Accueil
Envoyer
Imprimer
Partager
My response was based on a few principles. I believe any guidance for evaluating risk levels (whatever you call it: risk appetite statement, risk criteria, or something different) has to meet certain requirements:
1. Managers making decisions need to understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation. Any ‘risk appetite’ or similar statement needs to be practical, guiding the manager to make what I call risk-intelligent decisions. So, guidance has to be effective at the level of the manager’s decision
2. Executives need to be able to understand the aggregated and interlinked ‘risk level’ so they can determine whether it is acceptable or not. So, guidance has to be effective at the aggregated level
3. The board and executive leadership need to understand the above for the organization as a whole. So, guidance has to be effective at the entity level
4. Risk appetite is not constant. It should change as the environment and business conditions change. Any guidance for managers and executives has to realize this. Anything approved by the board has to have some flexibility built in
5. Risk decisions need to be made with full consideration of reward. Guidance needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward. Consider the ROI standard on capital projects: sometimes it is appropriate to SET a standard that the reward (likelihood and potential magnitude) has to be some multiple of the risk (likelihood and potential magnitude). Setting levels for risk without regard to reward is a recipe for failure
Do you agree with these principles? If not, how would you change them?
Link : www.theirm.org/publications/risk_appetite.html
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/
1. Managers making decisions need to understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation. Any ‘risk appetite’ or similar statement needs to be practical, guiding the manager to make what I call risk-intelligent decisions. So, guidance has to be effective at the level of the manager’s decision
2. Executives need to be able to understand the aggregated and interlinked ‘risk level’ so they can determine whether it is acceptable or not. So, guidance has to be effective at the aggregated level
3. The board and executive leadership need to understand the above for the organization as a whole. So, guidance has to be effective at the entity level
4. Risk appetite is not constant. It should change as the environment and business conditions change. Any guidance for managers and executives has to realize this. Anything approved by the board has to have some flexibility built in
5. Risk decisions need to be made with full consideration of reward. Guidance needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward. Consider the ROI standard on capital projects: sometimes it is appropriate to SET a standard that the reward (likelihood and potential magnitude) has to be some multiple of the risk (likelihood and potential magnitude). Setting levels for risk without regard to reward is a recipe for failure
Do you agree with these principles? If not, how would you change them?
Link : www.theirm.org/publications/risk_appetite.html
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/
