
Inside Internal Controls

News and discussion on implementing risk management


COSO ERM explains the flaw in risk appetite statements

There is one paragraph in the COSO update that explains why complying with risk appetite statements can lead organizations to fail to take the right risks.

Yes.

I really mean that.

Of course, COSO ERM 2017 pushes organizations to establish “risk profiles” (a.k.a., lists of risks or risk registers) and their risk appetite.

But if you look carefully you will see one paragraph in the COSO update that explains why devotion to compliance with a risk appetite statement can lead an organization to fail to take the right risks.

“Organizations may … choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”

In other words, stay within risk appetite if that is the right thing to do. Don’t stay within it if exceeding it is the right thing to do.

It’s all about weighing all the potential consequences before acting – not just the potential for harm.

Of course, that is what all effective decision-makers do.

Of course, that is what risk practitioners should advocate!

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.

What do you think?


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.