COSO Contributes to Thought Leadership on Risk Appetite


My congratulations go to Professor Larry Rittenberg and Frank Martens of PwC on the Thought Leadership Paper Understanding and Communicating Risk Appetite, released today by COSO.

While I am not enthralled by the COSO definitions of risk appetite and tolerance, preferring the ISO 31000:2009 variants, this is a clear and well-written paper that makes a valuable contribution to thought leadership in this area.

It shouldn't matter whether you like COSO ERM or hate it. I ask that you set aside the COSO language and terms — especially the dreaded "cube" — and see if the general advice is valuable.

Before getting into the paper, let me refer you to prior posts and references on this topic:

Just what is risk appetite and how does it differ from risk tolerance?

An effective risk tolerance, appetite, criteria, etc. statement

New guidance on risk appetite and tolerance. I like some parts, disagree with others

A discussion of risk appetite by thought leaders

Here are some quotes from Rittenberg and Martens I like.

  • Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives?

  • The COSO document Enterprise Risk Management — Integrated Framework explicitly states that organizations must embrace risk in pursuing their goals. The key is to understand how much risk they are willing to accept.

  • Further, how should an organization decide how much risk it is willing to accept? To what extent should the risks accepted mirror stakeholders' objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization's appetite for specific kinds of risk?

  • When properly communicated, risk appetite guides management in setting goals and making decisions so that the organization is more likely to achieve its goals and sustain its operations.

  • ERM is not isolated from strategy, planning, or day-to-day decision making. Nor is it about compliance. ERM is part of an organization's culture, just as making decisions to attain objectives is part of an organization's culture.

  • An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue.

  • Risk appetite cannot be set once and then left alone. Rather, it should be reviewed in relation to how the organization operates, especially if the entity's business model changes.

  • Management should monitor activities for consistency with risk appetite through a combination of ongoing monitoring and separate evaluations. Internal auditing can support management in this monitoring. In addition, organizations, when monitoring risk appetite, should focus on creating a culture that is risk-aware and that has organizational goals consistent with the board's.

  • Risk appetite:

    • is strategic and is related to the pursuit of organizational objectives;
    • forms an integral part of corporate governance;
    • guides the allocation of resources;
    • guides an organization's infrastructure, supporting its activities related to recognizing, assessing, responding to, and monitoring risks in pursuit of organizational objectives;
    • influences the organization's attitudes towards risk;
    • is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and
    • requires effective monitoring of the risk itself and of the organization's continuing risk appetite.
  • As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. Those in governance roles should explicitly understand risk appetite when defining and pursuing objectives, formulating strategy, and allocating resources. The board should also consider risk appetite when it approves management actions, especially budgets, strategic plans, and new products, services, or markets (in other words, a business case).

  • The point is that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. That consideration takes place throughout the execution of the strategy, and it is most important when strategy is being formulated with due regard for risk appetite.

  • An organization's risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management.

  • The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.

  • A risk appetite statement is useful only if it is clear and can be implemented across the organization. Risk appetite should be descriptive enough to guide actions across the organization. Management and the board should determine whether compensation incentives are aligned with risk appetite, not only for top management but throughout the organization.

  • To be effective, risk appetite must be:

    • operationalized through appropriate risk tolerances;
    • stated in a way that assists management in decision making; and
    • specific enough to be monitored by management and others responsible for risk management.

The paper talks extensively about the difference between risk appetite and tolerance. I have not quoted from it as I don't personally find that useful. As I said above, I prefer to think of risk appetite and tolerance using the ISO terms: appetite is the amount and type of risk that an organization is willing to pursue or retain, and tolerance is the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. I also prefer the notion of risk criteria, which include but are not limited to risk appetite and tolerance.

But that shouldn't matter to whether this paper adds value or not.

What do you think?

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
