COSO Contributes to Thought Leadership on Risk Appetite

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


My congratulations go to Professor Larry Rittenberg and Frank Martens of PwC on the Thought Leadership Paper Understanding and Communicating Risk Appetite, released today by COSO.

While I am not enthralled by the COSO definitions of risk appetite and tolerance, preferring the ISO 31000:2009 variants, this is a clear and well-written paper that makes a valuable contribution to thought leadership in this area.

It shouldn’t matter whether you like COSO ERM or hate it. I ask that you set aside the COSO language and terms — especially the dreaded "cube" — and see if the general advice is valuable.

Before getting into the paper, let me refer you to prior posts and references on this topic:

  • Just what is risk appetite and how does it differ from risk tolerance?
  • An effective risk tolerance, appetite, criteria, etc. statement
  • New guidance on risk appetite and tolerance. I like some parts, disagree with others
  • A discussion of risk appetite by thought leaders

Here are some quotes from Rittenberg and Martens I like.

  • Organizations encounter risk every day as they pursue their objectives. In conducting appropriate oversight, management and the board must deal with a fundamental question: How much risk is acceptable in pursuing these objectives?
  • The COSO document Enterprise Risk Management — Integrated Framework explicitly states that organizations must embrace risk in pursuing their goals. The key is to understand how much risk they are willing to accept.
  • Further, how should an organization decide how much risk it is willing to accept? To what extent should the risks accepted mirror stakeholders’ objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization’s appetite for specific kinds of risk?
  • When properly communicated, risk appetite guides management in setting goals and making decisions so that the organization is more likely to achieve its goals and sustain its operations.
  • ERM is not isolated from strategy, planning, or day-to-day decision making. Nor is it about compliance. ERM is part of an organization’s culture, just as making decisions to attain objectives is part of an organization’s culture.
  • An organization must consider its risk appetite at the same time it decides which goals or operational tactics to pursue.
  • Risk appetite cannot be set once and then left alone. Rather, it should be reviewed in relation to how the organization operates, especially if the entity’s business model changes.
  • Management should monitor activities for consistency with risk appetite through a combination of ongoing monitoring and separate evaluations. Internal auditing can support management in this monitoring. In addition, organizations, when monitoring risk appetite, should focus on creating a culture that is risk-aware and that has organizational goals consistent with the board’s.
  • Risk appetite:
      • is strategic and is related to the pursuit of organizational objectives;
      • forms an integral part of corporate governance;
      • guides the allocation of resources;
      • guides an organization’s infrastructure, supporting its activities related to recognizing, assessing, responding to, and monitoring risks in pursuit of organizational objectives;
      • influences the organization’s attitudes towards risk;
      • is multi-dimensional, including when applied to the pursuit of value in the short term and the longer term of the strategic planning cycle; and
      • requires effective monitoring of the risk itself and of the organization’s continuing risk appetite.

  • As an organization decides on its objectives and its approach to achieving strategic goals, it should consider the risks involved, and its appetite for such risks, as a basis for making those important decisions. Those in governance roles should explicitly understand risk appetite when defining and pursuing objectives, formulating strategy, and allocating resources. The board should also consider risk appetite when it approves management actions, especially budgets, strategic plans, and new products, services, or markets (in other words, a business case).
  • The point is that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. That consideration takes place throughout the execution of the strategy, and it is most important when strategy is being formulated with due regard for risk appetite.
  • An organization’s risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management.
  • The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.
  • A risk appetite statement is useful only if it is clear and can be implemented across the organization. Risk appetite should be descriptive enough to guide actions across the organization. Management and the board should determine whether compensation incentives are aligned with risk appetite, not only for top management but throughout the organization.
  • To be effective, risk appetite must be:
      • operationalized through appropriate risk tolerances;
      • stated in a way that assists management in decision making; and
      • specific enough to be monitored by management and others responsible for risk management.

