Whether you are one of those who like the term ‘risk appetite’, prefer ‘risk tolerance’, or advocate (as I do) the ISO 31000:2009 term ‘risk criteria’, this is a tough area. While regulators frequently (including Basel III and multiple nations’ corporate governance codes) require organizations to establish one, I have yet to see something that really works.
While it may be possible to establish acceptable risk levels or criteria for aggregated financial risks, how do you set such standards for reputation, strategic, compliance, political, or IT-related risks? How do you establish and then measure aggregate reputation or compliance risk across the organization?
I have seen some companies set a single number, say 3% of capital, as their “risk appetite”, but how can that make sense when you are considering compliance risk? How does it help a procurement manager decide whether to use a sole source vendor of essential components, to use two and allocate each 50% of the supply, or take another approach? Surely, (a) no organization can rely on a single “risk appetite” number: you need several, each covering a different category of risk; and, (b) what counts is the ability to direct risk-takers (frontline managers) in their daily decisions as they run the business.
Attempts to solve the problem have come from:
- COSO, in a paper by Dr. Larry Rittenberg and Frank Martens
- The Institute of Risk Management, in guidance authored by Richard Anderson
- RIMS, in a paper offered for $59
- Ernst & Young
- And more
Although each has value, none have so far met my test, which I have summarized below.
To be effective, an organization needs measures (whatever you want to call them) that allow:
- The board and top management to ensure that the risks taken across the organization, individually and in aggregate, are the risks they want taken. This is extraordinarily difficult when you consider the risk decisions that are taken every day as part of running the business and how they interact, with a decision in one area affecting risks and opportunities in a distant part of the organization, plus how they need to be aggregated to provide risk vision across the entire enterprise.
- Managers making decisions to understand not only the risks they are taking (and modifying), but whether they are the risks top management and the board want them to take. The issue here is applying top-level “risk appetite statements” to individual decisions. If this bridge cannot be crossed, then the entire exercise has limited value – other than cosmetically.
That’s the key for me. If there is no practical guidance for the frontline manager, this is all a chimera: a look-good, check-the-box practice that does not have any real effect on how risk is being managed across the organization.
What do you think?