No business runs without taking risk. The question is who decides how much to take, and who operates within that decision. This piece reads the framework of "risk appetite" that the board approves against the "acceptable range of expression" in materials review. Where, and by whom, is the line between offense and defense drawn?
01 How Much to Take — The Limit Is Drawn by the Oversight Side
Business is built on top of risk. Developing a new drug, making a new claim — neither moves forward without accepting uncertainty. So the question is not "to take risk or not" but which kinds of risk to take, and how far. This kind and quantity of risk to be taken is what we call risk appetite. The body that approves it is the board. Execution moves inside the approved limit.
There is a reason to separate approval from operation. Put drawing the line and pushing inside it in the same hands, and the limit itself shifts to suit the floor's convenience. The board sets the limit; the representative director and the executive directors operate within it. The separation of oversight and execution works here too. Materials review reads the same way. The review criterion of "how far an expression is acceptable" is the concretization of appetite handed down to the floor. If it is left vague who sets the criteria and who operates them, the review line gets pushed around by the numbers on the floor.
02 Not Zero Risk — The Thinking Behind COSO ERM and ISO 31000
The idea of appetite is not to reduce risk to zero. COSO ERM (2017) and ISO 31000 set out frameworks that integrate risk into governance and strategy, and place the setting of appetite as part of the oversight function. The aim is to optimize risk-taking against one's objectives. Avoid risk too much and you miss the chance to grow; take it without order and you invite collapse. The approved limit is the line drawn between those two extremes.
The Corporate Governance Code points the same way. Principle 4-2 makes it the board's role to put in place an environment that supports appropriate risk-taking by senior management, and at the same time calls for proposals grounded in a sound entrepreneurial spirit to be examined fully from an independent, objective standpoint. It warns against excessive timidity and, in the same breath, asks for a brake. The three elements below are what keep appetite from being "decided and done."
The board draws the limit
The board sets the kind and quantity of risk to be taken. Drawing the line between offense and defense is the oversight body's role, not something dumped wholesale on execution.
Execution moves within the limit
The representative director and the executive directors judge inside the approved limit. The materials-review criteria work as the concretization of appetite handed down to the floor.
The route that raises deviations
The mechanism that lifts signs of crossing the limit from execution up to the board. Without it, even a decided limit leaves operational deviations invisible.
03 Raise It When the Limit Is Crossed — Escalation and Materials Review
Deciding the limit and knowing whether the limit is kept are different problems. Without an escalation route that lifts signs of exceeding appetite from execution up to the board, the approved limit ends as a line on paper. Deviations may occur in operation, yet the oversight side cannot see them. Materials review is the same: whether there is a route to raise materials that exceed the acceptable range, or repeated deviations, to higher levels is what divides a functioning review from a hollow one. Holding criteria is not enough. You need a design in which moves that break the criteria reach the top.
This route is continuous with the operation of internal control itself. If the duty to build an internal control system is the stage of "making the structure," then appetite and escalation are the stage of "keeping the built limit in operation." Where to stop a deviation — on the floor, in the management departments, or in internal audit — overlaps with the division of roles in the three lines of defense, and the evidence that these are actually working becomes the review records taken up in materials review seen from the board. The approved limit, operation within the limit, and the route that raises deviations. Only when these three are in place does risk appetite become a tool of governance.
- The board approves the risk appetite — the kind and quantity of risk to take — and execution moves within that limit. Drawing the line is the oversight side's job.
- COSO ERM and ISO 31000 integrate risk into governance and strategy and place the setting of appetite within the oversight function. The aim is optimization, not zero risk.
- Without an escalation route that lifts signs of crossing the limit from execution to the board, the approved limit becomes a dead letter in operation.
- The "acceptable range of expression" in materials review is the concretization of appetite handed down to the floor. Whether a route exists to raise deviations to higher levels is what divides function from form.
- COSO. Enterprise Risk Management — Integrating with Strategy and Performance (COSO ERM, 2017). A framework that integrates risk appetite into governance and strategy and positions it as part of the oversight function.
- ISO. ISO 31000, Risk Management — Principles and Guidelines. Sets out principles and a framework for treating risk in the context of achieving objectives.
- Tokyo Stock Exchange. Corporate Governance Code, Principle 4-2. Makes it the board's role to put in place an environment that supports appropriate risk-taking by senior management, and calls for independent, objective examination of proposals.