It is not the front line that decides how much risk to take. It is the board. The total amount of risk pursued as strategy (risk appetite), and the swing an individual risk can bear (tolerance) — approving these two connects to the duties the board owes under Article 362 of the Companies Act. The line of "acceptable range" that a reviewer draws each day, traced back to its source, arrives here as well.

01 Who Decides "How Much to Take"?

There is no management without taking risk. Developing a new drug, an aggressive sales plan — each stands only once uncertainty has been accepted. The question is not "take it or leave it," but who decides how much to take, and who operates within that decision.

So why — leave this to the front line, and each department draws its own line. Sales leans bold; quality assurance leans cautious. If everyone draws the line by personal feel, company-wide consistency breaks down, and somewhere an excessive risk goes unnoticed. So the total amount of risk and the range of tolerance are approved not below the level of execution but above it, by the board. It is the mechanism that lifts risk-taking from individual bravado to organizational will.

02 Appetite and Tolerance — Direction and Threshold Are Not the Same

In practice the two are often conflated, but risk appetite and risk tolerance are different things. The former points to direction and total amount; the latter to an individual threshold.

Appetite

The total amount of risk pursued

Which kinds of risk, and how much of each, the company sets out to take in order to meet its strategic goals. A company-wide orientation — the blueprint for going on the offensive.

Tolerance

The swing that can be borne

For an individual risk, the upper limit of how much variation can be accepted. A concrete threshold drawn within the direction that appetite sets.

Approval

The line the board draws

Both the total amount and the threshold become a company-wide standard only once the board approves them. An appetite without approval stays a line drawn on paper that the front line cannot refer to.

So what — for a reviewer, this distinction bears directly on the work. The question "is this claim too aggressive?" — is it about direction (appetite), or about the threshold of a specific expression (tolerance)? Which one is being asked changes the standard you must hold it against. Direction shows up in management's strategy documents; the threshold shows up in the review standards themselves.

03 Why the Board Approves — The Vessel of Article 362 of the Companies Act

Approving the risk appetite is not a discretionary custom of the board. The Companies Act provides a vessel for it. Article 362, paragraph 4, item 6 makes the establishment of a "system to ensure the propriety of operations" — that is, the internal-control system — a matter reserved exclusively to the board, and paragraph 5 of the same article requires large companies to make that decision.

So why — how the total amount of risk and the range of tolerance are set, and how they are monitored, is precisely part of this internal-control decision. When the board approves the amount, risk-taking is placed inside the system, and one can later trace back "who drew this line." The Corporate Governance Code, Supplementary Principle 4-3④, likewise asks the board to build a company-wide risk-management framework. The structure by which the board approves how much to take is treated in detail in The Board's View, Vol. 7.

04 COSO ERM — Set Appetite as One With Strategy

So how should appetite be set? COSO ERM (2017 revision) presents the idea of setting risk appetite as one with the choice of strategy. Risk is not something managed in a separate box detached from strategy; rather, how much risk to take is woven into the very judgment of which strategy to choose.

So what — what makes the difference here is board oversight. COSO ERM places the setting of appetite within the governance function. Without the backing of oversight in the form of approval, no matter how refined the appetite document, the front line will not treat it as a standard to refer to. An appetite without approval does not function as a line. The aim is not the pursuit of zero risk, but the optimization of risk-taking in light of the objective.

05 To the Materials-Review Floor — Hold the Acceptable Range Against the Appetite Document

Everything sorted out so far connects in a single line to the practice of review. The question a reviewer faces — "is this expression within the acceptable range?" — is, pushed to its end, a question answered by holding it against the company's own risk appetite and tolerance.

So why — if a reviewer is drawing the line by personal feel alone, that is exactly the scattered line-drawing seen in section 01. The basis of the acceptable range lies in the company-wide risk appetite the board approved, and in the review standards that give it concrete form. The review standards can be read as appetite brought down to the floor and made specific. The review line is not the reviewer's own; it is the front edge of the line the board drew. Understanding this, when you send back an aggressive piece of material, you can explain it not as "this is my judgment" but as "this falls outside the appetite the company approved" — in the language of the other side's decision-making.

Key Points — Four to Take Away
  1. Risk appetite is the total amount of risk pursued strategically; tolerance is the swing an individual risk can bear. Direction and threshold are different things.
  2. The approving body is the board. It connects to the internal-control-system decision under Article 362, paragraph 4, item 6 of the Companies Act.
  3. COSO ERM (2017) sets risk appetite as one with the choice of strategy. An appetite without approval does not function as a line.
  4. The "acceptable range" in review is held against the appetite document and the review standards. It is not a line drawn by a reviewer's personal feel.

Sources & References
  1. COSO. Enterprise Risk Management — Integrating with Strategy and Performance (2017). A framework showing that risk appetite is set as one with the choice of strategy and placed under the board's oversight.
  2. Companies Act, Article 362, paragraphs 4(vi) and 5. Item 6 of paragraph 4 makes the establishment of the internal-control system (the system to ensure the propriety of operations) a matter reserved to the board, and paragraph 5 requires large companies to make that decision. The vessel that approves the risk-management framework.
  3. Tokyo Stock Exchange. Corporate Governance Code, Supplementary Principle 4-3④. Provides that the board should appropriately build a company-wide risk-management framework.