So I’ve been thinking about risk appetite this week. It always seems like a strange term – appetite. Does anyone really have an appetite for risk? This is particularly so if we think of risk as downside risk: the chance of bad or negative things happening.
Risk appetite is so often used as a proxy for issue appetite, i.e. we don’t have an appetite for things going wrong, here, now. Well, of course; that is entirely understandable. If things are going wrong here and now, however, that has nothing to do with risk at all. It is in the realm of issue management, and in effect it is a failure of risk appetite.
Risk appetite is also so often disconnected from objectives. Yet risks flow from objectives; risk is concomitant to them. These objectives may not be written down, fully articulated, measured or clearly set, but risks still flow from them. So if I am a business with no objective to trade internationally, a whole raft of overseas risks (foreign currency exposure and the like) simply does not accrue to the business.
Yet the real problem with risk appetite is that it is not consistent, much like the quixotic, strange, complex, messy humans and organisations that hold it. It is not consistently understood: we don’t really spend enough time reviewing, analysing, monitoring and understanding risk. And the risks we take are not consistent either. Take a friend of mine. They will not eat food if it is anywhere near the sell-by date, yet they are happy to fly, to drive in a manner that is not risk averse, and so on. So it is with organisations. Organisations very rarely carefully and consistently consider, quantify and analyse risks before making decisions, allocating resources or designing control frameworks. We should be careful that our aversion to issues is not falsely linked to our risk appetite, for often the two are not linked in any meaningful way at all.
The second, related issue is a sense of not managing risk. I’ve seen virtually all of my clients over the years assess but not manage risk. ‘Management’ comes etymologically from the Latin for hand, i.e. it is something you do: a verb, not a noun. So it should be with risk management. Too often I’ve seen it become a noun rather than a verb. Actively addressing risk, or active management genuinely informed by risk, is difficult to achieve and rare in practice. We as humans, and our organisations, have a natural optimism bias: we think that because something hasn’t happened, it won’t happen. That is not the case. In the main, only legislation forces organisations to manage risks rather than issues. Take health and safety. We have fire protocols because organisations are legally required to have them; left to their own devices, organisations would never make a business case to tackle this risk on their own. How many of our clients have really embedded risk management? I would contend very few, because it goes against human nature.
So, overall, risk appetite is poorly understood and risk management is poorly done. Where does this leave a risk-based internal audit? Doing the heavy lifting, I would suggest, in most cases. We should continue to make the case for good risk management, continue to deliver a strong risk management message, and continue to express our work in risk terms. For just as fires and loss of life prompted legislation to enhance fire controls, so good internal audit will, over time, prompt good risk controls and a better understanding of risk.
I am of course subject to the human optimism bias, however…