Since its inception, there have been a lot of comments on COSO-ERM and how it can be applied in practice in an organizational setting. Those of you, dear readers, who have followed this blog know I am not an avid fan of the framework. However, unlike some experts, I don't agree that the authors made an error when introducing risk appetite as a concept as early in the ERM cycle as they did.
Understanding risk appetite
Dr. Larry Rittenberg (Ernst & Young) and Frank Martens (PwC) authored a short(ish) document on understanding and communicating risk appetite, which was published by COSO in January of 2012. It aimed to present a set of answers to the lack of clarity surrounding the concept of risk appetite as it was introduced in COSO-ERM:2004. In the executive summary, they clearly state:
"Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so."
In defining risk appetite in this way, they aim to get ERM out of the compliance corner it has been painted into for a long time. This definition elevates risk management above the level of a mere tool or requirement and positions it where it should be, and informally often already is: an integral part of the strategy process.
Risk appetite as a key element in strategy setting
A strategy can be defined, as the venerable Wikipedia does, as follows:
"A plan of action designed to achieve a vision. Strategy is all about gaining (or being prepared to gain) a position of advantage over adversaries or best exploiting emerging possibilities. As there is always an element of uncertainty about the future, strategy is more about a set of options ("strategic choices") than a fixed plan."
Reading this again, the key risk element, uncertainty, is an inherent part of the definition of a strategy. An awareness of what, in broad terms, this risk may be, and of the extent to which it would be acceptable for the organization to be confronted with it, is required to develop the action plan. Hence, risk and especially risk appetite drive strategy.
In my personal opinion, the authors did not adequately emphasize this.
An illustrative example
Imagine that your organization, for the sake of argument a non-profit organization, is offered the opportunity to start activities in an area whose content is adjacent to the organization's core purpose. Imagine the organization is about assisting the development of civil society in fragile states, and you are invited to work on post-conflict issue resolution between two tribes. There are some elements of uncertainty here.
However, the geographic area and its culture are completely unknown to your organization. There is no prior experience here. Hence, there are quite a few elements of uncertainty here.
Without a clear view on the risk appetite of the organization as compared to the potential risk exposure the organization may encounter, it is virtually impossible to develop a relevant strategy.
COSO-ERM is far from perfect. However, in light of some of the (already old) comments on risk appetite, I believe it to be essential to consider risk and risk appetite, even in the broadest of terms, during strategy setting.