In recent years, many companies have scrambled to meet the stringent post-recession regulatory requirements by instituting new ERM plans or augmenting existing programs. However, regulatory compliance is not enough. In order for ERM to create value, companies must seamlessly integrate risk practices into the organization's day-to-day business processes at every level. A key lever for this is to implement a comprehensive risk policy that establishes metrics, exposure limits, and governance processes to ensure enterprise-wide risks are within acceptable levels.
At the heart of such a policy is the risk appetite statement (RAS). An RAS is a concise document that provides a framework for the board of directors and management to address fundamental questions with respect to strategy, risk management, and operations, including: