Page 701 - COSO Guidance
12 | Enterprise Risk Management — Understanding and Communicating Risk Appetite | Thought Leadership in ERM
Most organizations have multiple operational objectives related to profitability, some of which might create additional or complementary risks. For example, the managers of an aerospace company might want to improve a product's profitability but know the company has a low risk appetite for not meeting client expectations. They know they cannot reduce product costs if such changes would decrease performance. For example, the company might use new technology, but it cannot use inferior components.

To further illustrate, assume management and the board have set specific profit objectives by product line — for example, maintain a specific gross margin or return on capital for the product line. But they have communicated a low risk appetite for product failure, for loss of customers because of product quality or delivery, and for potential lawsuits related to product design or performance. The articulation of risk tolerances helps guide the company's operational development.

Linking Risk Appetite and Risk Tolerance

The following examples illustrate the relationship between risk appetite and related risk tolerances.

Aerospace Supplier: This company translates its risk appetite statement into tolerances for operational implementation. A high-level objective is to grow by 8% a year (revenue and operating earnings) by working with customers to improve products and market share. Because of the long-term nature of its supply arrangements and product development, the company has communicated the broad parameters of its risk appetite, which then cascade into risk tolerances relating to operations, reporting, and compliance, as shown below. While the company seeks to grow at this rate, acquisitions should not put the company's capital structure at risk. There is a low risk appetite for allowing the capital structure to be so leveraged that it hinders the company's future flexibility or ability to make strategic acquisitions.

Operations Tolerances

• Near zero risk tolerance for product defects
• Low risk tolerance for sourcing products that fail to meet the company's quality standards
• Low, but not zero, risk tolerance for meeting customer orders on time, and a very low tolerance for failing to meet demands within x number of days
• High risk tolerance for potential failure in pursuing research that will enable the company's product to better control, and increase the efficiency of, energy use

Reporting Tolerances

• Low risk tolerance concerning the quality, timing, and accessibility of data needed to run the business
• Very low risk tolerance concerning the possibility of significant or material deficiencies in internal control
• A low risk tolerance related to financial reporting quality (timeliness, transparency, GAAP, etc.)

Compliance Tolerances

• Near zero risk tolerance for violations of regulatory requirements or the company's code of ethics
www.coso.org