Over too many years, when pointing out a risk or situation, either management or the people below them may respond with "it's okay, we've accepted that risk".
Really? Who accepted that risk, and did they have the authority to accept that much risk on behalf of the business? In too many cases the risk identified was significant, and if presented to senior management or the Board, that risk would not have been "accepted", at least not without consideration of the implications and costs of remediation or reduction of the risk.
What actually happened is that the person or people dealing with the risk have been unable to quantify or otherwise clarify the risk and potential impact, or develop a costed and realistic plan to mitigate the risk. Because of this, they have failed to convince themselves of the severity of the risk, and therefore are unable to communicate that exposure to senior management. Having failed to effectively communicate, they fall back on "we've accepted that risk".
Too often what was missing was an actual assessment of the risk, either subjective or, where possible, quantitative. Such an assessment should include a definition of the existing controls and an assessment of the effectiveness of those controls.
Controls exist to provide confidence that risks are being managed. As such, on a quarterly, six-monthly or, for some controls, annual basis, the management owners of controls should confirm that the controls associated with risks are functioning and are effective. Evidence should then be provided that demonstrates that the controls are functioning.
Rarely is there a formal confirmation that the person responsible for the control actually has the authority to accept the associated risk.
Risk acceptance can be split into two parts:
- First, is the Risk Appetite appropriate for this risk? It may well be that the entity's Risk Appetite is too cautious for this type of risk, and therefore the reduction of the risk to tolerable levels will be too expensive and result in a situation of "over-control".
- The second factor is the authority of the person accepting the risk. While companies generally have Delegations of Financial Authority (DFAs), rarely is there a formal Delegation of Risk Authority (DRA).
To put that into a concrete example, a manager may have a financial delegation of up to $/€/£10,000. That is the level of expenditure that has been determined to be appropriate for that level or individual, without the need for additional authority. The next level up may have a delegation of $/€/£50,000. Finally, for major decisions, a Director or Board authority might be required, say for investment or programmes with a value above $/€/£1,000,000.
But how much Risk can a manager accept?
What is missing from the picture is the Delegated Risk Authority to accept a residual risk position. All risks have an inherent level of risk and potential impact. We implement controls to reduce or manage the risks resulting in our residual or "net" risk position. Yet our residual risk position may not represent a level of risk that is acceptable to the entity within the bounds of the entity's Risk Appetite.
Where the residual risk is above the acceptable level, either additional controls or mitigation needs to be put in place, or the residual level of risk needs to be "accepted" (which logically would alter the Risk Appetite for that particular risk).
The question is: who has the authority to accept that residual level of risk?
My recommendation is that companies put in place a Delegation of Risk Acceptance (DRA) that mirrors their Risk Assessment levels. Most companies use, for better or worse, a Likelihood x Impact grid, and that grid provides a ready basis for the Delegation of Risk Acceptance.
When a "risk" is accepted, this indicates that there is agreement that no additional actions or controls will be put in place to further reduce either the impact or the likelihood of the risk.
For example, the entity may have assessed the risk of a System Failure as "High Likelihood / High Impact" before remediation of any kind. Controls in the form of effective governance over IT systems may have brought the assessed residual level of risk down to "Medium / Medium". However, the Risk Appetite may have been stated by the Board to be "Medium (Likelihood) / Low (Impact)".
In this case, there is a disconnect between the residual risk position and the Risk Appetite, and either the residual risk must be "accepted" or additional controls must be put in place.
The "solution" is the Delegations of Risk Acceptance.
For each risk (as per the Risk Appetite and/or grid) there should be an identified level of authority to accept a residual risk position. For example, a residual risk level of High/High should only be "accepted" by the Board, while a Low/Low residual risk position may be "accepted" by a manager.
In this case, the DRA may state that residual risk positions that are "Medium" (in likelihood or impact) require acceptance at the Cxx level, so for this example the CIO should be required to "accept" the residual "Medium / Medium" position, based on an assessment of the cost and effort to bring the residual risk to the Risk Appetite level of "Medium / Low".
The key to the Delegation of Risk Acceptance is that it is linked to the difference between the actual residual risk scoring and the Risk Appetite. Where there is no difference, and the residual risks score equals the Risk Appetite, there is no need to "accept" the risk.
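To make the decision rule above concrete, here is an added worked example (not from the original article) that encodes the Likelihood x Impact grid, the comparison of residual risk against Risk Appetite, and the approver level the DRA requires. The approver mapping (Manager / Cxx / Board), the rule that the higher of the two residual ratings sets the required level, and the risk register entries are all assumptions for illustration.

```python
from enum import IntEnum
from typing import NamedTuple, Optional

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

class Rating(NamedTuple):
    likelihood: Level
    impact: Level

# Assumed DRA table: the higher of the two residual ratings decides who
# may accept the position (Low/Low -> Manager, any Medium -> Cxx, High -> Board).
DRA_TABLE = {Level.LOW: "Manager", Level.MEDIUM: "Cxx", Level.HIGH: "Board"}
# Assumed ordering of authority, used to check whether an acceptor is senior enough.
AUTHORITY_RANK = {"Manager": 1, "Cxx": 2, "Board": 3}

def parse_rating(text: str) -> Rating:
    """Parse strings such as 'Medium / Low' (likelihood first, then impact)."""
    parts = [p.strip().upper() for p in text.split("/")]
    if len(parts) != 2:
        raise ValueError(f"expected 'Likelihood / Impact', got {text!r}")
    return Rating(Level[parts[0]], Level[parts[1]])

def acceptance_required(residual: Rating, appetite: Rating) -> bool:
    """Acceptance is only needed where residual exceeds appetite on either axis."""
    return (residual.likelihood > appetite.likelihood
            or residual.impact > appetite.impact)

def required_approver(residual: Rating, appetite: Rating) -> Optional[str]:
    """Return the DRA level that must accept the residual position, or None."""
    if not acceptance_required(residual, appetite):
        return None
    return DRA_TABLE[max(residual.likelihood, residual.impact)]

def can_accept(acceptor: str, residual: Rating, appetite: Rating) -> bool:
    """Does this acceptor hold enough delegated authority for the residual gap?"""
    needed = required_approver(residual, appetite)
    if needed is None:
        return True  # nothing to accept: residual already within appetite
    return AUTHORITY_RANK[acceptor] >= AUTHORITY_RANK[needed]

if __name__ == "__main__":
    # Constructed register entry mirroring the article's System Failure example.
    residual = parse_rating("Medium / Medium")
    appetite = parse_rating("Medium / Low")
    print("approver needed:", required_approver(residual, appetite))   # Cxx
    print("manager may accept:", can_accept("Manager", residual, appetite))  # False
```

Running the check over a risk register turns "we've accepted that risk" into a record of who accepted it and whether their delegation actually covered the gap.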
Has this been implemented?
Yes, though with mixed success. As with all issues of Risk Management, the quality of Board, Director and Senior Management buy-in is critical. Communication is required, as is an understanding of the risk and control environment, both internal and external.
When used effectively, the DRA can ensure that risk acceptance is being taken at the right levels, or additional investment is authorised to bring the residual risk situation into line with the Risk Appetite. I have seen this accomplished, and the risk environment has been demonstrably improved.
Likewise, this provides Internal Audit with an effective tool to communicate and encourage the implementation of effective controls. On the one hand, IA "empowers" the auditee to perform their risk assessment and then gain the required investment or reallocation of resources to resolve the audit issue; on the other, management with sufficient DRA is able to confirm that the risk identified by IA has been accepted at an appropriate level.