Does your organization have a defined risk appetite? If not, current changes to the business landscape resulting from the global COVID-19 pandemic provide a great reason to define one, or to revisit (and update) your organization's existing risk appetite.
What is Risk Appetite?
The concept of risk appetite is still relatively new. The International Organization for Standardization (ISO), an independent, non-governmental international standard-setting body, defines risk appetite as “the amount and type of risk that an organization is prepared to pursue, retain or take.” This is an important concept that serves to guide an organization's approach to risk and to the management of that risk.
Members of an organization's board of directors are usually the ones responsible for setting its risk appetite, which is articulated in a high-level statement that takes into account the levels of risk that management deems to be acceptable to the organization. A risk appetite statement helps the board of directors and senior executives better understand and clearly communicate the organization's risk appetite. It also helps to provide a uniform and cohesive definition and understanding of risk across an organization, as well as awareness and increased transparency of that risk. If used correctly, a clearly defined risk appetite enables improved decision-making and contributes to an organization's overall success.
COSO's Risk Appetite Guidance
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations that develops frameworks and guidance on enterprise risk management, internal control, and the deterrence of fraud. It is probably best known for its Internal Control — Integrated Framework, a guidance document which helps organizations design and implement internal controls. Just this month, COSO released new guidance on the importance of defining risk appetite, how to define and formulate risk appetite, as well as how to effectively put it into practice.
At a time when organizations are faced with new and emerging risks, such guidance is critical. Many businesses are simply trying to survive the economic fallout and have therefore prioritized other initiatives, such as business continuity. As a result, attention to compliance, enterprise risk management, and various associated internal controls has fallen by the wayside. While this may make sense in the very short term, a long-term risk management strategy is crucial for survival.
COSO's recent guidance, titled Risk Appetite - Critical to Success, is well-organized, clearly presented, and informative. Furthermore, it provides a free, valuable resource at a time when it may be needed most. Board members, senior executives, and managers will find it to be a useful tool in their risk management arsenal. It can be easily accessed here.