Based on my experience assisting with risk management implementation, the dispute over how to set risk appetite and risk tolerance has come to my attention. Here is a brief explanation that I hope can be shared and opened for discussion.
Based on the COSO ERM Framework,
- Risk appetite is the broad-based amount of risk an entity is willing to accept in pursuit of its mission and vision.
- Risk tolerance is the acceptable level of variation relative to achievement of objectives.
Based on ISO/IEC Guide 73,
- Risk appetite is the amount and type of risk an organization is prepared to pursue or take.
- Risk tolerance is the organization's readiness to bear the risk after risk treatment in order to achieve its objectives.
In the COSO ERM Framework, enterprise risk management (ERM) is broader than internal control because ERM requires the entity to consider composite risks from a portfolio perspective. From that perspective, risk appetite should be applied during strategy setting and the selection of related objectives. Risk tolerance, on the other hand, serves in the COSO ERM Framework as a precondition for internal control, not as a part of internal control itself.
In ISO 31000, risk appetite and risk tolerance are part of risk attitude, which reflects how an entity makes decisions based on the outcomes of risk analysis: which risks need treatment and the priority for implementing that treatment.
As an entity applying risk management, the question to ask is: "Are we on the right track in implementing risk appetite and risk tolerance according to the chosen framework?"
DC | 01012012