COSO Releases Thought Leadership on Risk Appetite


Risk appetite must be flexible enough to adapt to changing conditions, helping an organization to remain relevant in the evolving landscape.

Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives? Added to this, regulators and other oversight bodies are calling for better descriptions of organizations’ risk management processes, including oversight by the board.

At its core, risk appetite is critical to organizational success. Articulating risk appetite for your organization will provide board members and senior management with important insight.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

COSO's Enterprise Risk Management—Integrating with Strategy and Performance framework defines risk appetite as:

The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

Inherent in this definition are several key points. Risk appetite:

  • Is intentionally broad to apply across an organization, recognizing that it may differ within various parts of the organization while remaining relevant in changing business conditions.
  • Focuses on risk that needs to be taken to pursue strategies that enhance long-term success.
  • Recognizes that risk is more than individual decisions.
  • Links to value—it is tied to the choices the organization makes on how it creates and preserves value.

Strategy is the organization’s plan to achieve its mission and vision and apply its core values to drive performance and value. We hold the view that strategy precedes objectives. It follows, then, that strategy is directly linked to the decisions about how an organization creates value.

Objectives are those measurable steps an organization takes to achieve its strategy. Objectives cascade to the entity’s business units, divisions, and functions.

There are several issues I see in practice. One is that management and the board don't understand their responsibilities. COSO does a nice job of outlining the key responsibilities.

Management and Board Responsibilities

  1. Management establishes risk appetite: An organization cannot know how well it is managing risk unless it establishes ranges of acceptable risk it can take in pursuit of its objectives. In doing so, management must effectively and clearly communicate: goals and objectives; strategies; metrics (to know whether objectives are being achieved); relevant time periods for pursuing the objectives; and the ranges of risk the organization is willing to take in pursuing the objectives.
  2. Board oversees risk appetite: Oversight of the risk appetite (the ranges of acceptable risk) should be considered at the board level in conjunction with the senior management team.
  3. Applies throughout organization: Risk appetite needs to be applied regularly throughout all functional units of the organization. Culture is important: the organization must work to build the board’s view of risk appetite into the organizational culture.
  4. Aligns with stakeholders and managers: Because individuals are accountable for their results, every organization needs a robust governance process to ensure that compensation and incentive systems are aligned with the organization’s objectives and are managed to fall within the organization’s risk appetite.
  5. Manages risks and risk appetite over time: Organizations need to understand that risk appetites may change over time. Boards must be proactive on two levels: Communicating their articulation of risk appetite; and Monitoring organizational actions, processes, etc., to determine whether organizational activity has strayed outside the organization’s risk appetite.
  6. Monitors to ensure adherence to risk appetite: Adherence to an organization’s risk appetite, as well as to its risk management processes, should be monitored regularly. The results of the monitoring should be reported to the audit committee and/or board and to the relevant members of executive management.
  7. Supports culture: The tone at the top influences the culture of the organization. The tone can be either positive or negative in ensuring that risks are managed within acceptable limits. Ideally, prudent risk-taking is built into the organization’s culture in its public statement of core values.
  8. Considers resources: It takes effort to operate within the organization’s risk appetite. Resources must be available and dedicated to operating within this appetite.
  9. Communicates through strategies and objectives: Risk appetite is communicated effectively only if the organization can clearly communicate its major strategies and objectives at both the global level and the functional/operational level.
  10. Clearly communicates how much risk the organization is willing to accept at all levels: Risk appetite (the broad amount and types of risk the organization is willing to accept) and risk tolerance (the acceptable variation in performance around specific objectives) are complementary concepts. They can be combined to determine acceptable ranges of risk for the organization.

Risk appetite is developed by management and reviewed by the board. COSO’s Enterprise Risk Management — Integrated Framework emphasizes the board’s important role in overseeing risk management. Oversight should begin with a studied discussion and review of management’s articulation of risk appetite relative to the organization’s strategies.

Pulling it Together

The following chart illustrates how the points come together into a well-articulated view of appetite and tolerance.

Closing Thoughts

The guidance from COSO is interesting, but it doesn’t speak to taking the right risks and executing on opportunities. I’m not saying the guidance is not useful; however, I was hoping for a balanced approach. Why? I have experienced a growing number of board members who are “locked on” risk being a negative!

I suggest organizations look at and discuss both the positives and negatives. What does your organization do?

"If you dare nothing, then when the day is over, nothing is all you will have gained." (Neil Gaiman)

I am happy to assist any organization and their board to better understand, implement, or enhance their enterprise risk management program, which includes developing a risk appetite that makes sense.

Get the complete COSO guidance here.


Jonathan T. Marks, CPA, CFE

Source: COSO
