If there is one element of a GRC framework upon which all else depends, it is the correct formulation of risk appetite, and the translation of appetite into tolerances, thresholds and limits that the organization must operate within. Without this, it’s simply impossible to manage risks effectively.
Risk appetite can be defined as the quantity and types of risk that an organization is willing to assume in pursuit of its strategic objectives. Boards are typically responsible for setting risk appetites, and executive teams then implement them into the business by translate those appetites into more granular risk-taking limits within the most fundamental operating processes.
This is a huge challenge, and most organizations struggle to do it effectively. Those who do it well know it is a bit of art, a bit of science, and a mix of qualitative and quantitative approaches.
Everything depends on the right formulation of risk thresholds –policy, controls and ultimately, what is expressed as a risk, or not.
However – with the right collaboration, and properly managed process, risk appetite and thresholds can be defined.
GRC teams can work with executive and management to establish meaningful thresholds, or tolerances of acceptable loss, compromise, disruption, disablement of key material business processes, people, or information. Tolerances describe, in tangible terms, the limits around which risk and compliance teams can manage their efforts.
Risk Appetite sets the bar – and the buck stops at the bar. You’ve got to work with the business to understand how much risk is the organization willing to take in a particular area. How high is the bar? Once set, policy, controls and reporting can be calibrated to feedback the right indicators that allow management to make decisions to avoid, treat or transfer risk – efficiently and effectively.
Read the full blog post at: Yo Delmar, GRC and Beyond