Page 494 - COSO Guidance
P. 494

22    |   Risk Appetite — Critical to Success







        •  Considering how often the organization approaches
          set boundaries. If an organization never approaches      We suggest organizations draw on
          these boundaries, or constantly exceeds them, perhaps   continual improvement practices. As part
                                                                  of internal reporting practices, report
          management doesn’t have a clear strategy, doesn’t      variation from desired risk appetite to
          understand, has a poorly constructed appetite, or is not   management and the board.
          behaving consistently with its own rules.


        •  Probing into appetite and decision-making when
          established tolerance levels are exceeded, either too   These phases are interactive, with the board and
          high or too low; for instance, asking whether some form   management revisiting each one as needed. The board
          of misunderstanding of appetite existed when decisions   serves in an oversight role by checking in with management
          were made or resulted in this level of performance.   periodically and probing to see when appetite may need
                                                          revising. Management revisits appetite periodically,
                                                          adjusting as business and operational conditions warrant. At

                         EX AMPLE 8                       a minimum, management and the board should revisit these
                      A company’s challenge               stages whenever strategy is changing.

           Management of a company asked the insightful
           question, “How often are we operating outside         We suggest organization set a specific
           of the set tolerance?” In exploring this question,     time period for revisiting these stages
           they noted that at any given time, as much as 5%           to ensure that risk appetite
           of its performance measures were outside the                    remains current.
           established boundaries, and a further 10% were
           approaching those boundaries. Management
           understood that where performance never
           approaches the boundaries, it likely has less
           consideration in decisions. Yet, if performance
           is frequently outside of tolerance, do these
           boundaries curtail management judgment, or
           does it mean that they are making decisions
           without understanding the underlying risk?
           Management was faced with the challenge of
           determining whether this level of performance
           versus appetite indicated that appetite and
           tolerance formed a healthy level of feedback
           on decisions or whether established levels
           needed revisiting.






























           c oso . or g
   489   490   491   492   493   494   495   496   497   498   499