Making people believe they have effective risk management because they discuss a point-in-time list of so-called “top risks” and set limits for those few risks is making them believe in fairies.
It is setting them up to be surprised and for a failure to deliver success.
It amazes me that one of my most popular blog posts continues to be “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!
In that and several subsequent posts (notably “What is your risk appetite?”, “The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?”, “COSO Contributes to Thought Leadership on Risk Appetite” and “New guidance on risk appetite and tolerance”) I have expressed my preference for the concept of “risk criteria” used by the ISO 31000:2009 global risk management standard.
Unless and until any statement of overall organizational risk appetite is linked to guidance that enables decision-makers across the organization to take desired levels of risk, this idea is not working.
Not Getting Any Clearer
Now PwC has published a piece, “Board oversight of risk: defining risk appetite in plain English.”
I was hoping to see new thinking that would help organizations and their boards manage risk effectively.
Instead, while PwC says that risk appetite “is not a new concept but one that can be confusing,” I don’t believe they have succeeded in removing any of that confusion.
For example, while the piece talks about understanding an organization’s “exposure” and reducing “risk to an acceptable level,” it also points out (correctly) that organizations need to take care that they don’t take too little risk! (I am not going to bring into this discussion whether risk is the effect of uncertainty -- positive and/or negative -- on objectives. For the purpose of this post, I am going to use the term "risk" the way COSO does, as a negative with opportunity as the positive effect of uncertainty.)
A few major points from the PwC piece: