A document format allowing the organisation to document and evidence its approach to risk management.
The organisation’s risk appetite includes qualitative statements as well as quantitative measures. It is the amount of risk that the organisation is willing and able to bear, expressed as the combination of:
a) Enterprise Risk Objectives: statements that define the critical high-level risk goals in line with the organisation’s overall strategy.
b) Risk Category Objectives: specific statements for each category of risk within the organisation’s risk universe defining the amount of risk the organisation is willing to bear in each category of risk, in line with the Risk Objectives.
c) Risk Tolerances: the aggregate level and type of risk the company is willing to assume within its risk capacity to achieve its strategic objectives and business plan. Risk tolerances are expressed qualitatively and quantitatively.
d) Risk Limits: quantitative measures that allocate the company’s aggregate risk appetite to business lines, specific risk categories and other items as appropriate.