
Is your risk appetite statement of value?

A few days ago, Lose Luiz Valentim commented on my post, Auditors need to understand risk management.  He pointed out that banks and other financial institutions are required by their regulators to have a risk appetite statement, and asked my views on assessing their effectiveness.

I replied with a quick suggestion, but this is a topic that merits more.

Much more (this is a long post) because this is a very important topic – for risk practitioners, executive management, board members, and auditors.

I will cover some background on risk appetite before talking about how to determine whether your statements add value in practice rather than checking the regulator’s box.

====================================================================

My most read post ever is on the topic of risk appetite. More than 89,000 have viewed Just what is risk appetite and how does it differ from risk tolerance? In it, I said (I will highlight throughout this post excerpts I find especially useful):

How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as clarify is “risk appetite”. What does it mean, and how does it differ from risk tolerance?

Let’s look first at the COSO ERM Framework. It defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” In their Strengthening Enterprise Risk Management for Strategic Advantage, COSO says:

“An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broadbased description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”

They continue:

“So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”

Does this work? To a degree, perhaps. The way I look at it, risk appetite or tolerance are devices I use to determine whether the risk level is acceptable or not. I want to make sure I take enough, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.

In 2020, COSO gave us Risk Appetite – Critical to Success; Using Risk Appetite to Thrive in a Changing World.

The authors, Frank Martens and Larry Rittenberg, tell us:

At its core, risk appetite is critical to organizational success. Articulating risk appetite for your organization will provide board members and senior management with important insight.

The COSO Enterprise Risk Management—Integrating with Strategy and Performance defines risk appetite as:

The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Inherent in this definition are several key points.

Risk appetite:

  • Is intentionally broad to apply across an organization, recognizing that it may differ within various parts of the organization while remaining relevant in changing business conditions.
  • Focuses on risk that needs to be taken to pursue strategies that enhance long-term success.
  • Recognizes that risk is more than individual decisions.
  • Links to value—it is tied to the choices the organization makes on how it creates and preserves value.

Risk appetite is at the heart of decision-making. It is equally important in determining that a decision is necessary.

Every organization must accept that taking risks to innovate and grow is inherent to business. To not do so leaves the organization vulnerable to losing ground to other competitive organizations. The challenge is to know the right amount of risk necessary to sustain innovation and growth across the organization. With that knowledge, an organization can determine which strategies to adopt and which objectives to pursue.

My good friend, Alexei Sidorenko has shared a free booklet on risk appetite. I will come back to that later.

====================================================================

Now let’s examine some risk appetite statements from leading organizations.

The United States Agency for International Development said in 2018:

We have a MEDIUM risk appetite with regard to: Implementing long-term strategic focus in our country programs. We will set priorities and implement long-term strategic focus in our country programs based on rigorous analysis and collaboration with key stakeholders to achieve more effective results. We will also continually balance this with our obligation to implement initiatives, directives and/or priorities from Congress and the interagency not foreseen during the strategy development process.

This is from the Office of the Comptroller of the Currency (OCC):

The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure. The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.

Network Rail has defined its risk appetite statements as follows:

Network Rail has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers and workforce. Safety drives all major decisions in the organisation. All safety targets are met and improved year-on-year.

In the pursuit of its objectives, Network Rail is willing to accept, in some circumstances, risks that may result in some financial loss or exposure including a small chance of breach of the loan limit. It will not pursue additional income generating or cost saving initiatives unless returns are probable.

The company will only tolerate low-to-moderate gross exposure to delivery of operational performance targets including network reliability and capacity and asset condition, disaster recovery and succession planning, breakdown in information systems or information integrity.

The company wants to be seen as best in class and respected across industry. It will not accept any negative impact on reputation with any of its key stakeholders, and will only tolerate minimum exposure ie, minor negative media coverage, no impact on employees, and no political impacts.

Are any of these useful standards or guidance that help an organization take the right level of the right risks to achieve its objectives? Remember that risk is taken or modified by every business decision, so to be effective a risk appetite statement should guide each of those decisions.

Do the words “moderate”, “low”, “no”, “minimum”, etc. mean anything? How do they influence decision-making or the setting of strategies?

====================================================================

Time for some more guidance.

The Financial Reporting Council (FRC) report, Boards and Risk: A summary of discussions with companies, investors and advisers published by the FRC in September 2011, tells us:

There were differing views about whether it was either necessary or possible for the board to apply a single, aggregate risk appetite for the company as a whole, as opposed to having a clear view on its appetite or tolerance for individual risks. Many participants felt this was difficult, not least because of the difficulty of quantifying many of these risks and the company’s limited ability to mitigate a number of them, including external risks. A view was expressed that it was even more difficult for non-financial companies than for financial companies, particularly companies or groups operating across different sectors and markets, given the diverse nature of the risks they were dealing with. It was also noted that risk appetite can vary over time.

Some participants felt that all that could realistically be expected of the board was to have a clear understanding of the company’s overall exposure to risk, and how this might change as a result of changes in the strategy and operating environment. When developing the strategy, however, it was important for boards to agree their appetite or tolerance for individual key risks. At its simplest, it was suggested this could be done by articulating what types of risk were acceptable and what were not.

Where boards had set their risk appetite or tolerance for individual risks, some companies also compared the net and gross risks to the ‘target risk’, so that the Board could judge how close the company’s current exposure was to that which it considered acceptable.

The importance of ensuring that incentives were aligned with company strategy and risk appetite or tolerance to promote an appropriate culture was widely recognised. There were different views on the extent to which companies had succeeded in achieving this alignment.

Participants from companies said that in their experience most investors rarely asked questions about risk or internal control. There was a general wariness about disclosing commercially sensitive information or information that, if disclosed, might bring about the very risks the company was seeking to avoid. Reporting on the company risk appetite was felt to be difficult as risk appetite was not constant but varied over time and depending on market conditions, if it could be defined at all. The same could be said about the overall exposure to risk. However, some directors and risk managers accepted there was a need to find ways of conveying more useful information.

Also in 2011, another friend (Richard Anderson) led the development of the Institute of Risk Management report ‘Risk Appetite and Tolerance’. While I disagreed (as a reviewer of the draft) with much of the content of the report, this was useful:

  1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.
  2. Risk appetite needs to be measurable. Otherwise there is a risk that any statements become empty and vacuous. We are not promoting any individual measurement approach but fundamentally it is important that directors should understand how their performance drivers are impacted by risk. Shareholder value may be an appropriate starting point for some private organisations, stakeholder value or ‘Economic Value Added’ may be appropriate for others. We also anticipate more use of key risk indicators and key control indicators which should be readily available inside or from outside the organisation. Relevant and accurate data is vital for this process and we urge directors to ensure that there is the same level of data governance over these indicators as there would be over routine accounting data.
  3. Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development.
  4. Risk appetite should be developed in the context of an organisation’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organisations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organisation has a clear view of both its risk capacity and its risk management maturity it cannot be clear as to what approach would work or how it should be implemented.
  5. Risk appetite must take into account differing views at a strategic, tactical and operational level. In other words, while the UK Corporate Governance Code envisages a strategic view of risk appetite, in fact risk appetite needs to be addressed throughout the organisation for it to make any practical sense.
  6. Risk appetite must be integrated with the control culture of the organisation. Our framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organisation itself, the nature of the risks it faces and the regulatory environment within which it operates.

====================================================================

This is all great theory, but do risk appetite statements help decision-makers in practice?

A lot of this theory is about board members and executive leaders seeing whether the overall level or amount of risk (using COSO language) is acceptable.

But can you really aggregate these into one “amount of risk”? Remember that the likelihood of two independent events both happening is the product of their individual likelihoods, which is lower than either on its own, and that the level of any one risk is a range of potential effects, not a single point.

  • Credit risk
  • Safety risk
  • Compliance risk
  • Cyber risk
  • Operational risk
  • Cash flow risk
  • Supply chain risk
  • Third party risk
  • Etc.

Not if you want a number that means something, and many of the participants in the FRC report agreed.

In any event, all you can do is calculate the sum (good luck with that) and compare it with some number somebody has previously calculated as acceptable.

I think we can discard the concept that there is a single “amount of risk”.

Now let’s examine again the examples above.

The United States Agency for International Development talked about having “a MEDIUM risk appetite”.

Sorry, that is fluff that means nothing.

The OCC said it:

“…has no appetite for unauthorized access to systems and confidential data.”

“…has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability.”

“…has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment.”

How does anybody use that to guide decision-making?

If there is no appetite, that means you need the risk to be zero – and that is impossible without shutting down the organization.

Network Rail also fluffs around:

Network Rail has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers and workforce.

In the pursuit of its objectives, Network Rail is willing to accept, in some circumstances, risks that may result in some financial loss or exposure including a small chance of breach of the loan limit. It will not pursue additional income generating or cost saving initiatives unless returns are probable.

The company will only tolerate low-to-moderate gross exposure to delivery of operational performance targets including network reliability and capacity and asset condition, disaster recovery and succession planning, breakdown in information systems or information integrity.

The company …will not accept any negative impact on reputation with any of its key stakeholders, and will only tolerate minimum exposure.

I recognize that the regulators in some industries, and even some corporate governance codes, require a risk appetite statement.

But fluff only checks the box.

Fluff doesn’t add value.

The challenge of ensuring people take the right level of the right risks to achieve objectives remains.

That is why people seem (as they should) to be moving towards some form of risk limits (“risk criteria” in ISO 31000 language).

Alexei’s guide is about limits or guidance for specific sources of risk, rather than an “amount of risk”. When he refers to risk appetite for this or that risk, he is not using the term in the way it is defined by COSO. I would translate his use of appetite to risk limits or criteria.

If you want to tell people how much risk to take in certain well-defined repetitive decisions and situations, risk criteria or limits can work – if you can define that level of risk in practical terms.

For example, it may make sense to establish a limit on the amount of credit that may be granted to a new customer. However, for that risk limit to be the right one for the organization, it can’t be arbitrary. It has to be the result of an analysis (updated periodically) that balances the risk of credit default or slow payment against the additional revenue and cash generated by higher limits.

It may make sense to define how excess cash at the end of each day is invested. But that policy and its risk limits have to be reviewed and updated (if needed) periodically. See this Storytime with Norman video.
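As an added illustration (not from this post, nor from any organization quoted in it), here is how a credit limit for new customers could be the result of the kind of analysis described above rather than an arbitrary number. Every figure is a constructed assumption: a default probability that rises with exposure, a gross margin on credit sales, a loss-given-default, and an optional cap on expected loss as a share of exposure, which plays the role of the risk criterion. The second set of assumptions shows why the limit has to be revisited when conditions change.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class CreditAssumptions:
    """Constructed inputs for the analysis; every value is an assumption made
    for illustration, not data from any real portfolio."""
    base_default_prob: float        # default probability at a negligible limit
    prob_per_1000: float            # added default probability per 1,000 of exposure
    margin: float                   # gross margin earned per unit of credit sales
    loss_given_default: float       # share of exposure lost when a customer defaults
    max_default_prob: float = 0.5   # keeps the assumed linear curve within a sane bound


def default_probability(limit: float, a: CreditAssumptions) -> float:
    """Assumed relationship: the more credit extended, the likelier a default."""
    p = a.base_default_prob + a.prob_per_1000 * (limit / 1000.0)
    return min(p, a.max_default_prob)


def expected_contribution(limit: float, a: CreditAssumptions) -> float:
    """Expected margin earned minus expected credit loss for one new customer
    who draws the whole limit (a simplifying assumption)."""
    p = default_probability(limit, a)
    expected_margin = (1.0 - p) * a.margin * limit
    expected_loss = p * a.loss_given_default * limit
    return expected_margin - expected_loss


def choose_limit(
    candidates: Iterable[float],
    a: CreditAssumptions,
    max_expected_loss_ratio: float = 1.0,
) -> Optional[Tuple[float, float]]:
    """Pick the candidate limit with the highest expected contribution, skipping
    any limit whose expected loss per unit of exposure (p * LGD) breaches the cap.
    The cap is the risk criterion; the search over candidates is the reward side
    of the balance. Returns (limit, expected_contribution), or None if every
    candidate breaches the cap."""
    best = None
    for limit in candidates:
        p = default_probability(limit, a)
        if p * a.loss_given_default > max_expected_loss_ratio:
            continue
        ec = expected_contribution(limit, a)
        if best is None or ec > best[1]:
            best = (limit, ec)
    return best


# Constructed assumptions for a worked run.
BASELINE = CreditAssumptions(
    base_default_prob=0.02, prob_per_1000=0.01, margin=0.15, loss_given_default=0.8
)
# The same book after conditions worsen: the periodic review the post calls for.
STRESSED = CreditAssumptions(
    base_default_prob=0.05, prob_per_1000=0.01, margin=0.15, loss_given_default=0.8
)
CANDIDATE_LIMITS = range(1000, 10001, 1000)

if __name__ == "__main__":
    # Unconstrained: the pure expected-value optimum.
    print("baseline, no loss cap:", choose_limit(CANDIDATE_LIMITS, BASELINE))
    # With a risk criterion: expected loss may not exceed 6% of exposure.
    print("baseline, 6% cap:     ", choose_limit(CANDIDATE_LIMITS, BASELINE, 0.06))
    # Re-run after conditions change; the right limit moves.
    print("stressed, no loss cap:", choose_limit(CANDIDATE_LIMITS, STRESSED))
```

Under the baseline assumptions the unconstrained optimum is a 7,000 limit; adding the 6% expected-loss criterion pulls it back to 5,000, and once default rates rise the unconstrained optimum itself falls to 5,000. The point is not the numbers, which are invented, but that each limit is traceable to stated assumptions that can be challenged, audited and refreshed.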

The test of a risk appetite statement, risk tolerance, risk limit, or risk criterion, is whether it leads to taking the right level of the right risk to achieve objectives.

====================================================================

Time to lay out a series of steps for assessing your risk appetite statement or risk criteria.

  1. Does it meet the needs of the organization? Does it help decision-makers take the right level of the right risks, balancing “risk and reward”, to achieve organizational objectives? Is it measurable, rather than expressed as “low”, “medium”, etc.?
  2. Does it help both strategic and tactical decision-making across the extended enterprise?
  3. Are there adequate controls over the (risk) analysis behind the risk limit? Does it use reliable, complete, accurate, and current data? Are any calculations correct? Is judgment properly applied and the right people involved?
  4. Is it periodically reviewed to ensure that it remains appropriate in a dynamically changing environment?
  5. Does it encourage risk-taking (including taking more risk) when that is right for the business? Are people adequately or overly risk-averse?
  6. Do people understand it and how it relates to their decisions and their responsibilities?
  7. Do people believe in it?
  8. Is it followed and what happens with exceptions?
  9. Does it help the board and executive leaders understand the decisions being made and whether the right levels of the right risks are being taken to achieve objectives?
  10. How can it be improved, made more practical and value-add?

Or is the risk appetite statement fluff designed to meet the regulator’s mandate, adding little in terms of value?

You can probably tell that I am not a fan of risk appetite or risk appetite statements. But if an organization deploys risk limits or criteria that work and calls them, as a whole, their risk appetite statement, I might be able to go along with the idea.

However, I remain convinced that the path to success is by understanding how what might happen (i.e., risk, both positive and negative) might affect the achievement of enterprise objectives.

I’ve said a lot! What do you think?

  1. July 3, 2023 at 8:26 AM

    Thank you Norman. Personally I am a huge fan of using risk appetite of the people in the room at the time of making a decision by using something similar to an efficient frontier which highlights risk reward trade off for each alternative and shows options that are clearly better than others

  2. July 3, 2023 at 11:22 PM

    Hi Norman,

    Your commentaries are apt and well articulated. One thing I ponder about is for the board and executive to reflect on how to use what might happen during objectives and strategy setting to influence value creation. I am a fan of taking informed and calculated risks geared towards achieving success.

    Taking the right risk at the right time, balanced with rewards, requires building capabilities and monitoring competence to respond to changing world realities.

    Thanks for your thoughts.

  3. Norman Marks
    July 4, 2023 at 6:10 AM

    Akeem, strategy-setting is a decision that needs to consider what might happen for each option.

    • July 4, 2023 at 11:40 PM

      Norman,

      You are correct regarding strategy as a decision. I have been trying to educate my colleagues that strategy as a decision is not a single point option rather all plausible options should be identified, considered in terms of what might happen to each of them.

      In any case, I concur 100% with the relationship between risk appetite (representing maximum risk tolerance level) and risk tolerance (representing the base threshold for risk tolerance) in my opinion. For example, a target to achieve 100% no defect (risk appetite) and 90% (risk tolerance) may be set as acceptable to achieve success.

      • Norman Marks
        July 5, 2023 at 6:14 AM

        Akeem, surely if 90% is acceptable that is your real target!

        I much prefer to assess the likelihood of achieving the target (whether 90% or 100%), and whether that likelihood is acceptable.

        That is “actionable” information.
