Paul Sobel, chair of COSO, visited Oslo in the spring of 2019. We at IIA Norge took the opportunity to gather some of his thoughts on the broad concept of "risk appetite".
One organization – one risk appetite? Any smart thoughts on how to break the appetite down?
– I think, because of certain financial regulations around the world, there is a misunderstanding that risk appetite is a “statement” developed by a company. I believe it’s really the discussion that should occur during strategic discussions planning about the nature and amount of risk an organization desires to take, or avoid, in its pursuit of strategy.
For example, with each strategy chosen the board/executives should discuss what nature and amount of risk they are willing to accept in pursuit of that strategy and what they would prefer to avoid. If done comprehensively in connection with the strategic planning process, an organization may end up with several statements applicable to each of the individual strategies, as opposed to a single statement encompassing all strategies. So to summarize, risk discussions should relate to individual strategies rather than a blanket statement applicable to all strategies.
The Board is ultimately responsible for setting the risk appetite, but do they in general have enough knowledge about the business and emerging risks?
– The board is ultimately responsible as part of their oversight role, but they must rely heavily on executive management, who has the detailed knowledge about the business, as well as individual and emerging risks. Board members should leverage their overall business experience to challenge management on whether the risk appetite being recommended to the board makes sense given the mission, vision and core values of the organization.
Any suggestions on how to engage board discussions on risk appetite and how to translate risk language into understandable terms?
– We went through an exercise with the IIA Board similar to what I described above. That is, for every goal that was part of the IIA strategic plan, a few of us brainstormed possible statements about what we thought the board would want to accept in pursuit of that goal and what they would prefer to avoid. You will notice that we didn’t say “not accept” because risk events sometimes are unavoidable, so “prefer to avoid” better captured the direction to CEO Richard Chambers and his management team. I use this as an example because it illustrates a discussion with the board, using the language of the organization (IIA in that case) and specific words included in the goals. At the completion, when the board approved it, CEO Richard Chambers and his team had a much clearer idea of what risk the board would accept and what information he would need to communicate to the board in a timely manner if unavoidable risk events occurred. The same applies to any organization.
Management should come to the board to discuss the selected strategies as well as the nature and amount of risk they believe the company must accept or should try to avoid in pursuit of those strategies. That discussion should use the language used in strategic planning and discuss real-life scenarios to help the board calibrate their agreement with management’s risk appetite recommendations. Risk appetite is more of a strategic planning discussion than a risk management discussion.
In your role as a Chief Risk Officer, do you see a shift in what is considered risk types, such as compliance risk, financial risk, operational risk, strategic risk and new risks such as cyber, environmental etc., and will this affect the way risk appetite is defined?
– I haven’t really seen a change in the risk categorizations, such as you mentioned (strategic, operational, compliance and financial). Those categories seem to still work, even in today’s rapidly changing environment. However, there occasionally needs to be discussion about where emerging risks fall in those categories. For example, would digital disruption be considered a strategic risk or an operational risk? The answer could be either depending on how it impacts an organization.
In the end, the important thing is to have the discussion with the board about the new and emerging risks, and less about how they’re categorized. The same then applies to risk appetite discussions. Even if there are no new strategies, management and the board need to discuss how emerging risk areas may impact their ability to achieve chosen strategies, and whether those emerging risks would change their perspective on risk appetite. Given the accelerated pace of change, these discussions should be held as often as necessary, as opposed to making it a once a year agenda item.
In 2018 Paul Sobel was appointed chair of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the body known for its frameworks for internal control and risk management. Paul Sobel holds the position for three years. He has long experience as head of internal audit in several organizations, but moved into the role of Chief Risk Officer at GeorgiaPacific LLC at about the same time as he became chair of COSO. Sobel has held many positions in the global IIA and was also the global association’s chair in the period 2013–2014.