Taking a Closer Look at the Concept of Risk Appetite


GUEST BLOG
What is risk appetite? It is defined by COSO as the “amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” Before analyzing that nebulous statement, it is useful to consider why we are even thinking about risk appetite statements.

Basically, regulators and board members influenced by them want to prevent management from taking too much risk. By that, I mean acting or failing to act in a way that puts the success, even the viability, of the organization in peril for no good reason and without the approval of the owners of the organization: the shareholders. In addition, these days it is recognized that the failure of an organization can affect others, including customers, creditors, and the community. Ergo, the concept of risk appetite.

The concept has been broadly accepted in the financial services sector and is required by banking and insurance regulators. But is it necessary and useful to come up with “an amount of risk that the organization is willing to accept”?

Limits on Risk Taking
What did organizations do before there was talk about risk appetite? What do many still do in the absence of a risk appetite statement? Do they let management run wild, taking all the risk they think would help their results and get them significant bonuses—while putting the organization in peril? No.

That’s because there are several limits and policies that constrain management actions everywhere:

  • Limits on spending (budgets) and purchasing (purchase orders)
  • Limits on the granting of credit
  • Limits on the approval of discounts
  • Limits on the approval and signing of contracts and commitments, both purchase and sale
  • Trading limits
  • Approval requirements for the granting of system access rights
  • Health and safety policies
  • Ethics policies
  • Information security policies and standards
  • Hiring policies
  • Policies around the sale by management of the company’s shares
  • Limits on the number or value of assets held by the company (such as insurance policies, mortgages, inventory at specific locations, etc.)
  • And so on

Some have developed risk appetite statements that attempt to come up with a single number or value for all the sources of risk facing the organization. They seem to believe that they can aggregate disparate sources of risk, such as credit risk, operational risk, cyber risk, and so on. I don’t think that is logically (or mathematically) sound.

Risk Appetite Statements
Some have risk appetite statements (and previous COSO guidance has examples) that say things like “the company has a low tolerance for compliance risk.”

It is interesting that the COSO document I wrote about in May seems to think this example has meaning and value:

“Echo Relief, a service organization to help people through disasters, will pursue new programs that enhance the delivery of services to those in need within our financial ability. We will accept moderate risk to the safety of staff and volunteers as we respond to disasters. In order to maintain good stewardship of donor funds, we have a low appetite for risks related to misuse of funds.”

I don’t think that adds more than lipstick value. It won’t affect any decisions. So what does make sense?

Better Risk Appetite Statements
If I were a CRO today (I retired from that wonderful position several years ago) I would consider developing a risk appetite statement of a different kind—even if I were in an organization bound by related regulations.

Its purpose would be twofold:

  1. To explain how management is guided to take the right risks, neither too much nor too little.
  2. To ensure there is sufficient guidance for decisions made by management (and the board as needed). (Every decision involves taking risk.)

I would certainly not try to come up with a single value for risk appetite, nor would I attempt to come up with single numbers for different types of “risk.”

I would also avoid flim-flam language that is not actionable, such as “we have a low appetite” for this or that.

How can you ever say that having a low or even no appetite for compliance or safety failures is meaningful? It is impossible to have a zero likelihood of a failure in either area.

Risk Guidance
My idea of a risk appetite statement would take each area of “risk” and reference how management is guided when it comes to taking it. The document would explain what policies, procedures, and standards apply and whether there are specific limits. I would include how exceptions are handled.

In some cases, there will be specific limits, such as in the granting of credit. In other cases, such as employee safety, management judgment will be guided by related policies, procedures, and standards.

It is essential, as COSO recognizes, that management be able to take the right risk when warranted—making informed and intelligent decisions.

COSO also recognizes that limits (even those it refers to as risk appetite) should be exceeded when the business need or reward justifies it. A rigid limit has the effect of limiting success.

Informed Decision Making
If risk management is to be meaningful, it needs to deliver actionable information to help people make informed and intelligent decisions—and take the right level of the right risks.

If you have a risk appetite statement or are developing one, don’t do it to comply with the regulations. Do it so it means something! Or, reconsider and focus instead on helping leaders make the right decisions.


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

Republished with permission from: Norman Marks on Governance, Risk Management, and Audit.

One Reply to “Taking a Closer Look at the Concept of Risk Appetite”

  1. I always find Mr. Marks’ insights to be valuable and on-point. My summation of what I have observed in my 35 plus years in risk management is that much of what companies are putting in place under the “pretense” of risk management is little more than nonsense. Ultimately, it is simply ignored or tolerated in the management ranks but has very little practical application or influence on the businesses and decisioning.
