3. DETERMINE RISK CRITERIA
• What makes an ERM implementation unique to
• Influenced by business objectives as well as
external & internal context.
• By definition: “terms of reference against which the significance
of risk is evaluated”.
• Types of risk criteria:
– Governance risk criteria
– Assessment risk criteria
5. Risk Capacity
• The board and senior management must understand both individual
outcomes and aggregated outcomes from multiple events that could
cause the organization to cease operations.
• They are responsible not only for determining business objectives, but also
for ensuring the organization survives.
Inadequate cash flow
Violations of laws &
6. Risk Attitude
• Organization’s approach to assess and eventually pursue, retain, take,
or turn away from risk.
• An organization’s risk attitude is essentially its cultural mindset with
regard to risk.
• Risk attitude must be instilled over time
RISK ATTITUDE SPECTRUM
7. Risk Appetite
• Amount of risk, on a broad level, an entity is willing to accept in pursuit
of value (COSO ERM)
• Elements shaping the definition of risk appetite:
– Risk appetite is an integral part of strategic planning
– Not all risk outcomes are easily measurable; qualitative (type) and quantitative
– Appetite may reflect the desire to pursue positive outcomes as well as to minimize
– An organization must accept some level of risk to be successful
• Examples of risk appetite statements:
– Invest at least 15 percent of revenues
– Maintain a debt/equity ratio 1.5 or less
– Put no more than 50 percent capital at risk
– Not build key manufacturing plants in areas prone to floods or earthquakes
8. Risk Tolerance
• Readiness to bear the risk after risk treatment in order to achieve
• Risk-taking boundaries within which managers and employees are
expected to perform in pursuit of the organization’s strategic,
operations, reporting, and compliance objectives.
Annual operating results should not be less than 90 percent of budget
Customer satisfaction rating should meet or exceed 95 percent.
9. Assessment Risk Criteria
• A measure of the size of potential risk
outcomes, should an event occur.
• Impact types include, but are not limited to,
environmental, and safety outcomes.
• Reflects an estimate of the possibility that
risk events will occur and result in the
assessed risk outcomes
10. Inherent Criteria