeded after escalation to more senior management and the board if necessary. But both the risk and reward are considered.
      2. Why does a Risk Manager have to set these boundaries? This is simply good management and the practice has existed for decades if not centuries.
      3. I agree with a “set of boundaries” that is appropriate for different decisions, such as limits on speculative positions, customer credit, investment strategies, approvals for expenditures, who has which systems access, and so forth. What have they got to do with an “amount of risk”? You don’t need a RAS to have limits.

      Question B: How can a Risk Manager provide commentary on the risk of success for a new product; removal of an existing product or operation; or the probability of success of a merger or acquisition?

      Answer: By helping management assess both the possibilities of harm and success, providing the tools and processes to weigh each scenario’s possible results and make a judgment call. If the risk manager only looks at the possibility of doom, without regard for the potential for reward, does that make him or her a Chicken Little? I don’t know how a RAS helps. Many organizations use an ROI or similar calculations for the type of decisions you mention and I prefer that to relying on risk appetite or tolerance alone.

      Question C: Can the accounting profession survive without boundaries (i.e. GAAP; FASB Statements)?
      Answer: No. But that has nothing to do with RAS.

      The Board does not need, IMHO, a RAS. It needs assurance that people are considering the downside and the upside and making informed and intelligent decisions. An artificial calculation of an “amount of risk” may satisfy regulators but adds little value, IMHO, to the quality of decision-making.

      In other words, continue with limits and such to drive appropriate decisions, but don’t try to aggregate everything into an “amount of risk”, especially when the traditional method of I*P is logically and mathematically flawed.


  10. Brian Warren
    May 26, 2020 at 2:01 PM

    Those of us who’ve been around long enough may recall the era before the Sarbanes-Oxley Act of 2002 when pretty much all ERM efforts, including COSO, were languishing in obscurity, read only by risk managers, auditors and similar risk nerds. Then Enron, Tyco and Worldcom happened, the markets crashed, the bubble in tech stocks burst like an infected boil and people suddenly decided that board directors and CEOs needed to be held personally accountable for fallout from unethical business practices, whether they knew about them or not. Suddenly the captains of industry got religion and cast about for some solution that would, ideally, help them properly search out and identify risk in their organizations, or failing that, at least give them a safe harbor from personal liability by evidencing that they did their best. And there was COSO, a framework that could easily be adapted to produce the documentation that satisfied S-Ox compliance requirements. The rest is history.

    • Norman Marks
      May 26, 2020 at 2:14 PM

      So you are saying it helps with SOX compliance (that would be the Internal Control Framework rather than ERM)?

  12. Jose Luiz Valentim
    May 26, 2020 at 6:39 PM

    Risk Appetite is a management tool together with capital management in the face of the risks assumed by the business strategy. In other words, the Business-Risk-Capital tripod must maintain a balance. New risks assumed by the business must have sufficient capital to support them.

    May 26, 2020 at 8:56 PM

    I totally agree with you Norman – I’m in my 5th semester teaching IA (in addition to my day job in IA), and I always deviate from the textbook when it comes to Risk Appetite, mainly because of your point #5. I’ve never encountered anyone who actually consults a sufficiently articulated and granular RAS to make a decision (I suppose it’s possible, in some circumstances, but probably few & far between), so I teach Risk Appetite as a derivative value that is revealed by decisions – i.e. your (or a Board’s) choices reveal what you value more accurately than what you might say ahead of having to make the decision. I think one of the reasons RAS’s aren’t worth the time and effort necessary to create them is that people aren’t honest with themselves (especially in front of others) about what they actually value and prioritize. IMHO, that’s a big reason why RAS’s stay vague and useless.
