The goal of risk management, especially enterprise risk management (ERM), is to provide management (and the entire company) with valuable insights for risk-informed decision-making. But day in and day out, decisions are being made that don’t reflect what is voiced in the risk appetite statement approved by executives.
Growth is being stifled, and the company is barely remaining viable.
OR, on the flipside, extremely risky decisions are being made in desperate chances to increase income, gain customers, or be considered edgy.
You thought the risk assessment results would be enough to trigger action and decision-making, but nothing happens. Why is management not using the risk information to make decisions?
Management says the risk information is “informative” or “very helpful” but sets aside (both physically and mentally) the risk report to then talk about how to allocate resources for projects in the next quarter. The end result is a decision without research, information, and scenarios to support it.
Who knows what the outcome will be.
Will the company crumble to the ground? Is the reputation about to be pummeled into dust by consumers on social media?
You think that the way to fix this problem is to become more quantitative. Let’s think about this for a minute. Quantitative risk assessments mean making a significant investment in modeling for in-depth, statistical modeling and scenario analysis.
Is this the right step? Well, surely it is…management always asks for metrics and key performance indicators, so maybe they need hard numbers on the risk side as well. Right? No.
There is another way to provide management with the information they need for meaningful, risk-informed decision-making.
It is okay to take risks. We do it every day, at work and in our personal lives. But it becomes a matter of how much risk we are comfortable accepting, what risks are too big and need to be reduced, and which risks should be avoided at all costs. Essentially, we each have an informal personal risk appetite statement.
What about your company? Do you have a risk appetite statement? If so, what does it look like?
Is it high-level and oh, so ambiguous? Or maybe it’s so detailed it can’t be used in real life.
Reality is that a risk appetite statement should help a company verbalize – at a very high level – how much risk in what areas they are willing to take. One of my earlier posts defines risk appetite and gives some examples.
(For a more in-depth review, check out this article on the basics of risk appetite.)
But there is a deeper level of information – risk tolerance. That same earlier post has this definition of risk tolerance: “risk tolerance establishes minimum and maximum boundaries around the risk appetite that the board is willing to accept.” Absolutely true. These boundaries are what transform high-level information in the risk appetite statement into something actionable.
Risk tolerance can be applied to whatever context you are working – strategic goals and objectives, a project, process changes, whatever. They are flexible and adaptable…and it is crucial for risk management processes to be adaptable, as I discuss in this post.
It can be phrased in terms of money, customers, reputation, or even multiple ways.
So let’s talk about how to actually do it.
Using Risk Assessment Results with Risk Tolerance
It is easiest to describe how to compare risk assessment results to risk tolerance with an example:
Your company is about to rollout a new product. Due to the regulatory oversight, management and the board have agreed on zero tolerance for any regulatory fines or investigations. However, they are willing to accept a cost variance of up to $500,000 to ensure a successful launch. (Make sure that risk tolerance is defined prior to a risk workshop, so the results do not influence management…)
Now that you know this information, let’s apply it further.
During a risk workshop on this new product, a risk was identified and assessed. The risk has the potential impact of $1 million dollars if it occurs. Compare this assessment to the risk tolerance – what is the outcome? This risk is not acceptable as it stands.
Now management needs to do one or more of the following:
- Change the situation so that the risk doesn’t exist in its current form, hopefully reducing the potential impact to an acceptable level.
- Take action (create an action plan and dedicate appropriate resources) to mitigate the risk down to the acceptable level.
- Stop the product launch in its entirety. (Of course, there are other considerations to this decision, but it is a possible decision.)
You have now just made risk appetite and risk tolerance actionable. You have taken risk assessment results, compared them to the risk tolerance, and given management the information they need to make a risk-informed decision. Wow!
What challenges have you faced in your organization related to risk appetite? How did you overcome them?
I would love to hear your thoughts. Please share in the comment field below, or join the conversation on LinkedIn.
Do you want someone to guide you through the process of making your risk appetite statement actionable? Are you struggling to get your risk management initiative off the ground or back on track? If so, contact me so we can discuss your options.