Recently, Chris Burt of Halex Consulting sent me a copy of a paper he had written, Feeling hungry? A simpler, more intelligent approach to risk appetite.
There’s a great deal to like in his approach:
- Your organisation is clear on its purpose and values, has a clearly-defined corporate strategy and has even set SMART strategic objectives for the executive. But how much risk should the organisation take in trying to achieve its objectives and deliver its strategy?
- Unfortunately, the generally accepted approach is to develop a board-level risk appetite statement. Such statements tend to be theoretical, static documents that jump through the hoops of addressing how much – or how little – of key types of risk the organisation is willing to accept or avoid.
- What about Board decision-making? Ideally, it should be informed by risk appetite. But how many boards consult their own risk appetite statement when considering major decisions, including changes to strategy? The answer is, unsurprisingly, very few. And the reason: board-level risk appetite statements tend to be difficult to understand and impractical to use in real-world decision-making situations.
- The key weakness of the current approach to risk appetite (including risk appetite frameworks derived from the Board’s risk appetite statement) is that it places undue emphasis on risks, rather than focusing on outcomes in decision-making.
- What this approach fails to recognise is that successfully achieving an objective relies not just on preventing bad things from happening (mitigating risks), but also on making good things happen. That is, taking active steps to deliver the objective. Current approaches to risk management tend to gloss over the importance of this activity, paying lip-service to exploiting ‘opportunities’ while focusing on lists of risks.
- The Board should clearly prioritise and set targets for certainty of achievement for each primary objective across a range of categories – such as strategic, operational, financial, compliance, CSR/ESG and viability. Those objectives most critical to the organisation – and thus requiring a very high certainty of achievement – should receive more Board attention and management resources than less important objectives.
- Current risk management thinking requiring definition of a risk appetite is flawed and unhelpful. A better approach is to focus on the certainty of achievement of objectives.
All of the above is, IMHO, 100% correct. It is very much in line with a new book I am finalizing that will be published (hopefully) before the end of the year. The working title is Risk Management for Success, and it talks about how organizations can change from using risk management to understand potential harms to using it to increase the likelihood of achieving objectives, i.e., success.
Unfortunately, I think Chris has not taken the argument to the next logical step. He stumbles instead.
He suggests that:
The organisation’s aim should be to increase the certainty of achieving its objectives through minimising residual risks to the point of residual risk/cost of control equilibrium and taking active steps to deliver the objective – i.e. ‘making good things happen’
While the cost of control is certainly something to consider, there are times (many, many times) when more risk should be taken because of the potential for increased reward. For example, organizations will introduce a new product to the market to drive new revenue even though they know that it is not 100% perfect. Waiting until it is perfect (which may never be achieved with certainty) may mean losing the opportunity. It is worth taking the risk.
Yes, organizations should seek to have an acceptable likelihood of achieving their objectives. That requires making informed and intelligent decisions and taking the right risks.
A better approach to risk appetite? Do what you need to comply with regulations and then run the organization for success.
I welcome your thoughts.
About the author: Norman D. Marks, CPA, CRMA. He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.