At its core, risk appetite is critical to organizational success. Articulating risk appetite for your organization will provide board members and senior management with important insight. We hope to improve that understanding and promote risk appetite as an integral part of decision-making.
The COSO Enterprise Risk Management—Integrating with Strategy and Performance 1 defines risk appetite as:
The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
Inherent in this definition are several key points. Risk appetite:
- Is intentionally broad to apply across an organization, recognizing that it may differ within various parts of the organization while remaining relevant in changing business conditions.
- Focuses on risk that needs to be taken to pursue strategies that enhance long-term success.
- Recognizes that risk is more than individual decisions.
- Links to value—it is tied to the choices the organization makes on how it creates and preserves value.
This thought paper is intended to help directors and executives answer the following question:
How will a better understanding and communication of risk appetite help our organization succeed?
This paper is structured into the following sections:
1 Putting Risk Appetite into Context of the Business— Focuses on how organizations take on risk to innovate and grow, and shows that appetite must be flexible enough to adapt to changing conditions, helping an organization to remain relevant in an evolving landscape.
2 Linking Risk Appetite and Strategy— Emphasizes the importance of understanding strategy and objectives and that taking risks requires a sense of the type and amount of risk acceptable and necessary in pursuing strategies and objectives. It explores a key difference in adopting an objective-focused and a risk-focused approach.
3 Overview of Inputs to and Application of Risk Appetite— Provides an overview of how risk appetite is applied in the context of strategy and objectives, developed to support decision-making, and used to enhance performance. Each of these points is developed in the following sections.
4 Inputs to Risk Appetite— Considers the inputs that affect how risk appetite is applied. Among the more important are the organization’s mission and vision, board and management perspectives on appetite, the current strategy to pursue value, risk profile, and culture.
5 Developing Risk Appetite to Support Strategy and Objectives— Considers how an organization develops risk appetite in the context of overall strategy, and how it incorporates risk appetite into objective-setting. This section explores how organizations may use different approaches to build consensus and encourage more consistent decision-making.
6 Articulating and Communicating Risk Appetite to Support Decision-making— Considers how an organization can clearly and consistently articulate risk appetite to enhance decision-making, especially when boards and management may not agree. Being able to clearly communicate appetite improves when there is a commonly applied structure, one that considers the choice of language, the intended level of precision, and a focus on strategy and objectives rather than risks.
7 Using Risk Appetite to Enhance Performance— Considers how risk appetite is used to develop
tolerance, measures, and indicators, and to monitor performance in day-to-day practices.
8 Supporting the Use of Appetite— Offers our views on what organizations need to do to sustain risk appetite as part of an effective approach for enterprise risk management.
9 Final Thoughts— Wraps up our views that successful organizations take risk to succeed.
