- Clouds of Vagueness - http://riskagenda.com/cv -
COSO on risk appetite – reaching for the ideal
Posted By Andy Garlick On 20 November 2012 @ 18:11 In Reviews
[1]COSO have also issued guidance on the ‘risk appetite’ to go along with that of the IRM and other authorities. I think it’s a good example of how risk appetite would be dealt with in an ideal world. By this I mean a world with two characteristics: you could decide how much risk you wanted to dial up and you would know (in some objective way) how much risk you are experiencing and will experience. Since the world ain’t like that it comes across as naive, though well meaning and decently written.
COSO defines risk appetite as:
… the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value. Each organisation pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.
COSO cannot resist adding an admonishment into a definition, but otherwise this aligns reasonably well with the UK Corporate Governance Code requirement that
… the Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.
Both statements indeed give the impression that risk can be dialed up independently of reward, but apart from this quibble, they set out a well-defined task. And COSO are able to take this forward in the form of a plan-do-review management loop, in this case Develop, Communicate and (Monitor and Update). The executive summary – but not the main text – also addresses the ‘can it be done?’ question. The response though is rather lame, “it would be good if we could, so let’s say, ‘Let’s get it done!’.”
The guidance does contain quite a number of examples. But when the first one arrives it punctures the risk appetite idea straightaway. A board purposely decides to bet the farm. Fine, but you don’t need to invent the cumbersome risk appetite concept for that. Amusingly this case study contradicts the statement 2 inches up the page that the risk appetite should lie within the risk capacity.
At the centre of the guidance lies the risk appetite statement. This is what is communicated. It is supposed to be the mechanism whereby the top of the organisation ensures that the bottom operates in line with its wishes on risk and does not create more risk than the organisation wishes to eat. The risk appetite statement is pictured as
The first point is the obvious one about your risk profile being related to the business you are in. We deal with that in our article on risk appetite. The second point is vacuous. The fourth and fifth are just characteristics of our attempt to manage risk systematically. The third point, about tolerances, is more interesting.
First, the guidance morphs seamlessly between tolerance and tolerances. Risk tolerance is defined as
… the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
This definition is stated in terms of performance, not risk. ‘Tolerance’ of risk of one sort or another is a characteristic of risk appetite guidance and I discuss its various meanings and implications in the main article.
More importantly, tolerance statements are the primary guide to ensure the level of risk is controlled. However I have some difficulty in seeing how operating drones in an aerospace manufacturer would interpret the following:
Or to come to something more quantitative, this time for a university:
Let’s be clear: these are not risk measures; they are not even risk indicators; they are just performance measures. However there are a couple of real risk tolerances:
These look pretty strategic to me and do not reflect more than a quantification of the risk appetite.
The guidance ambles through unexceptionable motherhood guff as it deals with the cycle steps of developing, communicating, monitoring and updating and the respective roles. In many ways it’s not a bad document. But in accepting and promoting the flawed risk appetite concept it is likely to create a further barrier to improving our understanding and practices in organisational risk taking.
Article printed from Clouds of Vagueness: http://riskagenda.com/cv
URL to article: http://riskagenda.com/cv/?p=130
URLs in this post:
[1] Image: http://riskagenda.com/cv/wp-content/uploads/2012/11/COSO.gif
Copyright © 2012 Clouds of Vagueness. All rights reserved.