Carol Williams has written a thoughtful post, “Risk Appetite: Bridging The Gap Between Two Extremes” that I recommend reading. Carol is a believer in risk appetite, but I am not.
My primary argument is that leaders of the organization should be managing the business, not a list of potential harms.
Risk appetite focuses only on potential harms absent the context of whether they should be taken on business grounds.
What’s Wrong With Risk Appetite?
There are other problems with the concept, including:
- It’s of little value if it doesn’t affect decision-making.
- It is harmful if it leads to decisions that consider only the downside, not whether risks should be taken.
- Business conditions are changing all the time, so we need decisions made based on current and future conditions, not some static “statement” made in the past.
- It is impossible to establish a meaningful risk appetite, defined by COSO as the amount (whatever that is) of risk you are willing to accept in the pursuit of objectives, for risks like:
- The possibility of physical harm — even death — of personnel, or
- The possibility of non-compliance with applicable laws and regulations
- Risk appetite statements such as “we are risk averse” are meaningless. If you are risk-averse and want to minimize potential harms as much as possible, you should not be in business.
- It doesn’t help anybody know what risks to take.
- People aggregate disparate sources of risk to create a meaningless number. That helps nobody.
Carol quotes my good friend, John Fraser. John as usual makes a good point, that these statements can spark a discussion. Anything that gets people talking is, of course, healthy and desirable. But do they lead to informed and intelligent decisions?
I don’t deny that people need to know when there are limits on the risks they should be taking. (I prefer the idea of taking risk to the passive language of accepting it.)
But that can be done through risk limits and other meaningful policies, with specific numbers and guidance (such as requiring more senior managers to be involved in the decision) instead of attitude statements. It can also be done by making sure people know how to make decisions that weigh both the positive and negative potential effects of what might happen.
Related Article: How Do We Fix Risk Management?
A More Nuanced Approach to Risk Taking
Let’s take a moment to consider Carol’s argument that when people in management have different attitudes about risk-taking, there’s a problem. I don’t see it that way at all!
I don’t want my Sales and Finance leaders to have the same attitude about risk-taking. I want my sales team to be more imaginative and creative than my accounting folk. I am sure you do as well.
What is important is that when there is an important decision to be made, the right people are at the table with reliable information about what might happen. That can mean that the risk-taking EVP Sales and the risk-averse General Counsel are talking and listening to each other. Any risk appetite statement is unlikely to come up in discussion.
Here’s my bottom line: How can you make sure that people are making informed and intelligent decisions, taking the right level of the right risks, considering all the things that might happen?
If risk appetite factors into your solution to that mission, great. It would not at any of the companies where I worked.
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.