As I and others repeat often, it is impossible to manage every risk. Doing so is counterproductive and leads to even more problems than it solves, including preventing your organization from achieving its goals and objectives.
Here is the truth: life is about choices, and resources (time, money, and so on) are scarce. Risks are no different.
Once the likelihood, impact, and other parameters like velocity are understood, you then conduct a risk analysis to see how the risk (…or opportunity) aligns with your predetermined appetite and tolerance. With this knowledge in hand, you, your team, and executives can then develop an appropriate response to that risk.
It’s inevitable that through this process you discover that some risks exceed your organization’s appetite. Technically speaking, the next step should be to mitigate or take other actions to bring the risk down to an acceptable level. This will often be the default course of action for risks around safety or compliance, but for risks and opportunities around strategic objectives…
It’s not always practical or advisable to reduce a risk to an acceptable level, so the question becomes ‘what do we do?’
Most executives understand that risks have to be taken for the organization to reach its goals and remain relevant. In our constantly changing world, companies that take a ‘risk-averse’ approach will increasingly find themselves being displaced by more agile competitors who are willing and able to stay ahead of the curve.
But are executives taking risks in an informed way?
As Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives:
The biggest gap is in understanding that risk management is not about avoiding harms. It is about increasing the likelihood of success. It is about understanding what might happen and acting to increase the extent and likelihood of success.
As we discuss in this fundamental article, traditional risk management is about managing a list of harms and taking steps to reduce their impact and likelihood. But this mindset leads executives to view risk management as just another check-the-box compliance exercise and not a valuable tool for developing the right strategic goals.
So when it comes to any risks that exceed acceptable limits, the first and most important step is to remember to…
1. Take things on a case-by-case basis. Don’t assume that you always have to take action(s) to reduce a risk just because it exceeds risk appetite. If the potential gain exceeds the potential loss, you may be able to accept the risk as-is or make slight adjustments to certain elements of it.
Once you have identified risks that are impractical to reduce or mitigate to within acceptable limits, you then need to…
2. Understand what is and isn’t within your control. Risks and opportunities do not occur in a vacuum; there are many interconnected moving parts at work. Root cause analysis is one tool for helping you separate out what you can and can’t fix. As I discuss in a previous article on enterprise risk analysis:
Root cause analysis is especially helpful when examining risks that are out of your organization’s control. While you may be unable to do anything about this risk, you may be able to dig into its root causes, address those, and take steps to reduce the likelihood of the main risk occurring.
An example mentioned in this article is a grain company that identified weather as a risk. Now we are all keenly aware that weather is out of our control, so instead of trying to fight nature, the company decided to look at things within its control, like product waste or loss, that could impact grain volume. While they may have reduced the likelihood of the weather impacting grain volumes, they are not able to affect the likelihood of a weather event or reduce its impact to an acceptable level. However, by taking these other steps, they can say with confidence that they can accept the risk.
Therefore, once you have taken steps to appropriately manage the components of the risk that are within your control, whether that’s minimizing them or otherwise, it is time to…
3. Monitor what’s out of your control. Despite risk monitoring being such a vital process, it remains a struggle for many companies according to surveys from NC State and others. Essentially, risk monitoring activities are seeking to understand when and how a risk changes and how those changes will impact objectives.
While important for all risks, monitoring those elements outside of your control and your company’s appetite/tolerance is even more vital. Risks, the internal and external factors surrounding them, and their effects on the organization are always changing. Taking steps to understand these changes in a systematic way is necessary for knowing whether any adjustments need to be made to the strategy, to the assessment of the risk itself, to the response, and so on. Unfortunately, both ISO and COSO provide little to no guidance on how to do it effectively.
It’s quite possible that, through this process, you will discover that the risk is not as big of a deal as once thought, and the organization can shift its focus to more urgent threats and opportunities.
So is it ever okay to exceed risk appetite?
The answer is: it depends. (Of course!) However, by taking the steps above, you can uncover the elements of a risk that are truly out of your control, monitor them closely, and adjust accordingly, while giving your organization the chance to focus on areas that truly need time and attention.
How does your company handle risk(s) that exceed predetermined appetite and tolerance levels?
Like risk appetite in general, this can be a challenging topic for many organizations. If you have any thoughts or experiences you would like to share that may help your peers, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
Lastly, if there are risks outside of your control that could have a big impact on your organization’s success and you don’t know where to begin, feel free to contact me today to discuss potential next steps.
Featured image courtesy of August de Richelieu via Pexels.com