Management should clearly define the amount of risk that it is willing to assume in the pursuit of value and understand how governance, compliance and ethics risks fit into this overall picture. Defining and understanding the risk appetite helps management make important tradeoffs when pursuing a strategy that may include inherent risks.

It should be clear that no matter how great the risk appetite, an entity must not choose to ignore the law. An entity must take steps to ensure compliance with legal obligations. That said, an entity may consider allocating resources differently to address legal risks, or may choose to use more advanced approaches to respond to some risks, while using more basic approaches to respond to others.