As I and others repeat often, it is impossible to manage every risk. Doing so is counterproductive and leads to even more problems than it solves, including preventing your organization from achieving its goals and objectives.
Here is the truth: life is about choices and resources (time, financial, etc.) are scarce. Risks are no different.
Once the likelihood, impact, and other parameters like velocity are understood, you then conduct a risk analysis to see how the risk (…or opportunity) aligns with your predetermined appetite and tolerance. With this knowledge in hand, you, your team, and executives can then develop an appropriate response to that risk.
It’s inevitable that through this process you discover that some risks exceed your organization’s appetite. Technically speaking, the next step should be to mitigate or take other actions to bring the risk down to an acceptable level. This will often be the default course of action for risks around safety or compliance, but for risks and opportunities around strategic objectives…
It’s not always practical or advisable to reduce a risk to an acceptable level, so the question becomes ‘what do we do?’
Most executives understand that risks have to be taken for the organization to reach its goals and remain relevant. In our constantly changing world, companies who take a ‘risk-averse’ approach will increasingly find themselves being displaced by more agile competitors who are willing and able to stay ahead of the curve.
But are executives taking risks in an informed way?
As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives:
The biggest gap is in understanding that risk management is not about avoiding harms. It is about increasing the likelihood of success. It is about understanding what might happen and acting to increase the extent and likelihood of success.
As we discuss in this fundamental article, traditional risk management is about managing a list of harms and taking steps to reduce their impact and likelihood. But this mindset leads executives to view risk management as just another check-the-box compliance exercise and not a valuable tool for developing the right strategic goals.
So when it comes to any risks that exceed acceptable limits, the first and most important step is to remember to…
1. Take things on a case-by-case basis. Don’t assume that you always have to take action(s) to reduce a risk just because they exceed risk appetite. If the potential gain exceeds the potential loss, you may be able to accept the risk as-is or make slight adjustments to certain elements of it.
Once you have identified risks that are impractical to reduce or mitigate to within acceptable limits, you then need to…
2. Understand what is and isn’t within your control. Risks and opportunities do not occur in a vacuum…there are many interconnected moving parts at work. Root cause analysis is one tool for helping you separate out what you can and can’t fix. As I discuss in a previous article on enterprise risk analysis:
Root cause analysis is especially helpful when examining risks that are out of your organization’s control. While you may be unable to do anything about this risk, you may be able to dig into its root causes, address those, and take steps to reduce the likelihood of the main risk occurring.
An example mentioned in this article is a grain company who identified weather as a risk. Now we are all keenly aware that weather is out of our control, so instead of trying to fight nature, the company decided to look at things within its control like product waste or loss that could impact grain volume. While they may have reduced the likelihood of the weather impacting grain volumes, they are not able to affect the likelihood of a weather event or reduce the impact to an acceptable level. However, by taking these other steps, they can say with confidence that they can accept the risk.
Therefore, once you have taken steps to appropriately manage the components of the risk that are within your control, whether that’s minimizing them or otherwise, it is time to…
3. Monitor what’s out of your control. Despite risk monitoring being such a vital process, it remains a struggle for many companies according to surveys from NC State and others. Essentially, risk monitoring activities are seeking to understand when and how a risk changes and how those changes will impact objectives.
While important for all risks, monitoring those elements outside of your control and your company’s appetite/tolerance are even more vital. Risks, the internal and external factors surrounding them, and their effects on the organization are always changing. Taking steps to understand these changes in a systematic way are necessary for knowing if any adjustments need to be made to the strategy, to the assessment of the risk itself, the response, and so on. Unfortunately, both ISO and COSO provide little to no guidance on how to do it effectively.
It’s quite possible that, through this process, you will discover that the risk is not as big of a deal as once thought, and the organization can shift its focus to more urgent threats and opportunities.
So is it ever okay to exceed risk appetite?
The answer is: it depends. (Of course!) However, by taking the steps above, you can uncover the elements of a risk that are truly out of your control, monitor them closely, and adjust accordingly, while giving your organization the chance to focus on areas that truly need time and attention.
How does your company handle risk(s) that exceed predetermined appetite and tolerance levels?
Like risk appetite in general, this can be a challenging topic for many organizations. If you have any thoughts or experiences you would like to share that may help your peers, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
Lastly, if there are risks outside of your control that could have a big impact on your organization’s success and you don’t know where to begin, feel free to contact me today to discuss potential next steps.
Featured image courtesy of August de Richelieu via Pexels.com