The essence of risk appetite

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.

The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organization analytically measure different types of risks and then aggregate them in some meaningful way in order to compare to an established level? It is not illogical, it is simply not practical.

I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.

Risk is unpredictability. In some cases, you are willing to allow unpredictable results. In other cases you are not. For instance, your culture may say that you’re willing to take on risk for product development. But you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish, much less aggregate across disparate objectives, a single number to indicate how much risk currently exists across the organization. Don’t bother – it’s a meaningless distraction.

Here’s a better idea. Think of risk appetite as a conversation about the extent that management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, assure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPI) for product development. These KPI would, if defined correctly, encourage an appropriate level of risk-taking.

On the other hand, if you’re talking about management’s attitude toward product quality, assure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must assure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.

The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?

You can read more about Performance Risk Management at Risk Leader (


The essence of a risk management framework

In an earlier post I described risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable.

A risk management framework is a systematic way of approaching those activities. I see four main parts to an effective risk management framework:

  1. A common language. It’s important to share ideas, not just words. The words must mean the same thing to everyone; otherwise you’re sharing the words but not the underlying concepts. For example, when you use the word “risk” what do you mean? Are you referring to the concept of uncertainty or does your organization prefer to speak solely about specific risk events?
  2. A primary focus. A good framework can be adapted for a number of purposes, but it typically exists for one primary reason. My personal experience tells me that the highest and best purpose for a risk management framework is to help an organization achieve its goals in a more predictable manner. There are certain attributes of any good framework (see below) that will make it adaptable for a variety of purposes – but every framework must target a specific benefit. For me it’s the achievement of organizational goals.
  3. Abstraction. In order to make a risk management framework broadly applicable you need rules that describe which ideas are fundamentally similar and which are not. For example, your organization may traditionally use the terms “strategy” and “process” in different ways. However, for purposes of a risk framework it may be valuable to abstract these and treat them the same because they both describe the action that will be taken to accomplish some goal. In the case of “strategy”, it may be primarily a high level plan that mostly consists of delegating to others. In the case of “process” it may be a specific activity that a single person will perform. But from an abstract view, they both represent how you will achieve a goal.
  4. Breadth and depth. A framework needs to be a road map. It should be sufficiently broad that the big picture is easily seen. But it also needs to be supported by sufficient depth and insight so that it can help us understand and take action in a detailed, complex, and often confusing real world. For example, it’s not good enough for a framework to simply define a term like “risk tolerance”. It also needs to sufficiently describe how this concept provides value in the real world to a CFO, a regional sales manager, or a production supervisor.

As I continue with these ‘essence of risk management’ posts I will share the components of a practical risk management framework. These future posts will include my recommendations for common language, abstraction, and depth in order to help everyone use this practical management tool.

You can read more about Performance Risk Management at Risk Leader (


The essence of risk management

This is the first in a series of posts that attempt to get to the essence of risk management. I’ll touch on various topics as they occur to me. Some of these posts will be on broader topics like this one. Others will be on very specific points that help you implement these concepts. As time goes on I hope to amass a series of short thought-pieces that help bring together a rather complicated subject.

The key word, of course, is “risk”. Risk is a synonym for uncertainty. It’s unpredictability. Risk is the uncertainty of whether you’ll safely cross a busy street. Risk is the uncertainty of your body’s reaction to medication. Risk is the uncertainty of investing your money and getting the hoped-for return. Risk is the uncertainty of a strategic initiative delivering the expected results. Risk is the uncertainty of your town’s first responders arriving at a fire in time to prevent a catastrophe. Risk is the uncertainty of your sports team winning today.

This topic – the first one – is on risk management in general. Let’s start with the big question. What is risk management?

To answer that question, I will first avoid recapping all of the authoritative descriptions. Many of the definitions and explanations lead to over-complication. I prefer to keep it simple. As a business person, my point of reference is always centered around organizational results. In that context, risk management is very simple. It is the group of organizational activities that try to improve results by making the unpredictable a little more predictable. It’s that simple.

