There is one paragraph in the COSO update that explains why complying with risk appetite statements can lead organizations to fail to take the right risks.
Yes.
I really mean that.
Of course, COSO ERM 2017 pushes organizations to establish “risk profiles” (a.k.a., lists of risks or risk registers) and their risk appetite.
But if you look carefully you will see one paragraph in the COSO update that explains why devotion to compliance with a risk appetite statement can lead an organization to fail to take the right risks.
“Organizations may … choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”
In other words, stay within risk appetite if it is the right thing to do. Don’t stay if that is the right thing to do.
It’s all about weighing all the potential consequences before acting – not just the potential for harm.
Of course, that is what all effective decision-makers do.
Of course, that is what risk practitioners should advocate!
Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.
So, what do we do instead?
Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.
Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.
Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.
Radical?
Sensible?
What do you think?
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
- A twist on risk appetite - September 21, 2022
- Upgrade to effective GRC - August 24, 2022
- Common sense on cybersecurity - July 20, 2022
