The Committee of Sponsoring Organizations of the Treadway Commission or COSO (www.coso.org) has released its paper Enterprise Risk Management — Understanding and Communicating Risk Appetite. This paper discusses what it assumes to be the parlous state of ERM systems’ risk appetite statements and processes. For an American publication it is remarkably reflective, flexible and principles-based, rather than the usual compliance and rules-based approach that has historically characterised the US legislative, financial and business management arena.
Whilst the paper has some useful thoughts about the process (there is a useful diagram on page 4 covering the components of risk appetite), it really proposes nothing new. I also struggle with its basic premise: that a written statement (no matter how well crafted) will fundamentally change attitudes to risk or inform risk handling. The suggested statements are so glib that they would not really add much to any real-life risk management.
The way I have always suggested that my clients handle risk management is to use a likelihood and impact graph with intuitive names for the scales of each; for example ‘certain’, ‘possible’, ‘severe’, ‘minor’ and ‘moderate’. Whilst these terms are imprecise (sorry to those quantitative risk managers out there), they do reflect how real people and managers describe things. The real debate then is to constantly review the risk maps generated and to set a risk appetite line on them, i.e. all risks ‘major’ and ‘possible’ are de facto not tolerated. The next stage of debate is then about whether the risk event described is indeed ‘major’ and ‘possible’. As long as this debate occurs, and it needs to be constant and embedded in ongoing business discussions, it should, in my view, provide a workable risk appetite.
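The likelihood/impact map with an appetite line drawn on it, as an added example rather than code from the post: the scale names, the default line and the sample register are constructed, and the line is modelled as a step function so it also covers lines steeper than the post's single ‘major’ and ‘possible’ corner.

```python
# Added example (not the post's own code): qualitative risk map with an
# appetite line. Scale names, default line and sample register are constructed.
LIKELIHOOD = ["remote", "unlikely", "possible", "likely", "certain"]  # low -> high
IMPACT = ["minor", "moderate", "major", "severe"]                    # low -> high

# Appetite line as a step function: per likelihood level, the lowest impact that
# is NOT tolerated. The post's rule, 'major' and 'possible' are de facto not
# tolerated, is the default: from 'possible' upwards, 'major' or worse is out.
DEFAULT_LINE = {"possible": "major"}

def rank(scale, label):
    """Position of a label on its ordered scale; rejects unknown spellings."""
    if label not in scale:
        raise ValueError(f"{label!r} is not on scale {scale}")
    return scale.index(label)

def check_line(line):
    """A coherent line never demands a worse impact as likelihood rises."""
    prev = None
    for lk in LIKELIHOOD:
        if lk in line:
            r = rank(IMPACT, line[lk])
            if prev is not None and r > prev:
                raise ValueError(f"appetite line bends upward at {lk!r}")
            prev = r
    return True

def tolerated(likelihood, impact, line=DEFAULT_LINE):
    """True if the map cell lies below the appetite line."""
    check_line(line)
    threshold = None
    for lk in LIKELIHOOD[: rank(LIKELIHOOD, likelihood) + 1]:
        threshold = line.get(lk, threshold)  # nearest defined level at or below
    if threshold is None:  # line not drawn this far left: inside appetite
        return True
    return rank(IMPACT, impact) < rank(IMPACT, threshold)

def review(register, line=DEFAULT_LINE):
    """Risks outside appetite, worst first: the ones whose 'major' and
    'possible' ratings the business now has to debate."""
    out = [r for r in register if not tolerated(r["likelihood"], r["impact"], line)]
    return sorted(out, key=lambda r: (rank(IMPACT, r["impact"]),
                                      rank(LIKELIHOOD, r["likelihood"])), reverse=True)

REGISTER = [  # constructed sample register
    {"risk": "ransomware on file servers", "likelihood": "possible", "impact": "severe"},
    {"risk": "phishing of finance staff", "likelihood": "likely", "impact": "major"},
    {"risk": "loss of an encrypted laptop", "likelihood": "likely", "impact": "minor"},
    {"risk": "data centre flood", "likelihood": "remote", "impact": "severe"},
]
```

Calling `review(REGISTER)` returns the two risks sitting on or above the line, which is exactly the list the ongoing ‘is it really major and possible?’ debate should be working through.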