Risk "Appetite"
The accounting and finance industries surely lead the way in the management of risk, despite the recent mortgage debacle in the finance industry. I say this because of the maturity of the risk management processes in these industries. Those processes are represented by the Integrated Framework study published by the Committee of Sponsoring Organizations (COSO) in September of 2004, which describes the committee's recommended approach to what they refer to as Enterprise Risk Management (ERM, another acronym for your collection). This study was commissioned by the American Institute of Certified Public Accountants (AICPA) and called the Treadway Commission. The sponsoring organizations include a "who's who" of the American accounting and financial industries; just about all the accounting organizations were represented, as were companies such as I.E. Dupont, Motorola, and PricewaterhouseCoopers.
One of the key recommendations of their study, and a cornerstone of their Enterprise Risk Management processes, was that the Board of an organization is ultimately responsible for giving direction to the company in the area of risk management. The Board's contribution to directing efforts is represented by a statement of "risk appetite", which is intended to be used by the management of the company to select the projects it undertakes and to manage risk on those projects. The statement is a very general description of the approach to risk which the Board wishes the company's managers to take. COSO actually makes management responsible, in part, for soliciting the statement. Although this dual responsibility may muddy the waters of statement creation, it clearly implies that if the Board of Directors is not educated in the ways of ERM, it is up to management to be proactive in educating the board and soliciting the statement. This statement then governs the setting of risk tolerance thresholds, the definition of risk activities, and the monitoring and control of the risk activities carried out by the organization.
The approach taken by COSO, as described in their Integrated Framework, mirrors that taken by many Quality methodologies in that it is directed from the top down and requires support and input from the very top of the organization's managerial hierarchy. ERM probably goes one step beyond most Quality methodologies in this area by starting with the Board of Directors. You can't get any higher up the ladder than that! Although the approach may seem slightly over the top, COSO has moderated it somewhat by holding management dually responsible for soliciting direction from the board. This strategy has worked for many Quality methodologies for a good many years, so it seems to me that COSO is emulating a proven approach.
By now, you will be asking yourselves what any of this has to do with project management. Let me explain. We all know the frustration of managing a project where the customer or client doesn't make their requirements clear to us. We usually find out what our client really wanted only after we have delivered what we thought they wanted. Nowhere is this more true than in the area of managing risks to the project. Those of us who studied the best practices espoused by the PMBOK in a PMP course, or other PMP exam preparation training, attempt to get at a risk tolerance threshold that we can use as a yardstick against which to measure our prioritized risks to determine whether we should mitigate or accept them. I'm not recommending that you try to teach your sponsors, customers, and clients Enterprise Risk Management; just that you communicate to them how important their guidance is in defining an approach to risk management that mirrors their expectations. Soliciting a "risk appetite" statement should be simpler than trying to educate a sponsor in the mysteries of risk analysis and probability-impact (PI) scores so that they can define a tolerance threshold.
Don't simply approach your sponsor/client/customer and
ask them for a "risk appetite" statement. Schedule a meeting for the
purpose of discussing risk management for your project. You can begin with a
quick review of your Risk Management plan which should contain an explanation
of your approach, including this meeting. Explain the purpose of an appetite statement
and then break your project down into goals, objectives, milestones, and
deliverables. Ask them what their appetite is around each. You can ask them to
rate appetite on a scale of 1 to 10, or rate them as high, medium, or low.
Approaching risks in this fashion won't give you the threshold score you need
but should give you enough of an insight into their priorities to allow you to
prioritize your risk list. Don't forget to include goals in the areas of
performance, project budget, quality, safety, and Corporate Social
Responsibility. You can then decide on how to establish a threshold to apply.
One method is to determine the budget for mitigation and then determine how
much of the list your project can afford to mitigate.
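To make the procedure above concrete, here is an added example in Python (not from the article): the sponsor's appetite rating per objective weights each risk's probability-impact score, and the mitigation budget decides how far down the prioritised list the project can afford to go. The weighting rule, the sample risks, the appetite ratings and the budget are all constructed assumptions.

```python
"""Added example: prioritise a project risk list against per-objective appetite
ratings and a mitigation budget. Scoring rule and sample data are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    objective: str        # goal, milestone or deliverable the risk threatens
    probability: float    # 0..1, chance the risk is realised
    impact: float         # 1..10, severity if it is realised
    mitigation_cost: int  # cost (currency units) to mitigate it

# Constructed sponsor answers: appetite 1 (averse) .. 10 (high) per objective
APPETITE = {"schedule": 7, "budget": 4, "safety": 1, "quality": 5}


def priority(risk: Risk, appetite: dict) -> float:
    """PI score scaled by how little appetite the sponsor has for the objective.
    Assumed rule: weight = (11 - appetite) / 10, so appetite 1 keeps the full
    PI score and appetite 10 keeps only a tenth of it."""
    pi_score = risk.probability * risk.impact
    return pi_score * (11 - appetite[risk.objective]) / 10


def plan(risks, appetite, budget):
    """Return (mitigate, accept): the highest-priority risks are mitigated in
    order until the next one no longer fits the budget; that one and any
    later risk that does not fit are accepted."""
    ordered = sorted(risks, key=lambda r: priority(r, appetite), reverse=True)
    mitigate, accept, spent = [], [], 0
    for risk in ordered:
        if spent + risk.mitigation_cost <= budget:
            mitigate.append(risk.name)
            spent += risk.mitigation_cost
        else:
            accept.append(risk.name)
    return mitigate, accept

# Constructed risk register for a small installation project
RISKS = [
    Risk("vendor delivers late", "schedule", 0.6, 6, 3000),
    Risk("site accident during install", "safety", 0.3, 10, 5000),
    Risk("currency swing raises cost", "budget", 0.5, 5, 2000),
    Risk("defects found in acceptance", "quality", 0.4, 7, 4000),
]

if __name__ == "__main__":
    to_mitigate, to_accept = plan(RISKS, APPETITE, budget=9000)
    print("mitigate:", to_mitigate)
    print("accept:  ", to_accept)
```

Note that the low safety appetite lifts a 0.3-probability risk above a 0.6-probability schedule risk, which is exactly the reordering the sponsor's answers are meant to produce.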
The SANS Technology Institute is one organization that has created a risk appetite statement that they are willing to share with the public. They use a five-point scale to measure appetite:
- Risk Averse. The institution is unwilling to accept the risk.
- Low Risk Appetite. The institution is unwilling to accept the risk in most circumstances.
- Balanced Risk Appetite. The institution is willing to accept a "balanced" risk.
- Moderately High Risk Appetite. The institution is willing to accept a moderately high risk to their goals and objectives.
- High Risk Appetite. The institution uses the sponsorship of a football team as an example of this degree of risk. They assess the probability of an injury from playing football as a question of when, not if.
The institution uses this scale as a guideline for choosing which projects they are willing to undertake.
This is not a cure-all for what ails your project in the area of risk management, but it is a way of viewing risk management that you may not have considered previously. This approach might just succeed in extracting the direction, in terms of risk appetite, that has been missing from your projects to date.