What's new

P1.T1.405. COSO's risk appetite

Nicole Seaman

Chief Admin Officer
Staff member
AIMs: Define risk appetite and explain the role of risk appetite in corporate governance. Describe considerations a firm must make in determining its risk appetite, and explain how an organization’s risk appetite can differ for various risk factors. Describe the objective and characteristics of an effective risk appetite statement.


405.1. According to COSO, each of the following is true about an organization's risk appetite except which statement is LEAST accurate?

a. Risk appetite guides the allocation of resources
b. Risk appetite has meaning at the portfolio and individual objective level
c. Risk appetite recognizes that risk is temporal and relates to the time frame of the organization's objectives
d. A high risk appetite is a symptom of a lack of risk management controls; in part to coordinate with regulatory capital, risk appetite should fall within a low to medium range

405.2. In the COSO paper, a health care organization has specific objectives related to (1) quality of customer care, (2) attracting and retaining high-quality physicians and health researchers, and(3) building sustainable levels of profit to provide access. The start of the organization's risk appetite statement is quoted as follows: "The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products,
equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives."

According to COSO, this risk appetite statement is effective for each of the three reasons below EXCEPT:

a. Expresses a low risk appetite in pursuing all the organization’s objectives
b. Demonstrates uniformity by calibrating an identical level of precise risk appetite for all of the organization's objectives and (as cascaded down) to all levels
c. Communicates, with sufficient precision, that the organization wants to sustain its business over a long period of time
d. Expresses a very low appetite for risks associated with employee safety and compliance

405.3. Which of the following is necessarily a characteristic of an effective risk appetite statement?

a. It is brief
b. It is not too precise (as it must apply globally)
c. It is sufficiently precise (to enable monitoring, alignment and adjustment)
d. It builds from the bottom up (to reflect an operational perspective)

Answers here: