A risk appetite statement is a statement made or approved by top level management to communicate the desired level of risk the organisation is willing to accept in the pursuit of its objectives. To be effective, a risk appetite statement must be clear, understandable, consistent across the organisation and communicated to all stakeholders concerned.
In GuardianERM, a more generic risk appetite statement attached to each risk category can be applied or an individual risk appetite statement can be used for each risk.
The Australian Prudential Regulation Authority issued a draft Prudential Standard CPS220 on risk management in May 2013 and has some guidelines for a risk appetite statement:
Risk appetite
The Board must establish the risk appetite of the APRA-regulated institution. The institution must maintain an appropriate, clear and concise risk appetite statement that addresses its material risks. The Board must approve the risk appetite statement.
An APRA-regulated institution’s risk appetite statement must, at a minimum, convey:
(a) the degree of risk that the institution is prepared to accept in pursuit of its strategic objectives and business plan, giving consideration to the interests of depositors and/or policyholders (risk appetite);
(b) for each material risk, the maximum level of risk that the institution is willing to operate within, expressed as a risk limit and based on its risk appetite, risk profile and capital strength (risk tolerance);
(c) the process for ensuring that risk tolerances are set at an appropriate level, based on an estimate of the impact in the event that a risk tolerance is breached, and the likelihood that each material risk is realised;
(d) the process for monitoring compliance with each risk tolerance and for taking appropriate action in the event that it is breached; and
(e) the timing and process for review of the risk appetite and risk tolerances.
See also:
Risk Category Maintenance (where risk appetite statements are attached to risk categories)
Risk Evaluation - Risk Details