What is risk appetite? COSO defines it as the “amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”
Before analyzing that nebulous statement, it is useful to consider why we are even thinking about risk appetite statements. Basically, regulators and board members influenced by them want to prevent management from taking too much risk.
By that, I mean acting or failing to act in a way that puts the success, even the viability, of the organization in peril for no good reason and without the approval of the owners of the organization: the shareholders. In addition, these days it is recognized that the failure of an organization can affect others, including customers, creditors and the community.
Ergo, the concept of risk appetite.
What Did We Do Before Risk Appetite?
The concept has been broadly accepted in the financial services sector and is required by banking and insurance regulators. But is it necessary and useful to come up with “an amount of risk that the organization is willing to accept”?
What did organizations do before there was talk about risk appetite? What do many still do in the absence of a risk appetite statement? Do they let management run wild, taking all the risk they think would help their results and get them significant bonuses — while putting the organization in peril?
No. There are limits and policies that constrain management actions everywhere.
- Limits on spending (budgets) and purchasing (purchase orders)
- Limits on the granting of credit
- Limits on the approval of discounts
- Limits on the approval and signing of contracts and commitments, both purchase and sale
- Trading limits
- Approval requirements for the granting of system access rights
- Health and safety policies
- Ethics policies
- Information security policies and standards
- Hiring policies
- Policies around the sale by management of the company’s shares
- Limits on the number or value of assets held by the company (such as insurance policies, mortgages, inventory at specific locations, etc.)
- And so on
Related Article: Revisiting the Concept of Risk Appetite
Do Risk Appetite Statements Provide Value?
Some have developed risk appetite statements that attempt to come up with a single number or value for all the sources of risk facing the organization. They seem to believe that they can aggregate disparate sources of risk, such as credit risk, operational risk, cyber risk and so on.
I don’t think that is logically (or mathematically) sound.
Some have risk appetite statements (and previous COSO guidance has examples) that say things like “the company has a low tolerance for compliance risk.”
It is interesting that the COSO document I wrote about in May 2020 seems to think this has meaning and value:
Echo Relief, a service organization to help people through disasters, will pursue new programs that enhance the delivery of services to those in need within our financial ability. We will accept moderate risk to the safety of staff and volunteers as we respond to disasters. In order to maintain good stewardship of donor funds, we have a low appetite for risks related to misuse of funds.
I don’t think that adds more than lipstick value. It won’t affect any decisions.
So what does make sense?
Related Article: How Do We Fix Risk Management?
Risk Appetite as Guidance, Not a Numbers Exercise
If I were a CRO today (I retired from that wonderful position several years ago) I would consider developing a risk appetite statement of a different kind — even if I were in an organization bound by related regulations.
Its purpose would be twofold:
- To explain how management is guided to take the right risks, neither too much nor too little.
- To ensure there is sufficient guidance for decisions made by management (and the board as needed). (Every decision involves taking risk.)
I would certainly not try to come up with a single value for risk appetite, nor would I attempt to come up with single numbers for different types of “risk.” I would also avoid flim-flam language that is not actionable, such as “we have a low appetite” for this or that.
How can you ever say that having a low or even no appetite for compliance or safety failures is meaningful? It is impossible to have a zero likelihood of a failure in either area.
My idea of a risk appetite statement would take each area of risk and reference how management is guided when it comes to taking it. The document would explain what policies, procedures and standards apply and whether there are specific limits. I would include how exceptions are handled.
In some cases, there will be specific limits, such as in the granting of credit. In other cases, such as employee safety, management judgment will be guided by related policies, etc.
It is essential, as COSO recognizes, that management be able to take the right risk when warranted — making informed and intelligent decisions.
Also recognized by COSO, limits (even those they refer to as risk appetite) should be exceeded when the business need or reward justifies it. A rigid limit has the effect of limiting success.
Risk Appetite Statements That Mean Something
If risk management is to be meaningful, it needs to deliver actionable information to help people make informed and intelligent decisions — and take the right level of the right risks.
If you have a risk appetite statement or are developing one, don’t do it to comply with the regulations.
Do it so it means something!
Or, reconsider and focus instead on helping leaders make the right decisions.
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.