Page 692 - COSO Guidance
Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite | 3
Overview

Risk Appetite is an integral part of Enterprise Risk Management

COSO’s Enterprise Risk Management — Integrated Framework defines risk appetite as follows:

The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks. 1

This definition raises some important points. Risk appetite

• is strategic and is related to the pursuit of organizational objectives;
• forms an integral part of corporate governance;
• guides the allocation of resources;
• guides an organization’s infrastructure, supporting its activities related to recognizing, assessing, responding to, and monitoring risks in pursuit of organizational objectives;
• influences the organization’s attitudes towards risk;
• is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and
• requires effective monitoring of the risk itself and of the organization’s continuing risk appetite.

As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. Those in governance roles should explicitly understand risk appetite when defining and pursuing objectives, formulating strategy, and allocating resources. The board should also consider risk appetite when it approves management actions, especially budgets, strategic plans, and new products, services, or markets (in other words, a business case).

In working towards their objectives, organizations choose strategies and develop metrics to show them how close they are to meeting those objectives. Managers are motivated to achieve the objectives through reward and compensation programs. The strategy is then operationalized by decisions made throughout the organization. Decisions are made to achieve the objectives (increase market share, profitability, etc.). But achieving objectives also depends on identifying risk and determining whether the risks are within the organization’s risk appetite.

1 COSO, Enterprise Risk Management — Integrated Framework, p. 19.
www.coso.org