This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.
This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.
The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organization analytically measure different types of risk and then aggregate them in some meaningful way in order to compare the result to an established level? It is not illogical; it is simply not practical.
I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.
Risk is unpredictability. In some cases, you are willing to allow unpredictable results; in other cases, you are not. For instance, your culture may say that you’re willing to take on risk for product development, but you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish a single number to indicate how much risk currently exists across the organization, much less aggregate one across disparate objectives. Don’t bother – it’s a meaningless distraction.
Here’s a better idea. Think of risk appetite as a conversation about the extent to which management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, assure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPIs) for product development. These KPIs would, if defined correctly, encourage an appropriate level of risk-taking.
On the other hand, if you’re talking about management’s attitude toward product quality, assure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must assure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.
The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?
You can read more about Performance Risk Management at Risk Leader (rskldr.com).