20 | Enterprise Risk Management — Understanding and Communicating Risk Appetite | Thought Leadership in ERM
Monitoring and Updating Risk Appetite

Once an organization’s risk appetite is developed and communicated, management, with board support, must revisit and reinforce it. Risk appetite cannot be set once and then left alone for extended periods. Rather, it should be reviewed and incorporated into decisions about how the organization operates. This is especially important if the organization’s business model begins to change.

[Figure: cycle diagram with Risk Appetite at the center, linking Develop/Revise, Communicate, and Monitor]

Management cannot just assume that responsible individuals will implement risk management within the appropriate risk appetite. Therefore, some organizations will review the application of risk appetite through a series of monitoring activities. Management should monitor the organization’s activities for consistency with risk appetite through the specifics identified with risk tolerances. Most organizations have key performance risk metrics that they use to measure performance. It is easy to integrate risk tolerances into the monitoring process used to evaluate performance. Internal auditing can provide independent insight on the effectiveness of such processes.

Creating a Culture

For many organizations, monitoring risk tolerances requires a culture that is aware of risk and risk appetite. Management, by revisiting and reinforcing risk appetite, is in a position to create a culture whose organizational goals are consistent with the board’s, and to hold those responsible for implementing risk management within the risk appetite parameters.

Many organizations are effective at creating a risk-aware culture: a culture that emanates from senior management, cascades through the organization, and is supported by the board. In an effective culture, each member of the organization has a clear idea of what is acceptable, whether in relation to behaving ethically, pursuing the wrong objectives, or encountering too much risk in pursuing the right objectives.

Creating a culture is one way of reinforcing overall risk appetite. The approach is best used when the organization has a well-communicated risk appetite and associated risk tolerances, to the point at which the following outcomes exist:

• Consistent implementation across units
• Effective monitoring and communication of risk and changes in risk appetite
• Consistent understanding of risk appetite and related tolerances for each organizational unit
• Consistency between risk appetite, objectives, and relevant reward systems

This approach draws on ongoing and separate evaluations conducted as part of the organization’s monitoring. The individuals doing the monitoring consider whether the objectives being set and the risk response decisions being made are consistent with the organization’s stated risk appetite. Any variation from the stated (or desired) risk appetite is then reported to management and the board as part of the normal internal reporting process.
www.coso.org