Managing risk is simply taking steps to make each goal a little more certain. Whether it’s crossing a busy street, taking medication, or any of the other examples mentioned above – risk management consists of those activities that eliminate uncertainty to help you get what you want and avoid what you don’t want.

With this understanding of risk at its simplest and most fundamental level, I will explore the essence of specific parts of risk management in future posts.

Continuous Auditing – is it really “auditing”?

Thomson Reuters’ magazine “Internal Auditing” has an article in their current January/February edition called “The Value-Added Significance of Continuous Auditing”. This is my rant because I continue to chafe at the concept of continuous auditing.

Let me preface this by saying that I am not an expert on continuous auditing. Quite the opposite. I’ve been reading about it for years but have never found its basic premise to be sufficiently compelling to encourage me to develop any expertise.

Now, on its face, there is clear logic for reviewing controls more frequently rather than less frequently. But every time I imagine which controls I could actually review by continuous auditing, I stumble. I first imagine detailed reviews of “exception conditions” that might be highlighted through automation. But in my book, that’s the role of management, not internal audit. Maybe it’s just semantics, but I can’t really conceive of anything that I would audit on a continuous basis. I go back to the assertion that continuous monitoring of a process is management’s role, not audit’s.

Audit’s role, in my view, is to stand apart from the process. To second-guess. To avoid getting caught up in execution of individual transactions and focus on the big picture – asking questions like “What is this function trying to accomplish? What are the risks? How is management monitoring and mitigating those risks? Is management’s monitoring process sufficient, efficient and effective?”

The article that I mentioned at the top of this post asserts a difference between continuous monitoring and continuous auditing. I can accept their assertion that management is responsible for continuous monitoring. But their further implication is that continuous auditing is similar to a quality control function by assuring that management’s continuous monitoring is taking place. I don’t think that this definition of continuous auditing is a universal concept. I don’t feel that my profession and my experience are in any way aligned with quality control monitoring. It seems that this view simply doesn’t align with the words “continuous auditing”.

So I’m back to my starting point. Continuous auditing is so fuzzy that it is, to me, unusable – yet it keeps getting discussed in the literature as a critical leap forward for internal audit.

What am I missing?

Performance Risk Management for Auditors

This article was published in Thomson Reuters’ Internal Auditing in May/June, 2013 …


Charles D. Schrock, CPA, CIA, CRMA
Senior Vice President
Inland Bank and Trust, Oak Brook, IL

Daniel J. Gaffney, CPA, CFF, CIA, CISA
Daniel Gaffney & Associates LLC, Chicago, IL

Auditors understand the fundamental value of risk management. Although ‘formal’ risk management may not be our day-to-day job, it’s always a part of what we do. That’s probably true for your executive management team also. We know that Audit Committees are vitally interested in risk management, even if they don’t know precisely what it is.

According to the 2011 Annual Corporate Director Survey issued by PricewaterhouseCoopers, LLP, risk management remains at the top of the list of stakeholder concerns. Only 19% of directors measured their board as very effective at monitoring a risk management plan that mitigates corporate exposure. In an effort to enhance this performance, 57% of respondents reported they would like to increase their focus on risk.

Survey findings from our latest KPMG Roundtable Series in more than 25 cities are telling: Only 39 percent of the 1,200-plus directors and senior management polled during the series said they are satisfied that their company’s governance activities are appropriately focused on the greatest risks to the company’s reputation and brand. Less than a quarter said they are satisfied that key governance activities are aligned with the company’s risk hot spots, and that the company’s governance activities are integrated into the strategy and add “real value” beyond simple compliance.

