New COSO Risk Appetite Guidance
News for all you guidance enthusiasts: COSO just released a 40-page primer on how to define your organization’s risk appetite, and then weave that risk appetite into corporate strategy and decision-making.
The booklet is available for free on the COSO website, and is the latest in a series of smaller, focused pieces of guidance that COSO has churned out in recent years. Anyone involved in corporate risk management, audit, strategy, or compliance can give it a read and put it into practice.
“What’s important is to recognize that the choice of strategies and objectives requires an understanding of the appetite for risk,” Paul Sobel, chairman of COSO, said in a statement. “While most often an organization can adjust to take on more risk, there may be times where it needs to adjust the appetite, or perhaps even strategy, to accommodate a shifting business environment such as the one we are currently experiencing.”
Translation: companies can set all the lofty goals they want, but if that’s not grounded in a clear understanding of the organization’s appetite for risk, employees could pursue those goals in reckless ways, which tend to produce reckless results — especially in unpredictable business environments like, say, a pandemic and global recession.
So executives need to define their appetites for risk almost as qualifying statements: “Our objective is to open new plants in the Far East, within the confines of applicable government regulations and the free cash flow we already generate from operations.” Or, “Our goal is to double market share within three years, primarily through organic sales growth rather than mergers and their attendant integration challenges.”
In other words, a clear risk appetite is invaluable for strong corporate compliance or risk management programs. It defines the guardrails around strategic plans announced by the C-suite, and that helps you.
Without a risk appetite defined as part of corporate strategy, employees try to figure out those guardrails by themselves. That can lead to all sorts of trouble, such as:
- sales teams violating anti-corruption laws to meet aggressive performance goals;
- senior managers pushing through a merger when the company has no means to integrate the deal later;
- insufficient testing for software or product upgrades, leading to embarrassing market failures;
- new sales strategies such as independent agents working from home, leading to data security breaches because IT controls weren’t upgraded.
If management doesn’t define a clear risk appetite from the start to help employees avoid those blunders as they scramble to pursue strategic objectives, then you’re the one stuck trying to spackle over the cracks in the plan after it’s been constructed. You’re the one telling everybody, “Well, we can’t pursue our objectives like that…” and handing them lists of action items for policies, procedures, and controls.
Avoid that by pushing to define risk appetite from the start.
Anyway, Back to the COSO Guidance
My one criticism of COSO guidance is that it sometimes goes heavy on esoteric lingo, where readers might lose sight of how all that theory would work at an actual company.
The lingo beast occasionally rears its head here, too, such as this passage:
An organization should expect that the strategy it selects will be able to be carried out within the entity’s appetite; that is, strategy must align with appetite. If the risk associated with a specific strategy is inconsistent with the entity’s appetite, it needs to be revised, or an alternative strategy needs to be selected, or the appetite itself needs to be revisited.
Like, you understand the point the paragraph is trying to make, and ultimately the point is a good one; but the sentences read like something from an overpaid MBA’s PowerPoint presentation.
That said, this particular piece of guidance also includes plenty of specific, easy-to-grasp examples that any large company might encounter. For example, one section explains the difference between objective-focused and risk-focused strategies; and then demonstrates how executives might translate between those two approaches. See Figure 1, below:
The objective-focused approach in red is one of those imperatives that might come from the CEO or the board, which makes sense at the highest level but still leaves everyone else unsure what they’re actually supposed to do. The risk-focused approach in grey brings much more specificity, where senior and mid-level executives can say, “OK, we know how to manage around those threats.”
Elsewhere in the document are examples of risk appetite statements, discussion questions to pose to senior executives, mini-case studies, and so forth. At the very least, even if you’re uncertain about some of the lingo and abstract points in the guidance, you’re bound to find several examples that resonate with your organization’s industry or approach to management, and that will leave you saying, “OK, now this all makes sense.”
Get Disciplined
My suspicion is that many organizations already try to apply a risk appetite to their actions or strategy, but not always in a disciplined manner. That’s where this guidance could help: by showing what that disciplined manner looks like, so you can apply it more skillfully.
That’s not to say a business should be rigid in its risk appetite. On the contrary, the more uncertain your business landscape is — and uncertainty is sky-high right now — the more flexible you should be with your risk appetite. You’ll need to re-adjust your risk appetite, and perhaps your corporate strategy too, over and over again.
The more you understand the logic of how that adjustment should happen, the more deft you’ll be at taking those steps as necessary. So if you’re looking for some reading material to get you through your COVID lockdown, this latest COSO guidance has a lot going for it.