26 | Risk Appetite — Critical to Success
APPENDIX A. Appetite and Enterprise Risk Management—Integrating with Strategy and Performance
In 2017 COSO released Enterprise Risk Management—Integrating with Strategy and Performance (the “Framework”). The Framework renewed the conversation on appetite and clarified the relationship between appetite and tolerance. It emphasized the importance of the following:

• Linking to mission and vision as the first anchor of appetite.
• Applying appetite in the development of strategy.
• Making appetite about strategies and objectives, not risk.
• Using appetite in decision-making.
• Focusing on the level of risk requisite for performance.
• Viewing appetite through the lens of stakeholders.
• Linking higher-level guidance on decision-making with business-focused metrics.

COSO Infographic with Principles

The diagram below illustrates the five Framework components and their relationship with the entity’s mission, vision, and core values and the entity’s overall direction and performance. Within these 5 components are a series of 20 principles that represent the fundamental concepts associated with each component. Principle 7 specifically focuses on defining appetite and is captured within the blue ribbon in the illustration.
Figure 6. Risk Management Components
Source: COSO Enterprise Risk Management—Integrating with Strategy and Performance

[Infographic “Enterprise Risk Management”: the five components and their 20 principles, shown against the flow Mission, Vision & Core Values → Strategy Development → Business Objective Formulation → Implementation & Performance → Enhanced Value.]

Governance & Culture: 1. Exercises Board Risk Oversight; 2. Establishes Operating Structures; 3. Defines Desired Culture; 4. Demonstrates Commitment to Core Values; 5. Attracts, Develops, and Retains Capable Individuals.
Strategy & Objective-Setting: 6. Analyzes Business Context; 7. Defines Risk Appetite; 8. Evaluates Alternative Strategies; 9. Formulates Business Objectives.
Performance: 10. Identifies Risk; 11. Assesses Severity of Risk; 12. Prioritizes Risks; 13. Implements Risk Responses; 14. Develops Portfolio View.
Review & Revision: 15. Assesses Substantial Change; 16. Reviews Risk and Performance; 17. Pursues Improvement in Enterprise Risk Management.
Information, Communication, & Reporting: 18. Leverages Information and Technology; 19. Communicates Risk Information; 20. Reports on Risk, Culture, and Performance.

Appetite is integrated throughout the enterprise risk management, as is captured in each of the five components. A few of those integrations relate to the following:

• Applying judgment as noted in Governance and Culture.
• Defining appetite and evaluating alternative strategies, and formulating objectives as noted in Strategy and Objective-Setting.
• Assessing the severity of risk and prioritizing responses as noted in Performance.
• Reviewing risk and performance and pursuing improvements in enterprise risk management as noted in Review and Revision.
• Communicating risk information as noted in Information, Communication, and Reporting.

Additional guidance is available in Enterprise Risk Management Integrating with Strategy and Performance: Compendium of Examples, specifically the examples on the energy company and the not-for-profit organization.
coso.org