Page 695 - COSO Guidance
6 | Enterprise Risk Management — Understanding and Communicating Risk Appetite | Thought Leadership in ERM
Risk Appetite Statements
An organization’s risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management. The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.

The length of a risk appetite statement will vary by organization. Some statements require several sentences to express how much risk is acceptable, while others may be more succinct and still clearly communicate management’s appetite for risk. The aim is to balance brevity with the need for clarity.

Characteristics of Effective Risk Appetite Statements
A risk appetite statement is useful only if it is clear and can be implemented across the organization. As we noted earlier, risk appetite must relate to the pursuit of organizational objectives and must start at the top. In developing and evaluating a statement, the organization should ensure that risk appetite (Exhibit 3)
[Exhibit 3: diagram centered on Risk Appetite. Labels: Link to Objectives; Time Frame, Portfolio of Projects; Facilitate Monitoring of Risk; Operations Decisions; State With Sufficient Precision; Communicate, Monitor, Adjust; Facilitate Alignment; People, Process, Infrastructure; Determine Acceptable Risk Tolerances; Specific Objectives]
• directly links to the organization’s objectives;
• is stated precisely enough that it can be communicated throughout the organization, effectively monitored, and adjusted over time;
• helps with setting acceptable tolerances for risk, thereby identifying the parameters of acceptable risks (discussed in the next section);
• facilitates alignment of people, processes, and infrastructure in pursuing organizational objectives within acceptable ranges of risk;
• facilitates monitoring of the competitive environment and considers shareholders’ views in identifying the need to reassess or more fully communicate the risk appetite;
• recognizes that risk is temporal and relates to the time frame of the objectives being pursued; and
• recognizes that the organization has a portfolio of projects and objectives, as well as a portfolio of risks to manage, implying that risk appetite has meaning at the individual objective level and at the portfolio level.

Risk appetite should be descriptive enough to guide actions
across the organization. Management and the board should
determine whether compensation incentives are aligned with
risk appetite, not only for top management but throughout
the organization.
www.coso.org