Page 581 - COSO Guidance
2. Strategy and objective-setting for ESG-related risks
The COSO ERM Framework defines strategy as the organization’s plan to achieve its mission and vision and to apply its core values.⁶⁹
To effectively manage ESG-related risks, it is critical to understand the strategic and operating plans of the business. Risk management and sustainability practitioners should not attempt to identify, assess or respond to ESG-related risks in isolation from the entity’s strategic direction, business objectives or risk appetite. For example, the risk of bribery and corruption impacting the operations of a business unit will be very relevant to an entity with a growth strategy into emerging markets (such as South America and Africa) as compared with a European-based organization.
Pro Paper & Packaging: See Appendix VIII for an illustrative example of aligning risks to the strategy and business objectives.
Risk appetite
The COSO ERM Framework defines risk appetite as the types and amount of risk, on a broad level, that an entity is willing to accept or reject in pursuit of value.⁷⁰ Tolerance is defined as the boundaries of acceptable variation in performance related to achieving business objectives.⁷¹ Once set, risk appetite and tolerance become the boundaries for acceptable decision-making. Boards and management typically set the risk appetite for the entity when considering strategy and business context, as the two are often intertwined. Table 2.9 illustrates one approach to setting risk appetite.
Entities with effective ERM practices contemplate risk appetite in decision-making. If an organization has an aggressive growth strategy, it may be willing to accept more risk in general. In contrast, an entity in a mature industry may be risk averse generally but willing to accept more risk in certain strategic areas.
Table 2.9: Example risk appetite application
Approach to setting risk appetite
• Risk appetite is:
- Defined at a high level (top down)
- Based on the entity’s core values and strategic ambition
- Rooted in the business context
• Risk appetite considers the types of risks (strategic, operational, financial, compliance) the entity needs to take, or avoid, in order to achieve its strategic ambition.
• The organization typically is willing to take on a net total amount of risk, which can be allocated to each category of risk to align with the organization’s core values and strategy.
• Risk capacity is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives. It considers liquidity, stakeholder relationships, capabilities and other factors.
• Risk capacity provides a set of boundaries for defining meaningful risk appetite and tolerance.
Consideration of the organization’s risk appetite is instrumental when prioritizing risks and selecting risk responses. It supports thoughtful deployment of resources and inhibits development of objectives that would exceed the risk appetite. Risk management practitioners compare the severity of a potential risk against their risk appetite. If the severity is within their appetite, then entities typically accept or pursue the risk. If the severity is greater than the appetite, then they avoid, reduce or share the risk (see sub-chapter 3c).
Risk management and sustainability practitioners should consider risk appetite throughout the ERM process.
Some example questions include:
• What ESG-related risks are necessary and acceptable for achieving strategic ambitions?
• What ESG-related risks should the entity avoid?
• What levels of ESG-related risks are acceptable?
• How do current investments, operations and commitments compare to the entity’s risk appetite?
• Do incentives and performance targets align with the entity’s risk appetite?
34 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018