GRC Tuesdays: The Problem with Risk Appetite
It’s probably heresy for a risk management professional, but I simply do not accept the practicality of the concept of “risk appetite.” Sure, it’s conceptually appealing but in most cases it’s not useful for making risk acceptance decisions. At best it’s one factor and not the most important. It gets too much emphasis.
COSO’s new exposure draft of “Enterprise Risk Management: Aligning with Strategy and Performance” provides some good discussion and some palatable examples. But often risk appetite is expressed as the amount of money a company is willing to lose in pursuit of an objective. That’s the part I can’t accept. One example COSO offers is: “A credit union with a lower risk appetite for loan losses cascades this message into the business by setting a loan loss target of .25% of the overall loan portfolio.”
Where’s the “911” Button?
Why would a business accept a loan loss target of .25%? How can we decide if that is good or bad? I have seen software solutions that produce elaborate and large “expected loss” calculations for fraud or duplicate payment losses. Seeing them I think to myself, let’s add a “911” button or link. A crime must be in progress here. Call the police for goodness sake.
There is an answer of course. It makes perfect sense for a business to accept a loss in pursuit of an opportunity. But I have rarely seen an “opportunity appetite” definition or calculation.
It’s like setting a limit for the liabilities on a balance sheet without considering the underlying assets. Risk appetite is only half of the story.
I have been making the case for years that risk management practices must add value. How can we add value if we make decisions based by guessing at losses?
Doesn’t it make sense that business should understand both the cost and the opportunities they are seeking in pursuit of objectives? Shouldn’t the management of losses and opportunities be measured by performance? Could there be such a thing as performance appetite?
Measuring Performance Appetite
Some years ago as a financial manager in the oil and gas business, my operating vice president set out what I now consider a set of what I call performance appetite standards.
He stated he wanted us to find oil and gas reserves at a cost between $x and $y per barrel of reserves.
Why set a lower limit on the cost of finding and developing new reserves? Wouldn’t cheap reserves be good? The answer is no. Cheap finding and development costs are usually associated with heavy bituminous crude—expensive to produce, expensive to refine, and priced below other more expensive crude.
Why have an upper limit on acceptable finding and development cost? The reason is because higher finding and development costs are usually associated with exploration in higher risk frontier areas. The quality of the oil may be great, but time, cost, and risk in getting it to market is unacceptable.
In another case, one of my clients (an airline) set a performance appetite statement that went something like this—”85% of our flights must arrive within 15 minutes of scheduled arrival time.”
Pushing hard to achieve 100% arrival times bears unacceptable risk. Lower standards would incur costs to accommodate passengers who missed connections, perhaps increased fuel costs, and certainly unhappy customers and lower market share.
As for the bank that has a loan loss target of .25%, let’s translate that into a performance target. Making no loans at all will satisfy the risk appetite target. I don’t think that is the intent.
What’s the Answer?
COSO’s new exposure draft has some good discussion on the link between performance and risk. And it does recognize qualitative performance statements. My view is that risk appetite and performance are irreconcilably linked and can’t be looked at separately.
Risk management will not add or preserve value by focusing on risk appetite. Risk management must focus on value adding activities and must understand and support business performance.
I’d prefer to focus on performance appetite. A focus on risk appetite alone forced defensive thinking. Risk manage is about opportunity and performance.
I’m interested in your comments. Do you calculate risk appetite? Is it useful? Do you consider opportunities and business performance?
Join Us at SAPinsider GRC 2017
I’m looking forward to seeing you at SAPinsider GRC in Las Vegas in March. (Register now and save.) Hear our own SAP experts and customers suggest best practices and describe their case studies.