You're reading...


COSO on risk appetite – reaching for the ideal

COSO have also issued guidance on the ‘risk appetite’ to go along with that of the  IRM and other authorities.  I think it’s a good example of  how risk appetite would be dealt with in an ideal world.  By this I mean a world with two characteristics: you could decide how much risk you wanted to dial up and you would know (in some objective way) how much risk you are and will experience.  Since the world ain’t like that it comes across as naive, though well meaning and decently written.

COSO defines risk appetite as:

… the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value.  Each organisation pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

COSO cannot resist adding an admonishment into a definition, but otherwise this aligns reasonably well with the UK Corporate Governance Code requirement that

… the Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.

Both statements indeed give the impression that risk can be dialed up independently of reward, but apart from this quibble, they set out a well-defined task.  And COSO are able to take this forward in the form of a plan-do-review management loop, in this case Develop, Communicate and (Monitor and Update).  The executive summary – but not the main text – also addresses the ‘can it be done?’ question.  The response though is rather lame, “it would be good if we could, so let’s say, ‘Let’s get it done!’.”

The guidance does contain quit a number of examples.  But when the first one arrives it punctures the risk appetite idea straightaway.  A board purposely decides to bet the farm.  Fine but you don’t need to invent the cumbersome risk appetite concept for that.  Amusingly this case study contradicts the statement 2 inches up the page that the risk appetite should lie within the risk capacity.

At the centre of the guidance lies the risk appetite statement.  This is what is communicated.  It is supposed to be the mechanism whereby the top of the organisation ensures that the bottom operates in line with its wishes on risk nad does not create more risk that the organisation wishes to eat.  The risk appetite statement is pictured as

  • linked with objectives
  • being stated with sufficient precision
  • determining acceptable risk tolerances
  • facilitating alignment (of people processes and infrastructure)
  • facilitating the monitoring of risk.

The first point is the obvious one about your risk profile being related to the business you are in.  We deal with that in our article on risk appetite.  The second point is vacuous.  The fourth and fifth are just characteristics of our attempt to manage risk systematically.  The third point, about tolerances, is more interesting.

First, the guidance morphs seamlessly between tolerance and tolerances.  Risk tolerance is defined as

… the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.

This definition is stated in terms of  performance, not risk.  ‘Tolerance’ of risk of one sort or another is a characteristic of risk appetite guidance and I discuss its various meanings and implications in the main article.

More importantly, tolerance statements are the primary guide to ensure the level of risk is controlled.  However I have some difficulty in seeing how operating drones in an aerospace manufacturer would interpret the following:

  • ‘near zero’ risk tolerance for product defects
  • ‘low’ risk tolerance for sourcing products that fail to meet quality standards
  • ‘low, but not zero,’ risk tolerance for meeting customer orders on time and a ‘very low’ tolerance for failing to meet demands within x number of days (yes you can just see that x making it into the final document)
  • ‘high’ risk tolerance for potential failure in pursuing research ….

Or to come to something more quantitative, this time for a university:

  • the university does not expect any decrease in the nature, quality, or number of publications related to the research mission
  • student teaching evaluations should not decline by more than 5%.

Let’s be clear: these are not risk measures; they are not even risk indicators; they are just performance measures.  However there are a couple of real risk tolerances:

  •  while we expect a return of 18% on this investment, we are not willing to take more than a 25%  chance that the investment leads to a loss of more than 50% of our existing capital
  • we will not expect more than a 5% risk that a new line of business will reduce our operating earnings by more than 5% over the next 10 years.

These look pretty strategic to me and do not reflect more than a quantification of the risk appetite.

The guidance ambles through unexceptionable motherhood guff as it deals with the cycle steps of developing, communicating, monitoring and updating and the respective roles.  In many ways it’s not a bad document.  But in accepting and promoting the flawed risk appetite concept it is likely to create a further barrier to improving our understanding and practices in organisational risk taking.

Print Friendly