A Ball of Confusion: What Is Your Appetite for Risk Appetite?
Vincent Tophoff | June 18, 2014 |
Even if you are not a risk management expert, chances are that you have come across risk management jargon, such as risk tolerance or risk appetite. People—such as regulators or consultants—might ask you questions about how your organization, or governing body, determines its risk appetite.
As a non-expert, you might have no idea what this means exactly. However, many risk management professionals are also not so sure—or should not be so sure—as many different definitions or explanations of terms exist. If you look up the term in various regulations, standards, or guidelines, or ask several experts, you will end up with a plethora of meanings. This creates unnecessary confusion and is not good, even dangerous, for the management of risk!
Good risk management is important for organizations to support their decision making and reduce uncertainty associated with achieving their objectives. As the management of risk is an inherent part of an organization’s system of management, it concerns all people working in or with that organization.
The best way to inform everyone in your organization, as well as your external stakeholders, about the importance of risk management to their daily job is to speak their language—use common language without jargon. Just think how confusing it gets to lay people when the even the jargon has multiple meanings! To help all the non-experts, risk management terms and concepts should be as straightforward as possible to avoid, or resolve, any confusion or misalignment.
Unfortunately, as my example demonstrates, there already exists a lot of confusion and instead of getting better it seems to get worse, for several reasons. An important cause of the confusion is the consulting industry trying to scare you and lure new lucrative engagements by predicting disaster if your organization does not have the right risk culture, is not able to adequately determine its “risk clock speed,” or does not sufficiently take into account the effects of “risk propinquity”.
Another reason is that the various regulators, standard setters, and issuers of guidance for governance and risk management around the globe do not seem to coordinate their efforts. On the contrary, they all issue new definitions and interpretations, which only adds to the already existing confusion. Your organization does not have to be a multinational to be affected by multiple layers of regulation(s) or to use several different guidelines for the management of risk.
In fact, respondents to IFAC’s global Risk Management and Internal Control Survey in 2011 already highlighted the need for further international alignment of risk management and internal control guidelines, starting with the underlying terms and concepts. Facilitating this global alignment is something IFAC is addressing, as I discussed in a previous article and will continue to provide updates on new developments.
But action isn’t for IFAC alone—you could also contribute to better alignment leading to better communication about the management of risk and, ultimately, better performance and better outcomes. What specific term or concepts are confusing the people in your organization? What do you propose to better communicate the value of risk management?