Question asked by Sharon White
COSO ERM Understanding and communicating risk appetite identifies 1) general statement, 2) by org objectives, or 3) by risk types identified by the org. What organizational characteristics would benefit from each of these methods? (e.g. education level of employees, complexity of org, variety of programs administered)
AFERM Experts Say...
Risk appetite denotes the level and nature of risk that is acceptable. Risk tolerance refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand. Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should flow downward from the top of the organization to the various lower levels of management, with actual risk information flowing upward from the lower levels of the organization.
Should risk appetite and risk tolerance statements be documented by organizational objective or by risk classes?
Depending on the agency, risk appetite and risk tolerance statements can be documented by organizational objective or by risk classes, and in some agencies they are documented both ways at the same time. Some agencies manage enough complexity that they must deal with differentiated risk classes within each organizational objective, while others manage programs where a single set of risk classes can apply across the enterprise.
The most important thing to remember is that risk appetite and risk tolerance statements enable the ERM program and officers to respond to risk in a dynamic and direct way. In other words, an Agency should make sure it does not create risk appetite and risk tolerance statements that constrain behavior (unless by design) and delay risk response actions.