COSO Committee of Sponsoring Organizations of the Treadway Commission
Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Operating within risk tolerance provides management with greater confidence that the entity will achieve its objectives. Risk tolerance may be expressed in different ways to suit each category of objectives. For instance, when considering financial reporting, risk tolerance is typically expressed in terms of materiality, fn 10 whereas for compliance and operations, risk tolerance is often expressed in terms of the acceptable level of variation in performance.
Risk tolerance is normally determined as part of the objective-setting process, and as with setting objectives, setting tolerance levels is a precondition for determining risk responses and related control activities. Management may exercise significant discretion in setting risk tolerance and managing risks when there are no external requirements. However, when there are external requirements, such as those relating to external reporting and compliance objectives, management considers risk tolerance within the context of established laws, rules, regulations, and external standards.
Senior management also considers the relative importance of competing objectives and the differing priorities for pursuing them. For instance, a chief operating officer may view operations objectives as requiring a higher level of precision than materiality considerations in reporting objectives, and the chief financial officer may take the opposite view. However, it would be problematic for public companies to overemphasize operational objectives to an extent that adversely impacts the reliability of financial reporting. These views are considered as part of the strategic-planning and objective-setting process, with tolerances set accordingly. Such decisions may also affect the level of resources allocated to pursuing the respective objectives.
Performance measures are used to help an entity operate within established risk tolerance. Risk tolerance is often best measured in the same unit as the related objectives. For example, an entity:
- Targets on-time delivery at 98%, with acceptable variation in the range of 97% to 100%
- Targets a 90% pass rate among those taking the training, but accepts a pass rate as low as 75%
- Expects staff to respond to all customer complaints within twenty-four hours, but accepts that up to 10% of complaints may receive a response within thirty-six hours
fn 10 Regulators and standard-setting bodies define the term "materiality." Management develops an understanding of materiality as defined by laws, rules, and standards when applying the Framework in the context of such laws, rules, and standards.
Generated November 9, 2014 22:46:48