Board oversight of risk: Defining risk appetite in plain English

May 2014

At a glance

Risk oversight continues to be top-of-mind for directors. One area that’s particularly important for boards to better understand is the company’s risk appetite. This publication defines risk appetite as it pertains to the board’s oversight of risk management.

The risk appetite process

A discussion of risk appetite should address the following questions:

  • Corporate values: What risks will an organization not accept?
  • Strategy: What are the risks an organization needs to take?
  • Stakeholders: What risks are they willing to bear, and to what level?
  • Capacity: What resources are required to manage those risks?

It includes the following elements:

  • Risk profile: Management’s assessment of the company’s top risks and the internal controls and capabilities to manage those risks.
  • Risk capacity: The actual amount of risk the company could bear.
  • Qualitative risk assessment: Management’s categorization and prioritization of the company’s top individual risks relative to one another.
  • Quantitative risk analysis: This analysis can include rating scales and simple estimates, benchmarking, and sophisticated probability models.