Risk Appetite: Contributions to Thought Leadership from COSO

A recent thought paper on risk appetite by COSO prompts guest writer Norman Marks to explore the place risk appetite and its management have in the day-to-day strategic plans of organizations.

My congratulations go to Professor Larry Rittenberg and Frank Martens of PwC on the Thought Leadership Paper "Understanding and Communicating Risk Appetite," recently released by COSO.

While I am not enthralled by the COSO definitions of risk appetite and tolerance, preferring the ISO 31000:2009 variants, this is a clear and well-written paper that makes a valuable contribution to thought leadership in this area.

It shouldn’t matter whether you like COSO Enterprise Risk Management (ERM) or hate it. I ask that you set aside the COSO language and terms — especially the dreaded "cube" — and see if the general advice is valuable.

Before getting into the paper, let me refer you to prior posts and references on this topic:

Here are some quotes from Rittenberg and Martens I like.

Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives?

How Much Risk to Take On?

The COSO document "Enterprise Risk Management—Integrated Framework" explicitly states that an organization must embrace risk in pursuing its goals. The key is to understand how much risk it is willing to accept.

Further, how should an organization make this decision? To what extent should the risks accepted mirror stakeholders’ objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization’s appetite for specific kinds of risk?

When properly communicated, risk appetite guides management in setting goals and making decisions so that the organization is more likely to achieve its goals and sustain its operations.

ERM is not isolated from strategy, planning or day-to-day decision making. Nor is it about compliance. ERM is part of an organization’s culture, just as making decisions to attain objectives is part of an organization’s culture.

Risk Appetite Needs Ongoing Review

An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue.

Risk appetite cannot be set once and then left alone. Rather, it should be reviewed in relation to how the organization operates, especially if the entity’s business model changes.

Management should monitor activities for consistency with risk appetite through a combination of ongoing monitoring and separate evaluations. Internal auditing can support management in this monitoring. In addition, when monitoring risk appetite, organizations should focus on creating a culture that is risk-aware and that has organizational goals consistent with the board’s.
