I just finished a great article on risk appetite. Now that isn’t something you here everyday, but you may here someone mention risk appetite or risk tolerance fairly regularly these days. The article was in the current issue of CSO magazine entitled “How to determine your company’s real risk appetite“.
Since I have never been a fan of re-blogging entire articles, I won’t do it here. But since I did find the article to be very useful and I did want to encourage every organization to give it a read.
Definition of Risk Appetite
For those that may not be familiar with the term, risk appetite, the general definition of risk appetite refers to the level of risk an organization is willing to accept.
The definition of risk appetite can be more specific to include not only the level of risk but also the types of risks an organization is willing to accept.
Understanding Risk Appetite
I thought the article did a very nice job of laying the foundation for why every organization should understand its risk appetite in very specific and articulated terms.
I also thought the advise offered on considering who can make a risk acceptance in an organization was profoundly important. The article points out that although the officers of an organization set the risk appetite, too often it is the mid-level managers who are making the risk acceptance decisions or altering the risk appetite of the organization without executive oversight.
Constructing a Formal Risk Appetite
The article offers some solutions on constructing a formal risk appetite. Because this is CSO magazine, the focus is on IT related risks and how ERM applies to IT. There are mentions of using COSO and ISO 31000 and other risk assessment frameworks.
The advise to include participation from the C-suite when constructing a formal risk appetite is of course the most important kernel of advise you should take away from this article.
So give the article a read and set up time to plan out your strategy for constructing and articulating your organizations risk appetite – at least when it comes to its IT risk appetite.