Page 477 - COSO Guidance
Risk Appetite — Critical to Success

The role of appetite in enterprise risk management

Appetite is only one part of enterprise risk management—one that does not operate in isolation. As set out in the Framework,[2] appetite flows through all aspects of enterprise risk management. It needs to integrate with other parts of the business, from strategy development to implementation and monitoring.

This document reinforces the views in the COSO Framework by emphasizing that:

• Organizations must understand the changing business context and how the organization reacts to those changes.

• The amount of risk the organization is willing to take is something that the C-suite and board should know when selecting strategies and objectives.

• The choice of strategy and objectives are significant factors to organizational success.

• Taking risks requires a sense of what amount of risk is acceptable in pursuing strategies and objectives, balancing the relationship of risk and reward.

• Choosing the status quo constitutes a risk that management must also assess.

• Risk appetite need not be about quantification.

Clarifying Some Language

RELATIONSHIP BETWEEN STRATEGY AND OBJECTIVES
Strategy is the organization’s plan to achieve its mission and vision and apply its core values to drive performance and value. We hold the view that strategy precedes objectives. It follows, then, that strategy is directly linked to the decisions about how an organization creates value. Objectives are those measurable steps an organization takes to achieve its strategy. Objectives cascade to the entity’s business units, divisions, and functions.

RELATIONSHIP BETWEEN OBJECTIVES AND TOLERANCE
Tolerance refers to the boundaries of acceptable variation in performance relative to objectives. We view tolerance through a performance lens, aligning it with performance measures used for objectives, not risk. This is further explored in Appendix A.

RELATIONSHIP BETWEEN RISK PROFILES AND PORTFOLIO VIEW
Both risk profiles and portfolio view refer to a composite view of the risk that may affect performance relative to the strategy and objectives. A portfolio view is more encompassing, because it is entity-wide, and risk profiles may be at any level of the entity.
[2] Appendix A provides an expanded description of Enterprise Risk Management—Integrating with Strategy and Performance and how appetite is depicted in the Framework.
coso.org