last bite

A compliance thought leader and practitioner recently asked my opinion about the relevance of risk management, and more specifically risk appetite, to compliance and ethics programs.

The long and the short of it: I’m not a big fan of risk appetite.

Sounds Good in Theory

Taking a risk management approach to operating in compliance with both laws and regulations, and society’s expectations (even when they are not reflected in laws and regulations) is a smart business approach. 

Regulatory guidance reinforces this. The US Federal Sentencing Guidelines, for example, explain that when a reasonable process is followed to identify, assess, evaluate and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK's Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

The question comes down to whether you can — or should — establish a risk appetite for the risk of failing to comply with rules or regulations, or the risk that you will experience fraud.

While risk appetite sounds good in theory, and establishes what the board and top management consider acceptable levels of risk, it has significant issues when it comes to practical application (i.e., influencing the day-to-day taking of risk).

I dedicate quite a few pages to the discussion of risk appetite and criteria in my new book, "World-Class Risk Management." Here are some excerpts:

"I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

'Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.'

One of the immediate problems is that it talks about an 'amount of risk.' As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as 'The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.'

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5 percent (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value....

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful — even if you could put a number on each of the risks individually?"

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

[Image: Marks example, a breakdown of a $10 million risk appetite across different forms of risk]

One Risk Appetite is Bad Math

How can an organization establish one risk appetite when it has multiple sources of risk?

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions about acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2M to $1.5M but my risk appetite remains at $10M, I can accept an increase in the risk of non-compliance from $1M to $1.5M. That is absurd.”

The first line is “non-compliance with applicable laws and regulations.” Setting a “risk appetite” for non-compliance may appear to indicate that the organization is willing to fail to comply with laws and regulations in order to make a profit. If this becomes public, expect a strong reaction from regulators and the organization’s reputation will (and deserves to) take a huge hit.

Setting a risk appetite for employee safety also poses a problem. There is no acceptable level of employee safety incidents — setting one may indicate a lack of appropriate concern for employees' (and others') safety.

"Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down."

This is key.

While risk appetites such as $1M for non-compliance or $1.5M for employee safety are problematic, setting the level of either at zero is unrealistic. The only way to ensure zero risk is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

Some express risk appetite in descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

While it may make an executive team feel good saying this, it accomplishes nothing.

Why? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

Compliance and Risk Appetite

If risk appetite doesn’t work for compliance, then what does?

Risk criteria (as described in ISO 31000:2009) are better suited to the task.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable and acceptable quality processes.

The regulators recognize that, when it comes to compliance, an organization can only establish and maintain reasonable processes, systems and organizational structures. Failures will happen, because organizations rely on humans — be they employees or partners. What matters is whether the organization takes what a reasonable person would believe are appropriate measures to ensure compliance.

Organizations should be able to establish measures (risk criteria) to confirm that processes are at that reasonable level and operating as desired.

Risk appetite tends to focus on levels of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business, and I don’t see risk appetite helping them do that.

Another problem arises when organizations set a single level for all compliance requirements. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

We have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels — the levels below which the cost of fighting fraud starts to exceed the resulting reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. As every store operator does, we experienced “shrink” — the theft of inventory by employees, customers and vendors. Though undesirable, shrink of 1.25 percent was deemed acceptable by the industry because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

Title image by Rachel Zack, Creative Commons Attribution 2.0 Generic License.