A recent thought paper on risk appetite by COSO prompts guest writer Norman Marks to explore the place risk appetite and its management have in the day-to-day strategic plans of organizations.
My congratulations go to Professor Larry Rittenberg and Frank Martens of PwC on the Thought Leadership Paper "Understanding and Communicating Risk Appetite," recently released by COSO.
While I am not enthralled by the COSO definitions of risk appetite and tolerance, preferring the ISO 31000:2009 variants, this is a clear and well-written paper that makes a valuable contribution to thought leadership in this area.
It shouldn’t matter whether you like COSO Enterprise Risk Management (ERM) or hate it. I ask that you set aside the COSO language and terms -- especially the dreaded "cube" -- and see if the general advice is valuable.
Before getting into the paper, let me refer you to prior posts and references on this topic:
- Just what is risk appetite and how does it differ from risk tolerance?
- An effective risk tolerance, appetite, criteria, etc. statement
- New guidance on risk appetite and tolerance. I like some parts, disagree with others
- A discussion of Risk Appetite by thought leaders
Here are some quotes from Rittenberg and Martens I like.
Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives?
How Much Risk to Take On?
The COSO document "Enterprise Risk Management--Integrated Framework" explicitly states that an organization must embrace risk in pursuing its goals. The key is to understand how much risk it is willing to accept.
Further, how should an organization make this decision? To what extent should the risks accepted mirror stakeholders’ objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization’s appetite for specific kinds of risk?
When properly communicated, risk appetite guides management in setting goals and making decisions so that the organization is more likely to achieve its goals and sustain its operations.
ERM is not isolated from strategy, planning or day-to-day decision making. Nor is it about compliance. ERM is part of an organization’s culture, just as making decisions to attain objectives is part of an organization’s culture.
Risk Appetite Needs Ongoing Review
An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue.
Risk appetite cannot be set once and then left alone. Rather, it should be reviewed in relation to how the organization operates, especially if the entity’s business model changes.
Management should monitor activities for consistency with risk appetite through a combination of ongoing monitoring and separate evaluations. Internal auditing can support management in this monitoring. In addition, when monitoring risk appetite, organizations should focus on creating a culture that is risk-aware and that has organizational goals consistent with the board’s.
- is strategic and is related to the pursuit of organizational objectives;
- forms an integral part of corporate governance;
- guides the allocation of resources;
- guides an organization’s infrastructure, supporting its activities related to recognizing, assessing, responding to and monitoring risks in pursuit of organizational objectives;
- influences the organization’s attitudes towards risk;
- is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and
- requires effective monitoring of the risk itself and of the organization’s continuing risk appetite.
As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. Those in governance roles should explicitly understand risk appetite when defining and pursuing objectives, formulating strategy and allocating resources. The board should also consider risk appetite when it approves management actions, especially budgets, strategic plans and new products, services or markets (in other words, a business case).
The Complementary Roles of Risk & Strategy
The point is that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. That consideration takes place throughout the execution of the strategy, and it is most important when strategy is being formulated with due regard for risk appetite.
An organization’s risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management.
The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.
A risk appetite statement is useful only if it is clear and can be implemented across the organization. Risk appetite should be descriptive enough to guide actions across the organization. Management and the board should determine whether compensation incentives are aligned with risk appetite, not only for top management but throughout the organization.
To be effective, risk appetite must be
- operationalized through appropriate risk tolerances;
- stated in a way that assists management in decision making; and
- specific enough to be monitored by management and others responsible for risk management.
The paper talks extensively about the difference between risk appetite and tolerance. I have not quoted from it here as I don’t personally find that useful. As I said above, I prefer to think of risk appetite and tolerance using the ISO terms: appetite is the amount and type of risk that an organization is willing to pursue or retain, and tolerance is the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. I also prefer the notion of risk criteria, which include but are not limited to risk appetite and tolerance.
But that shouldn’t matter to whether this paper adds value or not.
What do you think?