As highlighted by the conference dialogue, internal audit can be most effective when focused on the critical risks to the business, including operational risks and related controls. Among the keys to fully leveraging internal audit:

  1. Challenging internal audit to take the lead in coordinating with other governance, risk, and compliance functions within the organization to limit duplication in coverage and, more importantly, to prevent gaps
  2. Maintaining a direct, open line of communication between internal audit and the audit committee
  3. Ensuring that internal audit has the resources, skills, and stature within the organization to succeed

Organizations want to manage risks. They want internal audit to be a part of the risk management process. The most common sources of guidance for risk management come from COSO and ISO. While both of these sources are strong on theory, they tend to fall short on practical guidance for implementing risk management. They provide even less guidance to us, as auditors, as we try to use risk management as a tool for our own purposes.

Performance Risk Management (PRM) is a new approach to risk management. It was developed in order to bridge the gap between theory and implementation. PRM is based on the sound fundamental ideas within the COSO and ISO models. PRM brings ERM into the real world. It aligns ERM with the way that organizations truly function.

Performance Risk Management is a process for addressing risk in a straight-forward and practical way that works for both management and auditors. As auditors, we can use Performance Risk Management to develop the audit plan, the audit program, and the audit steps. By using risk management as a foundation for our own activities, we can help our organizations start to develop a risk management emphasis that our boards of directors want. Additionally, we can serve as a force for change within our organizations as the expert advisors to help implement practical risk management more broadly.

Performance Risk Management was developed as a tool for management. However, it also helps auditors in three ways:

  1. It helps auditors discuss objectives and risks in ways that are relevant to auditees, executives, and Audit Committee members;
  2. It helps auditors set high level audit plans and budgets by identifying what’s important to the organization and, accordingly, what areas most need assurance from internal audit; and
  3. It helps auditors design better low-level tests because it requires auditors to focus on specific risks within a particular process.

Before going further, it’s important to identify the three foundational ideas that make Performance Risk Management unique. It will then be easier to discuss in greater detail how it helps us as auditors.

  1. Objectives, not risks, are the most fundamental component of PRM.
  2. Each person in the organization ‘owns’ one or more of these objectives.
  3. Risks exist within the context of people trying to accomplish their objectives.

These foundational ideas help us, as auditors, in the following ways:

First, PRM provides a very straight-forward entry point for incorporating risk management into your audit activities. Without PRM, simply getting started with risk management can require a large top-down project to brainstorm and identify risks. PRM, on the other hand, does not require a global organizational initiative. It can be used in a focused way to understand the risks within a specific area. Because PRM focuses on objectives that are owned by a specific individual, you can choose which individual (and his/her objectives) you want to address. If, for example, you want to perform an audit of your Regional Accounts Payable function, you can begin by using PRM to focus on the objectives of the Regional Accounts Payable Manager.

Second, as auditors we want to assure that we are spending our time (and our audit budget) in the best possible ways. PRM supports this. As the Regional Accounts Payable Manager’s objectives are identified, PRM incorporates the idea of assigning an impact level (i.e., a rating) to each objective. In our example, after a little prompting, the Regional Accounts Payable Manager might tell you that her objectives are: i) paying the right vendors, ii) paying the right amount, iii) posting expenses to the right general ledger account, iv) paying within the right time frames, v) preparing management summary reports of accounts payable operations, and, because she recently received a memo from HR as a reminder to all managers, vi) assuring that all human resource policies are fairly applied to her employees.

Each of these objectives may not be equally critical to the Regional Accounts Payable Manager, or the organization overall. The assignment of an impact level can help. PRM suggests assigning a factor (1 to 10, with 10 as most critical) to each objective. Together, the auditor and the AP manager might assign the following tentative values:

i) paying the right vendors – 6 (if you pay the wrong vendor, the money may be gone forever; however, the amounts involved won’t break the company)

ii) paying the right amount – 5 (not so critical – the company can typically make adjustments with a vendor later)

iii) posting to the right general ledger account – 4 (again, not so critical; the AP clerk can only post to a certain subset of general ledger accounts)

iv) paying in the right time frames – 6 (if not done in the right time frames, there may be a minor impact on either cash flow or discounts taken)

v) preparing management summary reports – ?? (as auditors, we may not be sure – how is this report used by senior management?)

vi) application of human resource policies – ?? (we know it’s important, but how important is it among this manager’s responsibilities?)

