Do you know what a Risk Appetite is?
I don’t mean the Institute definition, useful though that is for audit methodology manuals, crosswords and the like. I mean the tangible meaning behind these terms, the description that helps us understand the way the world works, or at least how the business should operate and respond to audit findings among other things. There must be more to those phrases apart from the garlic-to-vampires effect that they produce when used on auditors.
OK, so the ‘business’ can decide what its risk appetite is, what risks its prepared to carry, and which it will remediate or transfer or terminate or whatever. I get that in principle. But if its an appetite, doesn’t that imply that there’s some sort of desire, something that they want?
When I develop an appetite, I need big mouthfuls of tasty food to satisfy it, and I’m gonna scour the high street looking for it at all hours in the night or day. I’ll hand over my hard earned cash in to pay for it, confident in the knowledge that it’s a sound investment in my long term wellbeing, and if push comes to shove I’m gonna satisfy that appetite with a big greasy mac or whatever else I can find, rather than go hungry for another hour and leave that appetite languishing.
When my traditional Friday afternoon appetite hits me (often not on a Friday), when I can hear the pints of stout calling my name on the wind, softly crying out to me in their loneliness, you better believe that I’ll move hell and high water to be reunited with that object of my desire, and satisfy that appetite as fast and as thoroughly as I can possibly manage. That’s appetite.
But it seems to me that the risk appetite that we auditors deal with is the opposite of this. It’s the point beyond which even the most obstinate short-termist audit client doesn’t want to go, a risk which even in the immediate term looks like a bad gamble. Risk appetite only comes up in the discussion when we’re talking about risks we’re carrying because of a bad decision years ago, or even months ago. Its OK to accept the risk because it would cost heaps to remediate it.
Yeah, it would now, because you cut too many corners, you screwed up your process design, you implemented inadequate systems, and you retrenched the staff who used to know how it all worked and replaced them with feeble minded automatons! So now, at this point in time, it’s expensive to fix, and that’s where the appetite kicks in. We’ll accept the risk. Yeah, good one.
Does that sound like a healthy appetite to you?
Shouldn’t the business be scouring the metaphorical food courts of their operations hunting for tasty morsels of risk to stuff in their gob? Wouldn’t you expect them to be doing allegorical online shops to fill their “pantry” (or their project roadmap if you like) with pots and pots of pot noodles (barely-there controls) and enough microwave frozen dinners (manual workarounds with increased potential for error or malicious insider activity) to see them through a series of The Soprano’s?
And if they find that the risk profile of most of their operations are well below their appetite, shouldn’t they look for ways to pour on the figurative sweet and sour sauce (of reduced effort in control activities) to get that profile inching up the chart?
Anyway, the conclusion I’ve reached is that audit clients have some symptoms of an eating disorder when it comes to risk. The appetite can come on very strong at times, especially at audit time, causing an over indulgence. Then, with regret and sometimes shame, the client sometimes realises that it can’t stomach everything its eaten. Its appetite was too big, and now it needs to displace some of the excess (before the next audit), and that can be followed with a total aversion to eating anything for a while.
I put the blame on those glossy magazines that promote unrealistic images of corporate governance.
See you next week.