The risk appetite process
A discussion of risk appetite should address the following questions:
- Corporate values: What risks will an organization not accept?
- Strategy: What are the risks an organization needs to take?
- Stakeholders: What risks are stakeholders willing to bear, and to what level?
- Capacity: What resources are required to manage those risks?
The process includes the following elements:
- Risk profile: Management’s assessment of the company’s top risks and the internal controls and capabilities to manage those risks.
- Risk capacity: The actual amount of risk the company could bear.
- Qualitative risk assessment: Management’s categorization and prioritization of the company’s top individual risks relative to one another.
- Quantitative risk analysis: This analysis can include rating scales and simple estimates, benchmarking, and sophisticated probability models.