COSO recently published a thorough PAPER which is intended to help foster new dialogue between boards and senior executive leadership as they partner to more fully develop their organization's resiliency to risk.
We think the paper does address the critical issues; however:
1) it lacks a Glossary, so it may be misinterpreted by readers who have not been educated in risk.
2) as a consequence of 1), some terms (for example "risk tolerance") can be misunderstood.
3) Risk appetite is nice wording, but for historical reasons and to avoid misunderstandings it should be compared with, and defined alongside, Risk Tolerability and Risk Acceptability.
4) The "non-linear shape" of the "risk appetite" curves displayed on the "heat maps" from page 14 onward deserves some explanation. The shape is such only on a log-log likelihood-impact plot (which the paper does not define). We have spent years of research, pushed by our clients, studying tolerability curves.
We would recommend you have a look at this Presentation and at this Document to see how we use tolerability in real world examples.
Finally, in this Document you will see how risks can be properly prioritized by comparing their "intolerable portion" rather than their "face value". This type of analysis shows that rational prioritization often brings counter-intuitive results, but generally a far more sensible apportioning of mitigation funds. It is not unusual that "first priority risks" represent only a small portion of the entire risk portfolio of a corporation.
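As an added illustration, not taken from the COSO paper nor from the Presentation or Document cited above, the script below contrasts a ranking by face value (likelihood times impact) with a ranking by intolerable portion on a constructed three-risk portfolio. It assumes a tolerability curve that is a straight line on a log-log likelihood-impact plot, p_tol(I) = c / I^k; that curve, its parameters, the sample figures and the function names (`intolerable_portion`, `rank`) are all assumptions for the example, not definitions from the text.

```python
# Added example: "face value" (likelihood x impact) versus "intolerable portion",
# the expected loss carried by the likelihood that lies above a tolerability curve.
# Assumption: the curve is a straight line on a log-log likelihood-impact plot,
# p_tol(I) = c / I**k, with k > 1 expressing aversion to high-impact events.
# Neither the curve nor the numbers below come from the text; they are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected events per year (constructed)
    impact: float      # loss per event in dollars (constructed)

    @property
    def face_value(self) -> float:
        return self.likelihood * self.impact


def tolerable_likelihood(impact: float, c: float, k: float) -> float:
    """Highest tolerable likelihood for a given impact, read off the assumed curve."""
    return c / impact ** k


def intolerable_portion(risk: Risk, c: float, k: float) -> float:
    """Expected loss from the part of the likelihood that exceeds the curve (0 if tolerable)."""
    excess = max(0.0, risk.likelihood - tolerable_likelihood(risk.impact, c, k))
    return excess * risk.impact


def rank(risks, c: float, k: float):
    """Return (names by face value, names by intolerable portion), highest first."""
    by_face = sorted(risks, key=lambda r: r.face_value, reverse=True)
    by_intol = sorted(risks, key=lambda r: intolerable_portion(r, c, k), reverse=True)
    return [r.name for r in by_face], [r.name for r in by_intol]


# Constructed portfolio: a frequent small loss, a moderate one and a rare large one.
PORTFOLIO = [
    Risk("moderate loss", likelihood=2.0, impact=1e5),
    Risk("rare catastrophe", likelihood=0.02, impact=2e6),
    Risk("frequent small loss", likelihood=10.0, impact=1e4),
]
C, K = 1e10, 2.0  # assumed curve parameters: tolerable iff likelihood <= C / impact**K

if __name__ == "__main__":
    for r in PORTFOLIO:
        print(f"{r.name:20s} face={r.face_value:>9.0f} intolerable={intolerable_portion(r, C, K):>9.0f}")
    print(rank(PORTFOLIO, C, K))
```

On this data the frequent small loss has the second-highest face value yet a zero intolerable portion, while the rare catastrophe moves from last to second: the counter-intuitive reordering the text refers to.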
As one of the delegates to our Courses said, "Once I was blind and now I see".
Our claim is indeed that ready-to-use methodologies exist to support those tasks, as demonstrated by a number of real-life applications, and thanks to those methodologies "we can see" far better!
In order to reach a more coherent and integrated level of critical component management, one needs to "see better": understand which are the real critical exposures, prioritize them, etc. We claim that is only possible if the appropriate techniques are used, which must define, in a very transparent way, the tolerability of the client.
Our view is that too much reliance is placed on qualitative approaches that actually end up blurring the perspective and allowing very costly biases into risk mitigation decisions. It is indeed "funny" that multi-million dollar decisions or strategic options may be taken based on qualitative appreciations of risks, unclear definitions of tolerability, and "color-based" prioritizations!
Some may find it unfortunate that some maths and quantitative approaches are needed, but the final result is definitely worth the effort. A properly done prioritization may save millions of dollars that could be spent in other areas, or avoid the selection of an ill-fated strategic alternative.
Oh, one more thing: it is not necessary to kill the client with unsustainable data gathering to deploy these methodologies, as they accommodate incomplete data sets. Uncertainties are considered in the process and can be reduced as more data come in, after the first preliminary pass.
Thank you for starting this very interesting discussion. I get really passionate when I see all the money wasted these days, or corporations reducing their risk management programs because they feel (and in many cases they may be right) that it's too expensive. Actually, it's not too expensive: most of the time it addresses the wrong issues because the risk prioritization is wrong!