In reply to editor Lauren Gow’s recent opinion piece, author, blogger and retired chief audit executive Norman Marks responds in an equally thought-provoking piece

Last month, our editor Lauren Gow wrote an opinion piece questioning the validity of risk assessment documents in our new agile world. She reasoned that if risk managers were only using them out of habit, then perhaps it is time for a rethink. 

Now, renowned author, blogger and chief audit executive for major firms, Norman Marks, responds in an equally thought-provoking piece asking ’Should we “tear up the risk appetite” statement?’

That is advocated in a provocative post in StrategicRISK. The author, Lauren Gow, is the StrategicRisk Asia Pacific editor, based in Australia. As far as I can tell, she has not been a risk practitioner (except in the sense that all of us are because we are constantly weighing and taking risk). But that doesn’t mean she doesn’t have (a) a point, and (b) a right to express it and challenge us all in the process.

Here are some key excerpts from the article:

  • Let’s talk about risk appetite. Or more specifically, let me ask you – what is the point behind you, as a risk manager, preparing a specific risk appetite document for the board? Have you ever stopped and really thought about why you do it? If you are doing it because you believe it adds value to the management of the business, it may be time for a rethink.
  • A risk appetite document is a vertical silo tool. And it is being used during a period when most businesses are pushing for more horizontal, integrated ways of working. One might argue that silos themselves do not cause problems within a business, but the closed mentality that comes as a result of the silo-style operation does.

Writing a specific risk appetite document for the board separates risk management from all other parts of the business. How do you effectively make a mark across the whole business when you are not integrated within it?

  • In the creation of a specific risk appetite document, risk managers are essentially handing the board further ammunition to shorten the leash of management. You are adding barriers to management from a board level and making it more difficult for management to take a calculated risk on new products or markets. This goes against what most risk managers say they want to be seen as within their business.

You want to be a business enabler, not innovation impediment; a driver of transformation, not the brakes of revolution. Creating more rules for management from board level will not achieve this goal.

  • Be bold. Tear up your risk appetite policy today. Tell the board you will no longer be doing a specific risk appetite document for them but instead you will be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working.

I have written about this topic for several years. Of note are:

Let me quote my own post from March:

  • These days, I talk about the need for people to make intelligent and informed decisions, because that is where risk is taken.
  • Top management and the board need a reasonable level of assurance that important decisions are both intelligent and informed – that they give due consideration to what might happen (i.e., risk).
  • In fact, I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk.
  • The key is to make informed and intelligent decisions that take the right level of the right risk, where it is justified on business and other grounds. Decision-makers need guidance so that they know that what they are doing (taking risk) is consistent with the desires of top management and the board. You may call that risk appetite (I prefer not to) or risk criteria, but often it is covered by policies such as investment guidelines, hedging policies, delegations of authority, and stop-loss limits.

I quoted an October 2017 post:

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.

Then I suggested:

  1. Recognize that if you are required by law or regulation to have a risk appetite statement, or even by boards who (perhaps on the advice of consultants) believe this is necessary, you need to put one together.
  2. Any risk appetite statement should first satisfy the needs of the regulators. (Sadly, they seem to be happy with fluff such as “we have no tolerance for non-compliance with laws and regulations”.)
  3. If at all possible, develop risk appetite statements that actually mean and do something. (Or indicate that the guidance is in other standards and policies.) They should:
    1. Guide decision-makers, so that they know before they take a risk whether their decision would be acceptable and in the interests of the organization as a whole as it strives to achieve its objectives
    2. Allow for flexibility where there is a business justification for taking what might appear to be a lower or higher level of risk – because of the opportunity that is presented. For example, require such decisions to be escalated to more senior levels of management or the board
    3. Enable top management and the board to have assurance after-the-fact that risk to objectives (which I define as the likelihood of failing to achieve an objective) is within desired levels
    4. Distinguish between different sources of risk. Don’t attempt to have a single risk appetite that encompasses market risk, compliance risk, reputation risk, and so on. That is nonsense. Develop guidance that is suitable for decisions in each area
  4. If you decide on ‘fluff’ risk appetite statements, you still need guidance for decision-makers (see below)
  5. If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership
  6. Provide reports to the board and top management (as described in my books) that help them see whether enterprise objectives are likely to be achieved
  7. Have the CEO provide assurance to the board on the quality of decision-making, risk-taking, and the achievement of enterprise objectives
  8. Have the CRO (if there is one) do the same
  9. Have the CAE provide an opinion on the above
  10. Include the quality of decision-making in each individual’s performance assessment

Returning to Lauren’s provocative piece…

She suggests that instead of some high-level document (risk appetite statement), management should “be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working”.

I’m not going to agree that this is a matter of board policies. Neither do I believe that it’s about safety and avoiding harm.

It’s about taking the right level of the right risks as we make decisions and achieve our objectives.

How does the board obtain assurance that management is taking the right risks? How does it know that management is making informed and intelligent decisions?

Part of the answer lies in repudiating Lauren’s last words: “take a chance on a new way of working”.

Let’s think about the old way of working.

For example, many if not most organizations already have these in place:

  • Limits on the credit that can be granted to new customers
  • Requirements that credit limits are approved by appropriate management
  • Limits on the level of hedging and other use of derivative instruments
  • Requirements that expenditures over a certain value are approved by a more senior individual, even by the board if necessary
  • Policies that indicate the quality of investments that can be made
  • Requirements that all acquisitions are approved by top management and the board
  • Controls to ensure that all write-offs are approved by appropriate management
  • Controls to ensure that excessive discounts are not offered to customers
  • … and so on

So I stand by the suggestions I made in March. But I am going to emphasize step #5: “If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership”.

Figure out, for your organization, what you need to achieve the objectives of:

  1. Providing assurance that the right levels of the right risks are being taken through informed and intelligent decisions
  2. Ensuring that information provided to the board and investors is reliable, complete, and accurate
  3. Satisfying the compliance requirements of the regulators and others

If you think that risk appetite statements work for you, guiding people to take the right level of the right risks, then fine.

If not, understand whether there is sufficient guidance already in place – and if that is sufficient rely on it; if not, fix it.

If you would like to comment on Norman’s thoughts or see more of his work, please follow this link to his original piece: