Attending an IIA training in Brussels today on Corporate Governance audits, an excellent training by the way, we (the participants) started discussing risk appetite. The discussion got me thinking about the way we establish or validate risk appetite and the issues that come with that. Let me take you through my thoughts ...
A reflection of stated risk appetites
Let's look at a traditional process of establishing risk appetites.
Following COSO-ERM, the board has established some kind of risk appetite. In order to translate this into operational reality, we start with a risk analysis, often based on risk maps specific to the industry. Management and process owners assess impact, probability of occurrence within a certain time interval and current risk coverage. They follow this with an assessment of the adequacy of that coverage in order to determine their "appetite" for each of the identified risks ...
Well, there is a bit of a problem with that approach. It gives us a reflection of the stated or expressed risk appetite, i.e. the preferences the participants say they have with respect to these risks.
What we don't know is whether this is a truly accurate reflection of the risk appetite, or whether it is a subjective response reflecting what management believes it ought to answer, given the preferences the board has expressed.
In other words, is this a reflection of how they would really behave with respect to these risks, or of how they believe they should behave?
Real risk appetite is reflected by exhibited risk appetite
There is one good way of finding out real risk-related behaviour. For risks which occur with some frequency, we can observe the behaviour of management and process owners.
How? Well, any actual attitude towards risk is reflected in day-to-day decisions and actions. In other words, our operational behaviour is an accurate reflection of our real risk-related behaviour. From a risk management point of view, we can look at evidence of this behaviour, such as:
- publications which exhibit our opinion on key issues in our industry which may be related to one or more risks, and which therefore give some information on our real risk appetite;
- project choices and priorities, which give information on the organisational strategies we prefer to focus on because we deem them relevant;
- meeting minutes of, and reports presented to, the board and exco, which give information on which decisions are being taken as to where the organisation should focus.
In essence, these real-life, rather than stated, choices reflect our actual attitude as an organisation, a management team or a division with respect to risks and our exposure to them: in other words, our risk appetite.
Using the results
Okay, what can we do with the information we gathered? Recapping, we have information on the stated, expressed preferences of management and process owners towards risk, and we have information on the actual behaviour exhibited by management and process owners regarding these risks.
We can perform the following analyses:
- Internal interpretation of the board's risk appetite: compare the board's risk appetite with the stated risk preferences of management and process owners;
- Actual versus stated risk appetite: compare the stated preferences of management and process owners with their exhibited preferences.
For any discrepancies, I would ask management or process owners to come up with a good explanation which motivates the deviations. They may be relevant and valid, but they need to be in line with the board's choices.