If strategy is doing the right things whereas operations is doing things right, then risk management is the capability of doing both effectively under uncertainty. Organizations face uncertainty in many forms. In addition to strategic and operational risks, they face financial, legal/compliance, and reputational risks. Enterprise risk management (ERM) is a global, widely accepted approach to identifying, assessing, measuring, and managing the key risks faced by an organization, including the critical interdependencies between the risks.

    During the global financial crisis of 2008, many companies around the world were caught off guard by unknown risks or under-reported risk exposures embedded in their businesses. Moreover, the financial losses and economic impact were magnified by the systemic risks associated with financial counterparties, business partners, and macroeconomic and intercountry linkages. In the aftermath, governments and regulators have imposed much higher regulatory standards and capital requirements. As a result, corporate boards and executives have accelerated their investments in ERM.

    An integral part of ERM is the development of key risk metrics, exposure limits, and governance and oversight processes to ensure enterprise-wide risks are within acceptable and manageable levels. A best-practice approach to addressing these requirements is to implement a clearly defined risk appetite statement (RAS). Corporate directors who are ultimately responsible for overseeing the risk management of their companies recognize this need. According to a 2013-2014 National Association of Corporate Directors (NACD) survey, only 26% of companies have a defined risk appetite statement.

    An RAS provides a framework for the board of directors and management to address some fundamental questions with respect to strategy, risk management, and operations, including