A friend of mine, Richard Anderson, has released a new paper on the topic of risk appetite. Richard is an expert on risk management, especially compared to me. True, I have implemented risk management at one company, run it at another, and assessed risks for management for many years as chief audit executive. But Richard not only has greater experience and insight but has been involved in major risk thought leadership for a long time. For example, he quotes from the BS31100 standard, which he developed, as defining risk appetite as the "amount and type of risk that an organization is prepared to seek, accept, or tolerate."
The new ISO 31000 standard on risk management lays out the argument for risk appetite. It says:
"The risk management policy should clarify the organization's objectives for and commitment to risk management and should specify ... the organization's risk appetite or risk aversion."
The principle is sound: assess the level of risk, and if it is more than the organization's risk appetite, then take action to reduce the risk level. Richard's conclusion is:
"As we stand at the moment, risk appetite is almost impossible to measure and can never sensibly be expressed (except for a limited number of risks that are subject to quantitative techniques — and even they have their now well-known limitations). As a consequence risk appetite is never going to be condensed into ... [a] magical single metric."
I believe there is another practical limitation: I have difficulty understanding how different risks can be aggregated. This is what I asked him in an e-mail this morning:
"I am of the opinion (but flexible) that you need micro and macro risk appetites, but not necessarily enterprise level. For example, you need a risk appetite for your portfolio of loans, or your total AR (both of which are macro). But you also need a risk appetite for a major IT implementation (micro). With respect to enterprise, how can you accumulate these three areas (none of which 'value' risk impact in quantitative terms alone) and get something meaningful? Do you take your total reputation risk level and add it to your cash flow risk to get something meaningful — which implies that if cash flow risk is lower, it is OK to have a higher reputation risk?"
Reflecting further, let's consider risk appetite for one corporation: me. Just limiting personal risks today, I can identify a few risks that I need to manage:
Personal safety: I might have an accident while driving to/from work.
Reputation: I might say something, including my microblogging (here or on Twitter), that damages the little reputation I have.
Health: I need to eat and exercise wisely, and avoid individuals who are clearly ill.
Career development: I am in a number of important meetings today, and the perceptions of others might impact my career aspirations.
How do I value them, and should I aggregate them? Does it make sense to have a total level of risk appetite? That implies that I am prepared for one risk area to go up, should another go down.
An easy answer is to set a risk appetite for each of the individual risks — and that may be the best answer as well.
But how does this work when there is guidance that suggests top executives and the board (in its risk oversight role) need to set a corporate risk appetite and monitor against it?
My suggestion is to break down organizational risks into buckets where it makes sense to aggregate them, and to monitor actual risk levels against appetite within each bucket. For example, I could see a business setting risk appetite for:
Cash flow risk.
Risk of a material weakness in financial reporting.
But I am not persuaded that some artificial aggregate measure makes sense.
What do you think?