The challenge of implementing Risk Appetite

February 6, 2012 by
Filed under: General, Risk Management

I just read a very good and comprehensive paper from COSO on Risk Appetite. Written by Dr. Larry Rittenberg and Frank Martens, the paper provides a practical and well-substantiated framework for implementing Risk Appetite. It is truly a paper to study carefully and put into practice. Well written and full of good examples, the paper will help companies take an important step forward in implementing Risk Appetite across the enterprise. The COSO website provides the full document.

There is one element in the discussion on Risk Appetite to which I would like to ask that some extra attention be given: the challenge of divvying up Risk Appetite over various divisions, business units and entities. Even for the more quantitative components of risk appetite this is challenging, although there risk appetite and risk tolerances can at least be divided over business units. This, however, may mean that risk appetite is actually the same for all, or that every unit gets its fair share. Say the risk tolerance for the company is that the board accepts no more than 5% deviation from budget revenue and profit numbers. This can be divided equally over all the business units, because if all of them failed equally, the overall risk tolerance would not be surpassed. This works because these are percentages rather than absolute numbers.

What if the same company has a very low tolerance for safety incidents, and would not accept a number higher than, say, three (because last year's result was three)? It is not possible to give all units the same number, because this would lead to some very scary situations. Dividing the number three over all entities will not be possible either. Finding alternative measures carries the risk that they might not be 100% correlated to the true corporate risk tolerance. This can then lead either to unrealistic numbers or to an overall risk tolerance that is too high. This means that these risks need to be monitored at a corporate level, and entity-level risk tolerance will probably reach zero tolerance.

This becomes even more difficult with qualitative risks. The reputation risk appetite on all sorts of topics will perhaps be very low, but it should be realized that even the smallest entity can witness an event with devastating reputational impact, just like the largest one. So, risk appetite for this should be viewed at a corporate level. This may mean that risk tolerances would need to be set at (near-)zero tolerance for all entities, in order to prevent risks being taken that are higher than the overall risk appetite. In itself, this is an indication that the organization has become so large that its size has made it more vulnerable to risk events with a reputational impact. Perhaps this effect is also the reason why large organizations are considerably less agile than smaller ones. Organizations need to ensure that the risk tolerances they set this way do not freeze the business, although the risk of doing so is considerable and grows the more detailed an organization becomes.

So, having some sort of system in place to monitor risks at a corporate level becomes crucial, more so than micro-managing all decisions in the organization. In addition, monitoring risks at a corporate level means that there needs to be a clear and defined way to roll up risk monitoring results from all the entities. With that in mind, the discussion on risk appetite and risk tolerances will add a lot of value to today's business conduct.

Tags: BWise, Risk
