Enterprise Compliance Today

Axe archaic attitudes on Risk Appetite!

Posted by Greg Carroll on Fri, Oct 17, 2014 @ 11:00 AM

We need to discard the continuing archaic attitude to Risk Appetite as a compliance policing action and develop it as a tool for improving management and system performance.  In the brave new world of the volatile 21st century business environment, not only are the goal posts moving, but the ground is moving under our feet.




Concepts of sure and steady and adherence to strict process have to be replaced with flexibility and versatility in both thinking and decision making.  The rote service and mass production methodology of McDonald's and Ford in the 20th century has been replaced by personalised service experience and agile development.  Future survivors have already started to realise this from a customer perspective but few have been able to translate these realities into management and systems.

The current attitudes on Risk Appetite are doing a major disservice to developing the culture of transformation needed for existing businesses to compete against the groundswell of start-ups that “get” this new world.  Risk Appetite discussions come down heavily on the side of ensuring unsupportable positions aren’t taken, as they are seen as the greatest threat to business continuity.  Great measures are being taken to codify beliefs and attitudes within the business as a method of mitigating “risky” behaviour.  Unfortunately, this conservative approach has more in common with the 19th century than the 21st.

Don’t get me wrong, Risk Appetite is a valid component of a comprehensive Risk Management Framework but what I am calling into question is how we manage risk appetite.  Don’t confuse bad behaviour with risk tolerance.  Blatant disregard of controls and breaches of protocol are just bad behaviour not risk tolerance.  Risk is about managing uncertainty and there is nothing more certain than the outcome of taking a short-cut over thin ice.  

As I have stated many times, in these uncertain times Risk Management needs to be a proactive tool for business development, not an albatross around its neck.  Risk Appetite must be about taking opportunities and innovation, not risk aversion.  The market today is not only volatile but changes at the speed of light.  To compete, we need managers to be lateral thinkers prepared to do the unexpected and take advantage of the opportunities in the micro timeframes in which they are available.  This is the new world in which we live.  Instead of restricting and regulating decision making, Risk Appetite audits and attitudes need to be oriented towards identifying and weeding out conservative risk-averse decision makers and developing a more risk tolerant approach to management and business.

At this point I can hear the howls of horror from most of those employed to protect organisations from the adverse effect of uncertainty on business.  Corporate objectives are invariably expansive, increasing market share or exceeding customer expectations etc., so as risk is the “uncertainty on [achieving] objectives”, operating within safe tolerances is a risk to those expansive objectives.  To achieve those goals business needs to push boundaries and actively pursue the unknown, actions normally outside existing industry comfort zones, i.e. existing Risk Appetites. This is where people need to take that quantum leap of faith and convert their long developed protective concept of risk management into a useful 21st century proactive tool for decision making.

ISO 31000 has all the ingredients of a proactive management tool for the 21st century but, sadly, is generally interpreted into the 19th century concept of Risk Management.  Just as the environmental movement is finding that nuclear energy isn’t that bad, with the right technologies and safeguards in place, so too can we build strength of confidence into risk taking by harnessing the capability of risk management to identify, evaluate and mitigate as part of a challenging decision making protocol.  In doing so, and with the right attitude, we free management to innovate and take chances, because that is where the future lies.

This also means ditching the easy (and lazy) ways of managing risk as historical items to be accounted for (coz it ain’t) and embracing new technologies that can monitor, review and assist decision making, all of which spreadsheets are incapable of.  Let’s look at the basic tenets of good decision making from the Harvard Business Review article The Effective Decision by Peter F. Drucker:

  1. Classifying the problem. Is it generic? Is it exceptional and unique? Or is it the first manifestation of a new genus for which a rule has yet to be developed?
  2. Defining the problem. What are we dealing with?
  3. Specifying the answer to the problem. What are the “boundary conditions”? 
  4. Deciding what is “right,” rather than what is acceptable, in order to meet the boundary conditions. What will fully satisfy the specifications before attention is given to the compromises, adaptations, and concessions needed to make the decision acceptable?
  5. Building into the decision the action to carry it out. What does the action commitment have to be? Who has to know about it?
  6. Testing the validity and effectiveness of the decision against the actual course of events. How is the decision being carried out? Are the assumptions on which it is based appropriate or obsolete?

To anyone familiar with ISO 31000 this would strike a chord.  Context, Identify, Analyse, Evaluate, Treat, Review.  The Risk Manager’s role in the 21st century organisation is to enable and empower decision makers to take risks, informed risks, by establishing a solid and supportive risk environment and providing tools that enable them to understand the possible options and outcomes, and how to monitor their execution to ensure a positive outcome.  So stop talking about controlling the corporate Risk Appetite and start building it.

Also see previous articles:

The “Risk Culture” Myth

Risk Culture vs Organizational Culture – Hitler Diaries Case Study



Tags: corporate governance, risk management, risk culture, decision making, risk tolerance