The Hunger for Risk Appetite

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

There is no doubt that when it comes to risk, the internal audit profession is maturing. A few years ago, annual risk assessments were considered a leading practice but were not even required under our professional standards. Today, documented risk assessments are mandated at least annually. Many audit executives see a need for more frequent assessments, and a growing number of executives are shifting toward a continuous risk assessment model. We are spending more and more time and resources assessing risk — but unless there is a shared vision on risk appetite within the enterprise, the full benefit of any risk assessment is unlikely to be realized.

The Committee of Sponsoring Organizations of the Treadway Commission has defined risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.” Delineation of an entity’s risk appetite should be a collaborative effort on the part of management and the organization’s board of directors. In the end, I believe the risk appetite must be aligned with the expectations of stakeholders.

I came across an article last week that stated investors’ risk appetites were waning because of economic conditions. I don’t actually know that appetites for financial risk are waning — the article offered only limited support for this conclusion. But one thing is clear: Risk tolerance changes over time. Even if the management, board, and other stakeholders at your organization held a shared vision of risk a year ago, they might not agree today.

Why is all of this important for internal auditing? Simply put, risk appetite lies at the heart of how our organizations choose to do business — including how we make decisions regarding internal auditing. Without a clear consensus on risk appetite, our basis for budgeting and scheduling internal audit activities is weak.

I believe that all too often our approach to risk is entirely backwards. While we have become diligent about asking various members of management where the greatest risks lie, we often ignore risk appetite and create audit budgets that closely resemble those of the previous year, plugging in as many audit engagements as fit neatly within that budget. Our risk assessments may help determine which audits are most important, but they cannot be used to determine how many audits are justified, because either there is no consensus on risk appetite or, if there is, we have not explored it.

Ideally, this approach to risk should be reversed. The audit plan should be the basis for the budget, rather than the budget being the basis for the plan. A defined statement on risk appetite should help to determine which risks the organization is willing to take, which in turn helps define which areas need audit attention, which then should help determine the audit budget.

At many organizations, even the term risk appetite is undefined. There is no formal, written statement on risk appetite that includes both qualitative and quantitative factors. If such a statement exists, it may or may not be embedded into strategies and decision-making throughout the organization. How much cash flow are we willing to risk? What are the boundaries for acceptable levels of market risk, credit risk, or legal compliance risk? Without a clear statement on these and other types of risk, a well-supported audit recommendation might become no more than a subjective opinion.

Just performing an annual risk assessment is no longer enough. Where there is no consensus on risk tolerance, it is our duty to help our stakeholders develop a real hunger for understanding their own risk appetites. Without clear understanding and agreement on the organization’s risk appetite, we will never know how best to focus our limited resources. I believe our organizations’ risk appetites should set clear tolerance levels and boundaries for various controls, including both the controls that we audit and the essential control of internal auditing itself.

Posted on Jul 28, 2011 by Richard Chambers

  1. Richard, thank you for raising such an important topic and I agree with a great deal of what you have written. Some observations:

    • As internal auditors, we should be concerned about situations where the actual level of risk (the residual risk) is greater than the risk tolerance/appetite.
    • We should only recommend control enhancements where they bring the residual risk level in line with tolerance. If risks are already below tolerance, we are probably making the system more inefficient rather than adding value by asking that controls be tightened. Too many auditors recommend reducing risk without understanding what is the desired level of risk for the organization.
    • The risk tolerance level should not drive the plan directly. The risk-based audit plan should be based on a combination of (a) the difference between maximum exposure if controls fail (some call this inherent risk) and residual risk - because this is the effect of internal controls on the level of risk, and the higher it is the more impact a control failure will represent; (b) whether residual risk is higher than risk tolerance; and (c) the actual level of residual risk.
    • I agree that best practice is to audit today's risks, rather than the risks as they appeared when an annual assessment was performed. This requires that the auditor monitor risks frequently and have an agreement with the audit committee that the audit plan is flexible.
    • I also agree that risk appetite/tolerance changes. It is interesting to ask managers/process owners what their risk tolerance or appetite is. When they have no idea, there is a 'learning opportunity' for internal audit to leverage and add value. It also raises the question of how they can know whether their processes are effective in managing risk and running the business.


  1. I know how much you recognize the importance of risk management and that it is essential for all internal auditors to learn and apply its principles in their professional practice. Thank you again for raising the topic.

  1. Absolutely agree with you, my dear friends. But the risk appetite is not an operational decision; it is rather a part of the strategic vision, which means the definition of the risk appetite is the prerogative of the shareholders and only the shareholders.

  1. I don’t really know if it’s true, but I heard that there was an unofficial referendum and more than 50% of CEOs voted not to have an internal audit function because of its uselessness. Brrr…

  1. Where can I find a good comprehensive formal statement of some company's risk appetite?

  1. I absolutely agree with the notion that comprehensive risk assessments are essential for determining the audit universe and that planning should reflect the outcomes of the risk assessments, driven by a clear understanding of the risk appetite of the organization. I believe Mr. Marks is absolutely correct that once the risk appetite is understood, both residual and inherent risks must be considered. That mix is most likely based on experience with the organization and how well controls have stood up in the past. Mr. Chambers is absolutely correct in his assertion. The board understands risk appetite, risk managers understand risk appetite, senior auditors understand risk appetite, but that is about it. Down in the depths of the organization, where middle management and staff auditors reside, that focus is often lost. Mr. Chambers is correct, we must do a better job of educating our stakeholders. I happen to try and do this during an entrance meeting (if time is allowed). If I don't, then I'm just the auditor calling management's baby ugly, without justification. If I am understood, then I have added value during a risk-based approach.

