The agile risk appetite | Norman Marks on Governance, Risk Management, and Audit


If you have been reading this blog or my books, you know I have significant reservations about the concept of “an amount of risk” that would be acceptable in pursuit of objectives.

However, I recognize the need for limits and policies when it comes to risk-taking. They help guide decision-makers on what risks and outcomes are desirable to leaders of the organization. We could call them ‘risk criteria’ (ISO), while some refer to them as ‘risk appetites’ or ‘risk tolerances’ (COSO). I prefer to avoid those terms as they focus on ‘risk’ with the inevitable negative connotation (i.e., we must manage or mitigate risk) instead of guiding people to take the right level of the right risks in the circumstances (such as the potential for reward). Let’s use ordinary business language instead of risk technobabble.

For example, these are useful:

  • Spending approval authorities
  • Credit limits
  • Policies on the level of credit that can be given to customers, with escalation to more senior individuals or even the board as needed
  • Approval levels for capital expenditures, including reserving certain expenditures to the CEO or the board
  • Policies on who can approve journal entries, purchase orders, inventory write-offs, etc.
  • Policies with limits on the use of derivative instruments
  • Policies on commodity or…
