Michael D. Moberly January 27, 2014 ‘A blog where attention span really matters’.
Companies and organizations encounter – engage risk every day, even multiple times per day, certainly no debate on that issue. But, in my 25+ years of experience on the security – asset protection side of risk, I, like many of my colleagues, recognize business risk is perceived, defined, and addressed through a variety of lens, often dependent on (a.) one’s professional discipline, and (b.) their company specific responsibilities and/or oversight of assets.
One point I wish to make at the outset is this; as an intangible asset strategist and risk specialist, it is consistently necessary for me, when engaging clients, particularly new ones, that when the subject of risks arises, its absolutely critical that I recognize and respect that just because key business unit and management team members are at the same table, seldom do their perceptions and targets of risk necessarily coincide nor is consensus reached easily.
I attribute this circumstance in large part, to another reality, which is, a sizable number of management teams, c-suites, and boards, while they may generally know what intangible assets are, they (a.) variously remain operationally unfamiliar with the intangibles their company produces and utilizes, and (b.) have yet to feel compelled to achieve a higher level of operational familiarity to consistently engage their intangibles more effectively, competitively, and profitably.
Obviously, these realities present some challenges. One is that it can impair the accuracy of a company’s risk assessment even though, as noted above, intangible assets are quite literally integral to most every aspect of conducting business regardless of industry sector, company size, or maturity. Nevertheless, I endeavor to remain respectful of the various (business) risks management team members espouse through their diverse ‘lens’. My initial objective is to respectfully guide management team members, c-suites, and boards, to recognize the ultimate target of their company’s risks – threats are, with increasing consistency, intangible assets.
That is, for a substantial majority of companies globally, 80+% of their value, sources of revenue, and ‘building blocks’ for growth, sustainability, and profitability today lie in or directly emerge from intangible assets. My experiential expression of this economic fact – business reality generally produces the necessary intellectual and business bridge and/or linkage to achieving sufficient consensus to move forward on communicating an enterprise wide risk management initiative.
Admittedly, the notion that for most companies, their risks – threats, i.e., the ultimate, if not primary target are its intangible assets may be new. Nevertheless, a significant percentage of economic – competitive advantage adversaries globally, are really seeking a company’s intellectual, structural, and relationship capital, i.e., intangible assets. So, it is these intangibles that management teams are obliged to address and mitigate risks to, which starts by communicating (articulating) those risks, and putting in place practices, policies, and procedures designed to simultaneously sustain control, use, ownership, and monitor (the assets) value, materiality, and risks – threats. That is, if their firm is to maintain its path of success, profitability, and competitive positioning.
But, insofar as most company’s never ending efforts to manage their risks, a fundamental question remains which warrants thoughtful attention, that is, how much risk, rightfully or wrongfully, do a company’s decision makers find acceptable as they pursue their company’s mission and objectives? In other words, what is their ‘appetite for risk’? Again, as an intangible asset strategist and risk specialist correctly gauging a company management teams appetite for risk is a responsibility I do not take lightly.
A complicating factor to answering the question lie in the reality that regulators, various oversight entities, and certainly stakeholders (and, stockholders) are seeking, if not demanding companies develop better descriptions of – and refinements in their risk management processes.
The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, 2012 report titled Enterprise Risk Management — Understanding and Communicating Risk Appetite suggests, in a related way, that communicating company risk should commence by…
· understanding how much risk a company is willing to accept.
· how should a company decide how much risk it is willing to accept?
· to what extent should the risks which a company accepts, mirror stakeholders’ objectives and attitudes towards risk, and
· how does a company ensure that its business units are operating within the agreed upon boundaries which actually represent the company’s appetite for specific kinds of risk?
COSO defines ‘risk appetite’ as the amount of risk a company is willing to accept in pursuit of value. Each company pursues various objectives to add value and should recognize and understand the risk it is willing to undertake to achieve those objectives.
Accordingly, the COSO reports’ authors, suggest answers to the above questions essentially embody and/or frame a company’s risk appetite. So, readers can assume then, that the foundation or starting point for developing and communicating a clearer understanding of a company’s risk appetite is determining…
· which (business) objectives to pursue and which objectives should not be pursued, and
· how to manage those objectives within the boundaries of a company’s agreed upon appetite for risk.
Admittedly, and unfortunately, some company management teams, c-suites, and boards, when asked, characterize ‘risk appetite’ as being an interesting theoretical discussion, probably best suited for a university lecture hall than a company’s conference room and probably more relevant to ‘risk management’ than ‘risk appetite’ and therefore, not easily integrated into a company’s strategic planning or even its day-to-day decision making.The COSO report’s authors though, believe that discussions regarding risk appetite exceed the theoretical. This means, when effectively articulated, a company’s ‘risk appetite’ essentially provides guideposts and/or boundaries around the amount of risk a company should consider pursuing as part of say, a new (business) project, initiative, R&D, or transaction. Therefore, presumably, a company which decides upon – accepts an aggressive appetite for (business) risk is more likely to set aggressive goals for itself, whereas a company that is (more) risk-averse, with a lower appetite for business risk, will likely set more conservative (business) goals and objectives.
Carried to the next logical level, readers can assume when a company’s visionaries and/or its decision makers consider or embark upon a particular business strategy, somewhere in that decision making process, preferably in advance of execution, there will be a determination as to whether the agreed upon strategy will actually align with and/or remain within the company’s risk appetite boundaries. Again, when effectively communicated, a company’s ‘risk appetite’ can serve as a guide to management team members who are actually engaged in – responsible for setting the company’s goals and executing the necessary decisions to increase the probability those goals will be achieved and become sustainable relative to its operations and mission.
In other words, risk management decision making and compliance should not be executed as if they were separate – distinct from strategic planning and daily decision making. Rather both should be recognized as important components to a company’s culture, just as making decisions to attain a company’s (business) initiatives, projects, and objectives should be part of a company’s culture.
Again, an initial step, most would agree, to more fully embed risk management in a company, its decision makers and management teams should know and reach consensus on how much risk is acceptable insofar as developing strategies to accomplish both company-wide and individual business unit objectives for a company.
As a company and its management team actually begin to factor their risk appetite into their decision-making processes, they will become better positioned to (objectively) balance business risks with business opportunities.
For example, if a CEO expressed a need or desire to increase her company’s ‘risk appetite’ based on expectations that key aspects of its profitability were declining or would become stagnant, it’s quite likely…
· if it were a financial services firm, by accepting a lower risk appetite, it may well choose to avoid opportunities that produce higher levels of risk while offering the possibility of higher returns, whereas
· if it were a manufacturing firm, that accepts a higher appetite for risk may be more inclined to engage an opportunity to procure natural resources from a volatile country where its investment could be lost, literally at the whim of that country’s political leader(s). Obviously, in this instance the rewards may be high, but the risks are high as well.
So, company decision makers are obliged, if not fiduciarily responsible, to consider its risk appetite in unison with its goals and selecting which operational tactics to pursue.
I am very grateful for the work/research produced by Dr. Larry Rittenberg, Ernst & Young Professor of Accounting University of Wisconsin-Madison School of Business, Frank Martens, Director, PricewaterhouseCoopers in the development and writing of this blog post and I encourage readers to read their COSO Report titled ‘Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite’.
Comments regarding my blog posts are encouraged and respected. Should a reader elect to utilize all or a portion of my posts, full attribution is expected and appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or [email protected].