Risk taking is an essential part of business today, as a company must make informed and rational decisions about the risks they want to take in pursuit of goals and objectives.  A thought paper developed by Ernst & Young Global Limited explores how organizations can define their risk appetite, risk tolerance, and risk targets to effectively align strategy execution and risk management processes to achieve a competitive advantage.  A company must understand how much risk it is willing to take and how it plans to balance risks and opportunities before designing and executing a set strategy.

The thought paper notes that a comprehensive discussion of risk appetite should become linked to defining the overall strategy of a company, involving both top management and the board of directors.  The board should take into account the risk expectations of shareholders, regulators, and other stakeholders.  The board and management must also consider the risk capacity of the company, including the amount and type of risk an organization is able to support based on capital structure, access to financial markets, and the flexibility of its workforce.  Additionally, the culture of the company and the capacity to manage risks should become an integral part of defining risk appetite.  One key ingredient to determining risk appetite includes focusing on risks the company can manage better than its competitors, clients, or suppliers, as it can be the ultimate link between risks and opportunities. For example, companies may be more equipped or experienced to deal with and manage certain risks than others; therefore, pursuing more profitable risks may lead a company to gain a competitive advantage.

Once risk appetite has been clearly defined by the board of directors and management, it becomes their responsibility to communicate the risk appetite throughout the organization to ensure that actions of the company on all levels are in line with the risk the company is willing to accept.  Furthermore, the risk appetite defined should be translated into:

  • Risk tolerance
  • The maximum risk that an organization is willing to take
  • Specific categories of risk – such as strategic, operational, financial, and compliance risks. 


Management can then set specific risk targets, based on desired return, risk appetite and capacity to manage risks, in order to determine the optimal level of risk that each business unit is willing to accept to pursue business objectives.

Risk appetite, tolerance, and targets must be updated constantly to adapt to changes in a company’s external environment, strategy, and performance.  Important risk targets can be monitored and managed by using key risk indicators linked to key performance indicators.  The integration of risk factors and risk management in a company’s performance management tool is an effective way to measure and monitor performance and risk at the same time.

Ultimately, companies will benefit from a comprehensive discussion, definition, and communication of risk appetite to focus in on what might create, sustain, and diminish value.  Additionally, a clear definition of risk tolerance and risk targets, used in conjunction with performance management tools, can be an outstanding basis for effective enterprise risk management in balancing opportunities and risks.

Click below to download article

Link: Ernst & Young Global Limited

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2010-07-01