One of my blogs, at http://www.theiia.org/blogs/marks/, on the subject of risk appetite has led to some interesting discussions.
The new ISO 31000 standard on risk management lays out the argument for risk appetite. It says: “The risk management policy should clarify the organization’s objectives for and commitment to risk management and should specify … the organization’s risk appetite or risk aversion.”
The principle is sound: assess the level of risk, and if it is more than the organization’s risk appetite take action to reduce the risk level.
After dialogue with a number of experts and practitioners, I made the following suggestion:
Each organization has a multitude of risks (to its success) that need to be understood and managed. However, only a relatively few are of such significance that they merit board attention. Management and the board should work together to identify and approve the organization’s risk appetite for each of these more significant risks. These may be a grouping of related risks. The risk appetite/tolerance may be defined in either quantitative (e.g., for currency risk) or qualitative terms (e.g., for employee safety) – or a combination of both – depending on the nature of the risk. Management is then responsible for developing risk management processes to ensure the level of risk within the organization is managed within the approved levels. The board should understand those processes.
While the standards may discuss the board setting or approving risk appetite, in practice they approve levels for those risks (or groups of risk, where they are capable of being aggregated) that may be of a significance meriting their attention.
We should acknowledge a couple of things:
- There is a risk in deciding which risks are taken to the board. Board members have limited time and attention, so we have to be diligent about what they review and approve. 24 is at the upper end of what they can be expected to consume.
- When it comes to groups of risks, care must be taken with aggregation. For example, it is appropriate to aggregate risks related to customer default on accounts receivable – the total of default amounts is monitored against tolerance. However, when it comes to compliance risks (if there is a “compliance” grouping), each risk in the group may need to be monitored against tolerance individually.
As a next step, management should report to the board all risks, not just those above, where actual risk levels exceed approved tolerances above a specified threshold.