iTTi Gloss: Risk appetite
“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”
Source: Dr. Rittenberg, Larry; Martens, Frank. “Enterprise Risk Management — Understanding and Communicating Risk Appetite”. COSO, January 2012.
“An organisation's IT risk appetite is a subset of its overall enterprise risk appetite and therefore cannot be developed in isolation. It is ultimately the responsibility of the board of directors to define an organisation's risk appetite based on input and recommendations of senior management. […] For each risk element identified, the amount of risk that is acceptable for that element needs to be defined. For instance, because the business depends on IT for frequent enhancements to its customer-facing systems, it requires projects to be delivered on time and on budget.”
Source: Simmons, Craig. “Organisations must define their IT risk appetite and tolerance”. CIO UK, 5 July 2010.
Risk appetite (or its opposite 'risk aversion') is a key issue in business models, strategies, policies and plans. COSO II, among others, treats it in detail.
Quite often one's eyes are bigger than one's stomach! The governing body shall set and communicate a clear stance on corporate risk appetite and shall ensure, by supervision, that the right procedures are in place and are enforced and monitored.
Related perspectives:
1.- iTTi Gloss: Corporate Governance of IT
2.- Origin and evolution of the concept "Corporate Governance of IT"
3.- COBIT 5, a business framework?