Page 694 - COSO Guidance Book

Thought Leadership in ERM   |  Enterprise Risk Management — Understanding and Communicating Risk Appetite   |    5






An organization has a number of goals and objectives it can pursue. Ultimately, it will decide on those that best meet stakeholder preferences for growth, return, safety, sustainability and its willingness to accept risk. The objectives, in turn, may be pursued using a number of alternative strategies. As shown in Exhibit 2, the articulation of a risk appetite provides bounds on the choice of strategies and the operational decisions that are made to pursue those objectives.

One major problem that led to the current financial crisis was that although objectives had been created, there was no articulation of risk appetite or identification of those responsible when risks were incurred.

Exhibit 2

Interrelationship of Strategy, Management Decisions, and Risk Appetite

  Sets strategic goal and objectives
  -> Formulates strategies
       •  Strategy 1
       •  Strategy 2
       •  Strategy 3
       •  ...
  -> Establishes operations, compliance, and reporting objectives
  -> Makes decisions on how to manage risks relating to the achievement of objectives

  Spanning all four stages: Considers risk appetite in setting of strategies, objectives, and how to manage risks





Steps in Adopting Risk Appetite

Each organization must determine its own risk appetite; there is no single universal risk appetite. But how does an organization get to the point of having a risk appetite statement that can be communicated through the organization? And how does risk appetite stay relevant over time?

To effectively adopt risk appetite, an organization must take three key steps:

  1.   Management develops, with board review and concurrence, a view of the organization’s overall risk appetite.

  2.   This view of risk appetite is translated into a written or oral form that can be shared across the organization.

  3.   Management monitors the risk appetite over time, adjusting how it is expressed as business and operational conditions warrant.

These three steps will be discussed in detail in later sections of this paper.

In a recent survey, less than half of the respondents said they had a formal process for developing and communicating risk appetite.²





















                    2   Towers Watson, 2011 Risk and Finance Manager Survey
www.coso.org