The paper talks extensively about the difference between risk appetite and tolerance. I have not quoted from it as I don’t personally find that useful. As I said above, I prefer to think of risk appetite and tolerance using the ISO terms: appetite is the amount and type of risk that an organization is willing to pursue or retain, and tolerance is the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. I also prefer the notion of risk criteria, which include but are not limited to risk appetite and tolerance.

But that shouldn’t matter to whether this paper adds value or not.

What do you think?

Posted on Jan 20, 2012 by Norman Marks


  1.  COSO often gets bad publicity that is really undeserved. COSO is a management system like ISO 9001, but it is misused, mainly by auditors who make a great deal of money by looking at way too many sets of data. The SEC developed a new auditing standard (#5) to replace AS # 2. #5 is a top down, risk based standard that concentrates on the risks to the organization and looks at information down to the operational level based on those risks.

    As I indicated COSO is a management system similar to ISO 9001. I published a paper in the September 2005 ASQ Quality Progress magazine comparing 9001 and COSO.  

    COSO is 20 years old and is being revised and brought up to date. I'm the quality management representative on the Institute of Management Accountants (IMA) team supporting the revision. The revision has expanded the risk element of the guidance.

    I'll be happy to answer questions about the revision.

  1.  Thank you, Norman, for all your enlightening comments on ERM, internal audit and related issues. You’re really an enabler, bringing the development forward with your inspiring timely activity and creativity.

    I think you’ve already answered your previous blog’s questions regarding ERM’s involvement in objectives and strategy setting as well as in performance management yourself. Personally, I appreciate the term Risk Governance, since risk is an integral part of the whole governance system. Risk should be there when the nomination committee agrees on board composition (in addition to the financial literate person, maybe there should be a risk literate person as well – at least board members should be prepared to challenge the ideas and assumptions presented by management). A longer term risk-reward management perspective should be part of the remuneration committee’s objectives, avoiding incentives to maximize profits for the next quarter (with potentially great losses ‘round the bend). And then of course there are the risk responsibilities of the audit committee (which tends to have a bias towards financial and accounting risks). Nothing, however, can deprive the full board of its responsibility for overseeing strategic development and risks to the well being and survival of the organization – i.e. risk oversight.

    During the recent week I’ve read one survey after the other explaining that ERM has failed to meet expected results. Some claim that ERM has become merely a box ticking exercise. This is a leadership failure. The risk champion or CRO must be an ambassador for bringing risk-awareness into the organization’s core decision-making processes.


  1.  I remember when companies employed Chief Quality Officers who introduced Total Quality Management, Quality Assurance etc (like risk management, known under several names). Their job was to inspire the organization and get the quality improvement process going. Delivering quality in products and services became a state-of-mind. Just like bringing risk more clearly into decision-making. Most companies let go of their Chief Quality Officer once the right perceptions and attitudes were in place. ERM is nothing more than improved quality in decision making (TQDM). This requires real change management; changing attitudes and behaviors. Only boards, chief executives and a highly devoted risk champion can bring ERM forward. 2012 should be the year of behavioral economics and risk inspired decision-making. How to become an inspiring leader? Take a look:

    A risk appetite statement is the fundamental framework or reference point to lead ERM. We say that we can’t identify risks without clear objectives. But how can we evaluate risks without a ruler? How can a CRO or a Risk Committee live without a Risk Appetite Statement? This should be required in the dialogue with the board (foremost by the CEO, but also by the CRO and CAE).


  1.  This brings me to the COSO-paper on Risk Appetite, called a Thought Leadership Paper (!). During the last five years the big four and many other organizations have engaged themselves in trying to define risk appetite and related vocabulary. Some better than others. The Institute of Risk Management in London has recently produced a white paper on the issue after a lot of research and a period of open consultation.

