Before a company can claim to have an effective risk management process, it must be able to identify or define its appetite for risk, yet many companies struggle on that point.

That inspired the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, to develop a “thought paper” to help companies through it, says COSO Chairman David Landsittel. COSO's Enterprise Risk Management – Understanding and Communicating Risk Appetite is the newest in a series of papers intended to provide enterprise risk management practitioners with some guidance on getting through the exercise.

COSO defines risk appetite as the amount of risk broadly that an organization is willing to accept in its pursuit of value. “That affects, for example, how much leverage a company might be willing to accept in capitalizations, or how aggressive it will be in pursuing acquisitions,” Landsittel explains. Companies need to identify and communicate how much risk it is willing to accept on a broad level, then that should cascade into business strategies throughout the organization, he says. “The amount of risk you are willing to accept overall might be different than the risk you are willing to accept as it relates to a safety issue or compliance with laws or regulations.”

In the paper, COSO says determining risk appetite is an element of good governance that management and directors owe to their stakeholders. It challenges the notion that defining risk appetite is too difficult, and therefore unimportant or irrelevant. COSO says management and the board need to develop a written statement that conveys clearly and succinctly the risk appetite that should be considered in developing business strategies through the entity. The statement should be specific enough so that it can be communicated throughout the organization, monitored effectively, and adjusted over time.

The paper also provides some practical tips on developing a risk appetite statement and some questions for management and the board to consider to help identify and define risk appetite. “Our aim is to give companies a better understanding of what is meant by ‘risk appetite,' and to give examples of how it might be implemented,” Landsittel said. “This is one of the areas we've identified where we thought organizations could benefit from additional guidance in their efforts to move their risk management processes up the maturity curve.”