I like to think I have common sense.
If I read or am told something, I question it. Does it make sense?
I did just that when I read this, more than twenty years ago, in COSO’s ERM Framework:
Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
I didn’t then and still don’t understand how you can have an “amount” of risk.
How does that make sense?
When it adds “on a broad level”, it implies you can quantify and aggregate, producing a single number (usually expressed in monetary terms) very different and unrelated sources of risk. For example, it can include risks pertaining to the safety of employees, compliance with applicable laws and regulations, currency fluctuations, ethical conduct, information security, product safety, physical security, energy supply, the actions of third (and fourth) parties, the supply chain, competitor actions, changes in import and other taxes, the economy, natural disasters, the hiring and retention of key employees, employee morale, the advent and adoption of new technology, the reliability of current technology, and many more.
I don’t think it is common sense to express the totality of risk as a single number, a value.
Some risk experts tell me that you have different risk appetites for each of the…
