Page 493 - COSO Guidance
Risk Appetite — Critical to Success | 21
Building appetite into day-to-day practices

Management cannot just assume that responsible individuals will make decisions within the intended appetite. Therefore, organizations need to review the application of appetite through other practices. These may include the following:

• Expanding the time allocated to performance versus appetite in senior management meetings, considering both over- and underperformance.
• Integrating appetite statements into business cases, so that major decisions are made with a full consideration of risk (e.g., by adding questions that link to appetite statements).
• Conducting sessions on appetite with those with key decision-making authority, taking them through scenarios considered when developing appetite to reinforce the desired type and amount of risk to be taken on.
• Reviewing reports on actual or expected changes in the external environment, including megatrends shaping the overall future of the business.
• Enhancing reporting to management and board on how actual performance and risks are tracking versus expectations.
• Incorporating any appetite and tolerance measures into an existing governance, risk, and compliance system.
• Incorporating appetite within senior management’s personal plans and objectives.
• Reflecting tolerance in operating policies and procedures.

EXAMPLE 7
Gaining acceptance within the organization

An organization was considering how to gain acceptance for using appetite in decision-making. The director of enterprise risk management ran a workshop, dividing attendees into two teams. Each team was presented with a scenario that required analysis and a decision to proceed with the plan. Each team discussed, then presented their decision and how they arrived at it. Team 1 was given a copy of a newly drafted set of appetite statements. Team 2 was not given this guidance.

When it came time to debrief, it was clear to all attendees that Team 1—those with the appetite statements—had a much more robust business conversation. Team 2 tended to default to their own area of experience in reaching a decision. Team 1 had used the appetite statements to consider a great number of perspectives before reaching a decision. The outcome did not just “anchor and adjust” from experience, but rather it provided a broader and richer analysis, leading to more comprehensive discussion.

We suggest organizations integrate risk appetite and tolerance into the review and revision practices used to evaluate performance.

Review and revise when needed

Once an organization’s appetite is developed and communicated, management, with board support, must revisit and reinforce it. Appetite cannot be set once and then left alone for extended periods. A review is especially important whenever the organization’s business context begins to change. These may include, for instance, the following:

• Viewing performance as depicted in established tolerance levels. Where actual performance is approaching the boundaries of acceptable levels, either develop plans to bring performance in line with established limits or revisit the established limits to determine if they remain appropriate given the current business context.
coso.org