Carol Williams has written a thoughtful post, Risk Appetite: Bridging The Gap Between Two Extremes that I recommend reading.
Before diving into it, I want to thank her for her comments about this blog and how it sparks useful discussion among practitioners.
Carol is a believer in risk appetite, but I am not.
My primary argument is that leaders of the organization should be managing the business, not a list of potential harms.
Risk appetite focuses only on potential harms absent the context of whether they should be taken on business grounds.
There are other problems with the concept, including:
- They are of little value if they don’t affect decision-making.
- They are harmful if they lead to decisions that consider only the downside, not whether risks should be taken.
- Business conditions are changing all the time, so we need decisions made based on current and future conditions, not some “statement” made in the past that is unchanging.
- It is impossible to establish a meaningful risk appetite, defined by COSO as the amount (whatever that is) of risk you are willing to accept in the pursuit of objectives, for risks like:
- The possibility of physical harm, even death, of personnel, or
- The possibility of non-compliance with applicable laws and regulations
- Risk appetite statements such as “we are risk…