    COSO seems to have issued their paper in a hurry, maybe to keep pace with the rest of the world. In my opinion it unfortunately doesn’t bring the issue forward a single step. Read the Accenture report instead, it's more inspiring:


  1.  Another interesting paper has been presented by David Hillson and Ruth Murray-Webster. They bring the human element into the picture and have created a good vocabulary.

    What I lack in the COSO-paper is the overall definition of Risk Capacity; which not only means how much the organization can afford to lose before becoming insolvent, but also the capabilities the organization has to cope with a more aggressive risk appetite. Even if the company has great financial resources, that doesn’t mean it has the talent and capabilities to take on great new ventures in the short term. The Risk Appetite should normally be less than the Risk Capacity (as discussed regarding Economic Capital in the COSO-report).


  1.  Another thing I find lacking is a discussion of stakeholders’ interests. Who are the organization’s stakeholders, in the broadest sense? What will they tolerate? (Remember that there are silent stakeholders like the environment/atmosphere and coming generations.) Various aspects of risk appetite and risk tolerance must, if not being aligned with, at least be adjusted with regard to critical stakeholder concerns.

    Likewise, on communicating the risk appetite, the COSO-paper mainly discusses how appetite and tolerance should cascade down through the organization. The message you convey to shareholders, bondholders, suppliers, customers, NGOs and others is likewise important, to maintain trust.

    My experience from ERM-workshops is unfortunately that business area management in some cases disagrees on what their main objectives are. Once agreement is reached, the next step is to improve the clarity of each objective. If this is the case, how will the rest of the organization know what’s to be done? This is a basic risk. Most companies that fail do so due to the fact that 1) the board and management have agreed on the wrong strategy, but more frequently, 2) the board and management fail to execute the agreed strategy. Not knowing otherwise, the herd maintains its old momentum.

    Thus, be sure to communicate objectives and strategy in such a way that they are well understood by the organization. When that is done, it’s time to describe the boundaries.


  1.  I’m sorry, but I’m very disappointed by the COSO-paper. If COSO wants to regain “thought leadership” they need to do a lot more.

  1. Per, thank you for your very thoughtful comments. Interesting and valuable!

    I especially like the link to the Accenture piece, as it discusses the relationship between risk capacity (the same as tolerance per ISO?) and appetite.

    Here are two earlier posts relative to the IRM paper:

    One consideration in evaluating risks is the potential for reward. As a generality, the higher the potential for reward, the higher the desire to take risks. Thoughts?

  1. I would like to lodge my commentary on here but there is not enough room for my comments which will take several postings to articulate. They will be posted however elsewhere across the web and I will communicate these directly to COSO.

    Overall this was a poorly written document in so many different respects and will not at all help the understanding of risk management. To my way of thinking, the release of this document seems to have been politically motivated to try and keep the status quo here in the US when we already know that leading risk management guidance has been introduced all around the globe in ISO 31000 with accompanying guidance already on the subject of risk criteria. I am sorry that internal auditors will have to be exposed to this COSO risk appetite guidance but hopefully with some initiative, they will get a copy of the other materials and get up to speed shortly.


  1. I have to agree with the critical comments. This was a poor document that seemed to be playing catch-up with better work elsewhere. The writing was sloppy. On the one hand we were told "We all know the costs of failing to manage risk. Examples include... the social cost of government budgets in Greece, Spain, Ireland and Portugal." Excuse me, but I don't see much similarity between government budgets in Greece and Ireland, or even why they need to be mentioned in this paper. On the other hand the paper was vague about the respective roles of the board and management, frequently referring to tasks performed by "management and board" without explaining their relationship. When the relationship was explored in more detail, it always downgraded the role of the board to being reviewers of management decisions, without articulating what a board needs to do in order to be competent to oversee management. The stock answer was "discussion" and "conversation". On behalf of investors, it's time to expect more from boards than regularly chatting to management about how well management sets targets for risk and how well management monitors performance against the targets they set for themselves. Boards need to be able to form opinions on desirable levels of risk as derived from stakeholder expectations, without being so reliant on management.
