Risk Appetite
Posted: February 13, 2012
My work on the COSO Internal Control Integrated Framework revision advisory committee has brought home the importance of a risk assessment in setting up internal controls. If you don’t know what your risks are, then how do you set up appropriate controls to manage those risks? I think many CPAs “get this,” although a surprising number of companies still do not have formal or informal risk assessment processes. The next step, however, is less understood. That step is setting a risk appetite.
Dr. Larry Rittenberg, former Chairman of COSO, and Frank Martens, a member of the PwC team working on the ICIF revision, recently issued a paper through COSO on Understanding and Communicating Risk Appetite. The paper can be found at http://www.coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20Appetite-WEB_FINAL_r9.pdf. The paper does a great job explaining what risk appetite is and why it is important to actually decide, document and communicate the risk appetite level throughout the organization.
Just as with failing to determine what your risks are, failing to determine your risk appetite may leave you with too few controls and with risks you never intended to accept. Just as importantly in today’s environment, without determining your risk appetite, you run the risk (pun intended) of having too many controls and incurring more cost than is necessary to manage the organization’s risk to an acceptable level.
Just as an auditor sets a materiality level in an audit to help determine the level and amount of audit work that is necessary, an organization must set a risk appetite that is agreed to by the governing body (Board of Directors) as well as management. In addition, it is extremely important to communicate this risk appetite throughout the organization. If you don’t do so, you may end up with employees not understanding what risks they should be taking, what risks need to be limited and what risks should be avoided altogether.
In many ways setting a risk appetite goes hand-in-hand with setting the tone at the top. But just as saying one thing and doing another confuses employees (not to mention the children in your own family), telling people to manage risks without giving them any idea of what level to manage them to leaves employees bewildered at best, or frozen by inaction for fear of doing the wrong thing at worst.
Communicating risk appetite may not be easy, but without it, a business is running on pure luck and that is no way to stack the odds in favor of success.