Thought Leadership in ERM | Enterprise Risk Management — Understanding and Communicating Risk Appetite | 9
University: The university's main objective is to continue as a preeminent teaching and research university that attracts outstanding students and is a desired place of work for top faculty.

The university's risk appetite statement acknowledges that risk is present in almost every activity. The critical question in establishing the risk appetite was "How willing is the university to accept risk related to each area?" In thinking through the process, members of management used a continuum (Exhibit 4) to express risk appetite for the university's major objectives (teaching, research, service, and operational efficiency). They placed various risks along the continuum as a basis for discussion at the highest levels.
Exhibit 4
Risk appetite continuum, ordered from "Acceptable" (left) to "Not Acceptable" (right):
  Acceptable:     Increased costs due to incompatibility with legacy computer systems
                  Reduced teaching reputation
                  Reduced security of IT
  Not Acceptable: Reduced research reputation
From an operational viewpoint, for example, management assigned a high risk appetite to the cost of computer incompatibility, a more moderate risk appetite to issues of teaching excellence, a low risk appetite to information system security, and a very low risk appetite to its reputation as a leading research organization.

The university found that ordering its risk appetites across the continuum helped it shape a risk statement. Putting this into practice, the university

• exhibited a higher risk appetite when approving a new computer system that offered greater processing capacity but also had potential compatibility issues with legacy systems;

• exhibited a low risk appetite for significant breaches of security or unauthorized access to classified records (the new system was viewed as better controlled than the legacy system, thus supporting the decision to approve the new system);

• expressed a moderate risk appetite for teaching quality; and

• expressed a very low risk appetite for risks that would significantly reduce its research reputation.