A twist on risk appetite
The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.
compliance
Upgrade to effective GRC
I joke about what GRC means. Apart from the IIA (who talk about governance, risk, and controls), everybody knows that the acronym stands for Governance, Risk Management (or ERM), and Compliance.
Is there an effective risk culture?
If you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.
