Page 489 - COSO Guidance
P. 489
Risk Appetite — Critical to Success | 17
ARTICULATING AND COMMUNICATING RISK APPETITE
TO SUPPORT DECISION-MAKING
Once an overall risk appetite is developed, management Of these terms, “medium” is often the most challenging.
must then choose a mechanism for communicating it. The Many simply interpret it to mean as “more than low and less
clarity of communicating appetite improves when there than high,” often leaving appetite statements lacking clarity
is a commonly applied structure, one that considers the unless there is added context.
choice of language, the intended level of precision, and
preferably a focus on strategy and objectives rather than That’s why organizations are encouraged to add context to
risks. Regardless of approach, appetite does need to flow the broad terms, for example,
from the board down through senior management, middle
management, operational leaders, and staff. Echo Relief, a service organization to help people through
disasters, will pursue new programs that enhance the
Each organization should determine the best way to delivery of services to those in need within our financial
communicate appetite to operational leaders in a manner ability. We will accept moderate risk to the safety of staff
specific enough to provide clarity to those tasked with and volunteers as we respond to disasters. In order to
monitoring whether risks are being managed within appetite. maintain good stewardship of donor funds, we have a low
Although those in a risk role will often use risk-specific appetite for risks related to misuse of funds.
terminology, communication styles need to resonate
across stakeholder groups and at varying levels within the Others will develop more precise appetite statements,
organization. such as,
To be effective, appetite must be: We are not comfortable accepting more than a 10%
probability that we will incur losses of more than
• Operationalized through appropriate tolerances, and $1 million in pursuit of a specific objective.
where necessary, codified through policy
Deciding which type of appetite statements are best is
• Stated in a way that assists management in decision- up to management. Stakeholders, however, prefer risk
making statements that are not generic, but rather refer to how
management and the board run the organization. Often,
• Precise enough to be useful in making decisions and in as organizations become more experienced and their risk
monitoring by management and others responsible for management capabilities mature, their appetite statements
managing risk become more precise.
• Applied by those with decision-making authority from the
board through senior and middle management on down We suggest organizations view the
into the entity current level of precision in their
appetite statement and ask if it has
evolved as overall risk management
We suggest organizations adopt capabilities have matured.
language that resonates with both the
stakeholder group and at varying levels
within the organization.
Choice of language
The choice of language and length of an appetite statement
will vary by organization. Some statements require several
Precision in appetite statements sentences to express how much risk is both necessary and
Appetite statements often start out broadly, perhaps acceptable, while others may be more succinct and still
with a single overarching statement, followed by more clearly communicate management’s appetite for risk. The
precise statements that cascade into tolerance statements aim is to balance brevity with clarity.
relevant to operations across the organization. Some
organizations find that broad statements crafted around In developing a statement, the organization should
terms such as “low,” “medium,” or “high” appetite are ensure that appetite is sufficiently stated so that it can be
sufficient for their needs. communicated to a variety of stakeholders and to those at
various levels within the organization.
c oso . or g
