First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Business / COSO ERM explains the flaw in risk appetite statements

By | 2 Minutes Read

COSO ERM explains the flaw in risk appetite statements

There is one paragraph in the COSO update that explains why complying with risk appetite statements can lead organizations to fail to take the right risks.
risk appetite statementsYes.
I really mean that.
Of course, COSO ERM 2017 pushes organizations to establish “risk profiles” (a.k.a., lists of risks or risk registers) and their risk appetite.
But if you look carefully you will see one paragraph in the COSO update that explains why devotion to compliance with a risk appetite statement can lead an organization to fail to take the right risks.

“Organizations may … choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”

In other words, stay within risk appetite if it is the right thing to do. Don’t stay if that is the right thing to do.
It’s all about weighing all the potential consequences before acting – not just the potential for harm.
Of course, that is what all effective decision-makers do.
Of course, that is what risk practitioners should advocate!
Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.
So, what do we do instead?
Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.
Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.
Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.
Radical?
Sensible?
What do you think?

Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Share with a friend or colleague

Learn the 10 essential HR policies in the time of COVID-19

Get the Latest Posts in your Inbox for Free!

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Footer

About us

Established in 1995, First Reference Inc. (known as La Référence in Quebec) provides Canadian organizations of any size with practical and authoritative resources to help ensure compliance.

Main Menu

Stay Connected