Understanding this relative ranking of the auditee’s objectives can help the auditor focus the audit on the more critical activities. What’s interesting is that this specific exercise yields two initial uncertainties that may need to be discussed with more senior people. Let’s consider the management summary reports. Unless we go through an exercise like this, the management summary reports may seem like an insignificant component of this person’s day-to-day activities. And that may be true. But, after discussing this with more senior executives, the auditor may learn that these reports are forming the basis for a major strategic vendor pricing initiative. Incorrect data could cost the organization millions of dollars. If the auditor fails to specifically consider each task or objective owned by this Regional Accounts Payable Manager, he might miss the single most important activity that he needs to review. And, perhaps even more important, the Regional Accounts Payable Manager will now have a better understanding of the importance of this task.

Third, as auditors we need to design and execute audit tests. PRM helps with this as well. From the prior step, we can determine what general areas should be the focus of our audit testing. Now, we can formulate specific tests. Part of the PRM process is to identify specific real-world risks that may be associated with these objectives. We can do this through several techniques.

First, we should simply ask the manager “what can go wrong when you are determining who to pay?” We typically get very solid answers like “The approved invoice copy that I receive is sometimes unclear on the ultimate payee.” Of course, as auditors, we follow up with the question “if you’re uncertain, or if there is an error in the named payee, how would you catch that?” and “how often does that occur?” The goal is to understand what the risks might be and how likely they are to occur.

The second way that we can identify risks is to use standard frameworks, if such frameworks exist for the area under review. Examples of a framework might be the COBIT or ITIL frameworks within the information technology realm. Another helpful source of information might be existing internal control questionnaires. As auditors, we should not use these documents to simply take someone else’s list of risks. Instead, we use these frameworks and questionnaires to help assure that we remember to discuss major areas where risks might lurk.

Finally, the third way to identify risks is to simply consider the typical high-level categories. We should ask our auditees “are there any risks that might impact financial reporting? compliance? the company’s reputation? what about internal or external fraud? etc.” Again, the goal is to assure that we haven’t inadvertently skipped over entire categories of risk.

Once we have a reasonable list of real-world risks and identified their likelihood of impacting the success of the associated objective, we can determine how best to test. As auditors, we have training, experience and professional guidance to help us design tests. What PRM provides is a clearly documented rationale behind which risks are worthy of our testing.

In Summary

This article begins to touch on the value that Performance Risk Management can bring to an organization and, more specifically, to internal auditors. The main benefits to us, as internal auditors, are:

  1. We are speaking with the auditees in ways that are relevant to their day-to-day activities. We build rapport when we can step away from “auditor-speak” and talk about what is really happening in their department.
  2. We have a systematic process (and associated documentation) to support our audit program and specific audit tests.
  3. Audit recommendations are linked to specific risks which, in turn, are tied to specific (and agreed upon) objectives that exist within the audited area.

But there is one more benefit that demonstrates the value that internal audit can provide. You can become a model for organizational improvement. Through your use of PRM you are demonstrating the value that a straight-forward implementation of risk management can bring. Through your experience, you can help articulate the benefits of risk management as part of the organization’s overall risk management environment.

This article has described only some of the benefits of PRM. Additional benefits accrue when you add other well-integrated concepts such as Key Performance Indicators (KPI), Key Risk Indicators (KRI), risk assessments, and clear linking of individual objectives to higher level strategies. You can read more about Performance Risk Management at

© 2013 Thomson Reuters/RIA. All rights reserved.

A practical approach to reputation risk

Every organization has some desirable public image. Does it want to be perceived as environmentally sound? Family friendly? Political activist? A ‘high roller’? Cutting edge? Traditional? Or, perhaps it simply wants anonymity in the public eye. Reputation risk results from strategies or actions that conflict with the desired public image.

