Risk Appetite & Common Sense
Key Takeaways
- Risk Appetite is Overly Simplistic: The traditional concept of risk appetite, expressed as a single number, fails to capture the complexity and nuances of real-world risk, which includes a wide variety of factors like employee safety, regulatory compliance, and market volatility.
- Static Risk Appetite is Not Practical: Defining a fixed "risk appetite" and expecting organizations to stay within it doesn’t reflect the dynamic nature of risk or the changing priorities and circumstances businesses face.
- Focus on Achieving Objectives, Not Risk Limits: Instead of focusing on a vague "amount of risk," organizations should assess risks based on how they impact the likelihood of achieving their objectives, ensuring decisions are driven by goals rather than abstract risk thresholds.
- Risk Should Be Considered in Context: Context and the potential for reward should influence how risk is approached. Risk appetite should not be a static measure; rather, it should evolve with the changing business environment and objectives.
- A New Approach to Risk Management: Rather than focusing on limiting risk, a more practical approach would be to ensure reasonable assurance that business decisions align with strategic goals while avoiding unnecessary and unjustified risk-taking.
Deep Dive
In this article, Norman Marks examines the concept of "risk appetite," challenging its validity and questioning its role in decision-making. Drawing on personal experience and real-world examples, Marks argues that the traditional approach to defining and managing risk is overly simplistic and fails to capture the complexity of real-world risk. He critiques the common practice of quantifying risk as a single number and suggests that a more dynamic, objective-driven approach is needed. Rather than focusing on a static "risk appetite," Marks proposes that organizations should consider the likelihood of achieving their objectives, treating risk as one factor in the decision-making process.
The Case Against Static Risk Appetite
I like to think I have common sense. If I read or am told something, I question it. Does it make sense? I did just that when I read this, more than twenty years ago, in COSO’s ERM Framework: “Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”
I didn’t then, and still don’t, understand how you can have an “amount” of risk. How does that make sense? When it adds “on a broad level,” it implies you can quantify and aggregate, producing a single number (usually expressed in monetary terms) for very different and unrelated sources of risk.
For example, it can include risks pertaining to the safety of employees, compliance with applicable laws and regulations, currency fluctuations, ethical conduct, information security, product safety, physical security, energy supply, the actions of third (and fourth) parties, the supply chain, competitor actions, changes in import and other taxes, the economy, natural disasters, the hiring and retention of key employees, employee morale, the advent and adoption of new technology, the reliability of current technology, and many more. I don’t think it is common sense to express the totality of risk as a single number—a value.
Some risk experts tell me that you have different risk appetites for each of the above. I’m not sure that makes much common sense either, as making decisions based on a single source of risk doesn’t seem that sensible to me! Consider how financial institutions are expressing their “risk appetite,” presumably to comply with regulations. In their filings, they say things like, “We have no tolerance for …” and “We have a modest appetite for …” How do vacuous statements like this influence, let alone change, a business decision? How can a decision-maker understand how one of these applies to them and the situation they are faced with? I don’t see the common sense in this.
I prefer to talk about “the big picture,” the “totality of risk” (what might happen) that is relevant to the decision being considered. But I recognize that the level of any source of risk is a distribution and prefer to “value” them in terms of how they might affect the likelihood of achieving (or exceeding) one or more objectives. I don’t talk about an “amount of risk.” I talk about whether there is an acceptable likelihood of achieving enterprise objectives.
I did some consulting work for a nonprofit that sends employees and others into war zones. The chair of the audit committee wanted to know what the risk appetite should be and whether it was being exceeded. I was unable to persuade him that such an idea, such a question, made no sense. How do you aggregate the possibilities that one or more of your people will lose their lives in Gaza, Yemen, Sudan, etc.? Then add to that the possibility that the food and other supplies you are trying to provide are stolen or simply prevented from reaching their destination. How would any risk appetite statement change whether you will send more people to one of these war zones or when you should pull them out and stop giving aid?
Maybe I was wrong, as he was persistent and an experienced and successful executive. But I think he was regurgitating what he had read without digesting and understanding what he was saying.
The phrase “in pursuit of objectives” isn’t bad. I prefer to talk about achieving or exceeding objectives rather than pursuing them. I think that makes more sense. Risk is about the effect on objectives (ISO 31000)—affecting the likelihood of achieving them.
People talk about making sure you stay within your risk appetite. They act as if it’s a static number, passed down to decision-makers by the gods of the board and top management. I also question the common sense of that. Where is the concept of risk and reward? Where is the idea that you take risk for a reason?
Does your appetite for risk change when:
- You can earn $50 by betting $50.
- You can earn $100 by betting $50.
- You can earn a million dollars by betting $50.
- You can earn a billion dollars by betting $50.
The likelihood of getting nothing—losing the $50—may change because more people are betting. But your decision whether to make the bet is going to be heavily influenced by the possibility of reward.
Here’s another example. Does your appetite for risking your safety by running across a busy road change in these circumstances?
- You would get to work five minutes earlier.
- You see an old friend on the other side that you want to talk to but can’t get his attention from where you are.
- Your friend has fallen down and is asking for help.
- Your friend has been shot and needs your help.
- Your child is on the other side. She has fallen down, and you can’t see why.
- The building behind you is starting to fall down.
Does your appetite for taking risk change?
How about this? You win the lottery and $100 million (after tax) is deposited in your account. Does that change your appetite for taking monetary risks like lending $10,000 to a cousin? I don’t think risk appetite should be static. Your appetite for risk changes, or should change, all the time. As conditions change, your priorities may change, the potential rewards can change, and your willingness to take risk should change.
My common sense says that staying within a static risk appetite number doesn’t make sense. But taking the right level of the right risk(s) to achieve an acceptable likelihood of achieving or exceeding objectives does. What does your common sense tell you about risk appetite? Do you develop one and stay within it to appease the regulators or because it is the best way to run your life and business?
What is the question to which risk appetite is the answer? It seems to me that the regulators and COSO are talking about preventing management from recklessly gambling away the interests of the shareholders and other stakeholders. But is risk appetite the best way to address that, especially when it ignores the need to deliver an acceptable return on the investments of those same shareholders?
If you are only concerned with preventing losses, don’t run a business. The question should be along the lines of, “How can we have reasonable assurance that the right business decisions are being taken, achieving enterprise objectives without unnecessary and unjustified risk-taking?”
I have wandered around the topic now (and many times in the past). Does what I have written make common sense to you? How does a risk appetite statement help an organization deliver what its owners want? If it does not, then what?
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.