  1. Timely article! Especially the reference to the importance of risk appetite to internal auditing.

    Std 2600, on Resolution of Management's Acceptance of Risks, (together with the Glossary definition of risk appetite) is to me fundamental to how we approach internal auditing, in that it specifies which risks may be taken to the Board for resolution if disagreement on their acceptance by management is not resolved through discussion with Senior Management: those on which the CAE believes management has accepted a level of residual risk unacceptable to the organisation. My understanding is that such belief would only be justified if the "level of residual risk unacceptable to the organisation" is specified through the risk appetite. If the residual risk rating is above the risk appetite, the issue may be taken to the Board if not resolved with Senior Management. If not, it may not be.

    The residual risk rating would in normal circumstances, (ashamed at even having to add this qualification) only be higher than the risk appetite if the inherent risk rating was higher than the risk appetite. This leads us to the definition of significant risks as being those with a higher inherent risk rating than the risk appetite and vice versa for insignificant risks. Common sense really, because a risk with an inherent risk rating lower than the risk appetite implies that, even in the absence of controls, its impact on the objectives of the organisational level it occurs in, is acceptable. Why then waste resources controlling it? Our job as internal auditors (and also of management) is to concern ourselves with significant risks at each level of an organisation.

  1. This leads to the view that, at each level, (from the top to the bottom), a risk appetite needs to be specified for each risk as it is identified, AFTER THE INHERENT RISK ASSESSMENT of such risk. By whom? By the level/body which would hold the level, where the risk occurs, accountable. The risk owner is not the appropriate person to specify the risk appetite, given its accountability implication, nor is it appropriate for the higher level to change the risk ratings of the risk owner, as this would undermine the risk owner. Through the risk appetite, a risk owner is being instructed to either do something or nothing about each particular risk, depending on whether it is higher or lower than the risk appetite. So, at every level of the organisation, a risk appetite should be specified for each risk (the risk may be a consolidation of risks) at the appropriate time in the risk management process.

    An unstated assumption throughout here has been that management at the respective levels know how to set the risk appetite. But what if they don't? I think this is where, as in any of the governance, risk management and control processes, the consulting aspect of internal auditing should kick in.

    Where a risk appetite is correctly specified, each level simply uses it to distinguish between significant and insignificant risks for the level below it; the risk-owning level utilises organisational resources to lower the residual risk rating of significant risks to below the risk appetite; and internal auditors are able to execute their consulting and assurance responsibilities in accordance with the standards and specifically, with reference to risk management, the interpretation to Std 2110.

    I could not agree more with Richard's words, "Simply put, risk appetite lies at the heart of how our organisations choose to do business - including how we make decisions regarding internal auditing."

  1. Richard, my apologies, but your use of terminology prevented me from 'getting it' until just now.

    I believe the point is this:

    1. Internal audit should build the audit plan to address the more significant risks to the organization.
    2. That understanding of risk should be as current as possible, so we are auditing what is important now, not what was considered a major risk some months ago. This requires more continuous updating of the risk assessment and audit plan.
    3. When the organization has a higher risk appetite, and assuming that each risk area remains at the same risk level, then it is highly likely that fewer risk areas would qualify as "major risk areas".
    4. In principle, the higher the risk appetite, the smaller the audit plan.
    5. BUT, this is predicated on the organization having effective ERM in place. That is what will drive the determination of risk appetite AND is also required if the risk appetite is going to be compared in a meaningful way to the enterprise risk assessment. When internal audit has an independent risk assessment process going, it is HIGHLY unlikely that its assessment of risk levels can be compared in a meaningful way to the organization's risk appetite. So, internal audit should find a way to leverage the ERM. Internal audit should assess and provide a formal report on the adequacy of enterprise-wide risk management; if there is none, or it is immature, we should provide consulting support to help it mature - and report on its status to the board.

    Continued below

  1. Continued:
    6. BUT, it is not enough for us to encourage management to understand their risk appetite if they (a) don't understand risk levels, and (b) don't act to manage any excess.
    7. BUT, a change in risk appetite does not necessarily mean that the audit plan should change. After all, appetite may only change by a relatively small percentage of the risk level. In addition, risk appetite is not necessarily the only criterion used to evaluate risk (which is why ISO 31000:2009 uses the term risk criteria instead of risk appetite).

    I would appreciate your comments on this interpretation of your post.


  1. I have to admit that my response did not address the central and core issue made by the President & CEO of the IIA in this post.

    I have been revisiting the post and eventually got it - the gist is in paragraphs 4 to 6.

    I had focussed on the use of the risk appetite to distinguish between significant and insignificant risks (at the inherent risk stage) and at the residual risk stage, between significant risks which have been adequately addressed from those which are not.

    Richard's suggestion, which he puts beautifully, is that, "The audit plan should be the basis for the budget, rather than the budget being the basis for the plan."

    As a fundamental principle, AGREED!

    But we know there will never be enough funds for the internal audit activity to cover ALL the significant risks in ALL the areas which need audit attention.

    This is where the "clear consensus on risk appetite" and due professional care come in.

    Per my earlier response, a clear consensus on risk appetite will lead to a focus on only significant risks and provide the criteria for assessing how well or badly these are managed.

    Due professional care, based on the application of the risk appetite at the residual risk stage, will ensure that the appropriate engagements are scheduled:

    Assurance engagements - Std 1220.A1 - "Internal auditors must exercise due professional care by considering the ... Cost of assurance in relation to potential benefits."

    Consulting engagements - Std 1220.C1 - "Internal auditors must exercise due professional care during a consulting engagement by considering the ... Cost of the consulting engagement in relation to potential benefits."