Rather than wait for reputation risk issues to arise, it is important to be proactive. Let’s take a step back. Organizations are constantly developing strategies at all levels. Whenever someone is assigned a new task or objective, a strategy needs to be developed to accomplish it. The process of selecting or creating a new strategy can include the evaluation of whether that strategy is consistent with the organization’s public image.

In risk management, I use the term “risk attitude” to describe which strategies management would, or would not, feel comfortable with. A “low risk” attitude indicates that management expects assurance that the proper results will be achieved. A “high risk” attitude indicates that management is willing to take its chances and would be comfortable with a strategy that might deliver results ranging anywhere from wild success to total failure. Neither is necessarily good or bad and can vary not only from one objective to the next, but also with different components of a single objective. It’s possible, for instance, to develop a desirable strategy that is high risk in some areas (e.g. financial returns) while low risk in others (e.g. worker safety). But nearly every organization wants very low risk when it comes to protecting its public image. If that’s the case, then it’s reasonable to have a specific question that needs to be answered as part of every new strategy — is it consistent with our public image?

Of course, this assumes one very critical component. The organization needs to define and be able to describe its preferred public image. If that’s not the case, then reputation risk is increased simply because it may be unclear what to embrace or avoid during strategy development. If employees don’t know that the organization is cultivating a worker-friendly image, then a cost reduction initiative may include a strategy that includes massive worker layoffs.

That’s the first part — making sure that the organization understands how to develop appropriate strategies that will, at least initially, be consistent with your public image.

There is another part. An organization needs to be generally perceived as trustworthy and competent. For example, while an organization may not be explicitly cultivating a public reputation for good customer service, excessively poor customer service will still create a public image problem. The same would be true for any normal business activity if it is executed poorly to the level where the public perceives the organization as being incompetent. Even something as mundane as an inability to pay its bills accurately could grow to the extent that it creates a public perception of incompetence.

To avoid this, an organization also needs a general performance and risk management environment where expected performance levels are defined. Performance levels that don’t meet reasonable expectations need to be elevated to management long before such “incompetence” becomes a subject of public discussion.

Please share some stories about how your organization is addressing reputation risk.

COSO 2013 moves in the right direction

Many organizations base their Sarbanes-Oxley (SOX) documentation on COSO’s Internal Control – Integrated Framework. This publication was originally issued in 1992 and significantly updated in 2013. In the next year these organizations must update their financial reporting internal control documentation and testing to match the newly updated framework.

This major update adds 17 newly articulated principles which support the 5 already-existing components of internal control. These new principles must all be present, functioning, and working together in order to achieve an effective system of internal controls.

In my view, an organization cannot accomplish 12 of these 17 new principles without a functioning performance and risk management environment. That’s a good thing – it seems that COSO is now heading in the right direction. Internal control isn’t simply about having a certain set of control processes. It’s about having an environment that assures an organization is meeting its performance and control objectives.

Having an effective performance and risk environment is a little bit like having a good exercise program. Everyone knows that it’s a good idea. Sometimes we’re too lazy to do what we know we should do. But there is no doubt, once it’s in place, that we’re far better off because of it.

It’s time to think of COSO 2013 like a doctor’s “wake up” call. Let’s stop paying lip service to managing risk and performance; let’s actually do it. The group at Risk Leader ( has a new approach that links risk management with performance management. They call it, not so surprisingly, Performance Risk Management and their idea is that risk management is not a separate stand-alone activity. It has a clear and distinct purpose as part of an organization’s normal management activities — to help an organization achieve its objectives better, faster, and more completely. It seems to me that a system like this solves two issues for COSO 2013:

  1. It is a risk and performance environment that, by its very existence, directly supports the organization’s ability to meet 12 of the new principles relating to organizational performance and risk management, and
  2. Because it is a risk and performance environment, it can be used to identify, assess, and monitor financial reporting risk.

So is this (or something like it) the way to go for COSO 2013? I think that the accounting and investing communities expect an organization to have a real performance and risk management environment in place. COSO 2013 is merely reflecting this. Good job.