Making people believe they have effective risk management because they discuss a point-in-time list of so-called “top risks” and set limits for those few risks is making them believe in fairies.
It is setting them up to be surprised and for a failure to deliver success.
It amazes me that one of my most popular blog posts continues to be “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!
In that and several subsequent posts (notably “What is your risk appetite?”, “The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?”, “COSO Contributes to Thought Leadership on Risk Appetite” and “New guidance on risk appetite and tolerance”) I have expressed my preference for the concept of “risk criteria” used by the ISO 31000:2009 global risk management standard.
Unless and until any statement of overall organizational risk appetite is linked to guidance that enables decision-makers across the organization to take desired levels of risk, this idea is not working.
Not Getting Any Clearer
Now PwC has published a piece, “Board oversight of risk: defining risk appetite in plain English.”
I was hoping to see new thinking that would help organizations and their boards manage risk effectively.
Instead, while PwC says that risk appetite “is not a new concept but one that can be confusing,” I don’t believe they have succeeded in removing any of that confusion.
For example, while the piece talks about understanding an organization’s “exposure” and reducing “risk to an acceptable level,” it also points out (correctly) that organizations need to take care that they don’t take too little risk! (I am not going to bring into this discussion whether risk is the effect of uncertainty -- positive and/or negative -- on objectives. For the purpose of this post, I am going to use the term "risk" the way COSO does, as a negative with opportunity as the positive effect of uncertainty.)
A few major points from the PwC piece:
- It is important for the board, as recommended by PwC, to understand and debate which risks the management team assess as being the most important to monitor and address.
- It is also important for the board, as expressed in the paper, to understand and agree with management how they will determine the type and level of risks they should and should not be taking. (You can call this risk appetite; I prefer to call it risk criteria.)
- Even more important, and not mentioned as far as I can tell in the paper, is for the board to obtain assurance (from internal audit, preferably) that the management team has effective processes for identifying, assessing, evaluating and treating risk as an integral part of running the business. Risk is not limited to what is included in a point-in-time list presented to the board. Risk is created and modified by every business decision, and the potential effects of uncertainty need to be integrated into every decision-making process, from the setting and monitoring of strategy and performance, to the decisions made by front-line employees every day. (I do not support in any way an internal audit of a point-in-time list of risks. That provides little assurance that management’s continuing processes for managing uncertainty across the organization are what they need to be for the organization to succeed.)
- If all the board is doing is reviewing a static, point-in-time list of risks and determining what are acceptable levels for those risks, it is reviewing a small subset of risks that is most likely already out of date. Furthermore, its focus may be on the horizon just as the organization is about to step off a cliff. Relatively minor decisions, such as the outsourcing of maintenance and operations of an oil rig in the Gulf, will never rise to the level of board attention but can be sources of massive damage.
- A risk appetite statement (some use other expressions, such as a risk appetite framework) has limited value if the people making decisions are not guided as to how much risk to take. All it does is create a target for a level of risk that can be compared (after the fact) to the levels of risk actually taken, but doesn’t stop people taking more risk (or less risk) than the board and top management desire. A risk appetite statement will not tell a procurement manager whether to accept a bid from a vendor that has the lowest price but not the highest reputation for quality and reliability, whether to allocate purchases among several vendors (at collectively higher cost but increased reliability), whether to implement additional quality control measures (at a cost) to address potential quality issues or take another approach. A risk appetite statement will not tell a hiring manager whether to select the highest cost but most experienced employee, or to take the inexperienced individual who will help him stay within budget.
- Risk appetite is not a single number. Every area is different and may well need different criteria to establish what is acceptable, from employee safety to cash flow, exchange rate exposure, customer credit risk, investment risk, the loss of key employees and customer relationships, supply chain disruption, quality manufacturing issues, data center disruption, vendor price increases, theft of intellectual property, litigation, brand and corporate reputation, capital project completion, and more.
- Risk criteria used to evaluate and determine how to respond to risk include but are not limited to values for risk appetite and tolerance. (COSO ERM says this as well.) For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept a. a 20 percent likelihood of a $50 loss if there is an 80 percent likelihood of a $50 gain, b. a 20 percent likelihood of a $50 loss if there is an 80 percent likelihood of a $500 gain, or c. a 20 percent likelihood of a $50 loss with an 80 percent likelihood of a $5 gain?
- Risk criteria should include not only values for risk, but other attributes. For example, COSO’s ERM Framework states “Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” It continues with “an entity that has set a target of a customer satisfaction rating of 90 percent may tolerate a range of outcomes between 88 percent and 95 percent. This entity would not have an appetite for risks that could put its performance levels below 88 percent.” However, in my experience managers might well be willing to accept a 2 percent chance that performance levels fall below 88 percent if there is an 80 percent chance that customer satisfaction might exceed 95 percent. Risk criteria should reflect both impact and likelihood, not just one or the other.
- Other attributes that should be considered include the speed of onset of the adverse effect (a negative impact that hits the organization faster than it is able to respond and cushion the impact is less acceptable than one that comes at a pace that enables a considered response), the duration of the negative effect, the corporate culture and social environment, and more.
- Risk appetite is not -- or at least should not be -- set in stone. For example, as the economy thrives, a company may be willing to take a higher level of customer credit risk.
- Those responsible for making decisions -- and decisions are where risks are "taken" -- need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
- The consideration and discussion of risk by the board has to be integrated with its discussion of strategy. The choice of strategies should be based, in part, on an understanding and appreciation of risk. Performance and the execution of strategy is only successful when those risks, and new ones that may appear, are understood and addressed. Further, the organization should be prepared to shift strategies as risks change.
- You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.
This is, indeed, a complex topic and boards must be extremely careful not to oversimplify.
The Goal: Risk-Intelligent Decision Making
Believing that you have effective risk management because you agree with management’s point-in-time list of so-called “top risks” and have agreed on the organization’s appetite for those risks is believing in fairy tales.
My advice is for the board to understand and become comfortable with management’s ongoing process rather than spend much time reviewing a point-in-time list of risks.
Challenge management on the points I list above. Are you satisfied, not just with the list of risks that management chooses to share with you, but that management addresses the potential effects of uncertainty as it manages the business -- at all levels -- every day?
Will it step off a cliff as it looks only at the horizon, the few risks on that list?
Separately, I understand that COSO is considering a project to update its COSO ERM Framework, now that it has updated the Internal Control -- Integrated Framework. I support such an endeavor and suggest that they consider:
- How managers can be guided to make risk-intelligent decisions every day.
- Moving from risk appetite to risk criteria, so that other issues (such as speed of onset, duration of effect, and so on) are considered when evaluating risks
- Moving towards convergence with the ISO 31000:2009 global risk management standard. One step would be to redefine risk and uncertainty as the potential effects of uncertainty on objectives -- a compromise definition I propose between that in ISO and that in COSO today.
I welcome your comments. My tolerance for risk appetite statements without guidance to enable risk-intelligent decisions is fading to black. How is yours?