Food for Thought on Risk Appetite
Posted on Feb 2, 2010
A friend of mine, Richard Anderson, has released a new paper on the topic of risk appetite. Richard is an expert on risk management, especially compared to me. True, I have implemented risk management at one company, run it at another, and assessed risks for management for many years as chief audit executive. But Richard not only has greater experience and insight but has been involved in major risk thought leadership for a long time. For example, he quotes from the BS31100 standard, which he developed, as defining risk appetite as the “amount and type of risk that an organization is prepared to seek, accept, or tolerate.”
Another Source of Information on Governance, Risk Management, and Internal Auditing
Posted on Feb 1, 2010
I appreciate the number of people who have taken the time to visit and read my comments on governance. Quite a few have gone to the next level and shared their insights and perspectives with the community, enriching the discussion.
Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls
Posted on Jan 22, 2010
The traditional approach to building the audit plan, consistent with what is described in PwC’s new paper Maximizing Internal Audit, is to identify the higher risks to the organization (including strategic and operational risks as well as financial and reporting risks). The CAE then develops a plan to audit as many of those as he can, given the scarcity of resources, technical skills, etc.
A Closer Look at Governance
Posted on Jan 18, 2010
In my last blog, I promised a look at the elements of governance - a logical next step. Back in December 2007, in the "Governance Perspectives" column of Internal Auditor magazine, I wrote about auditing governance. The article included a sidebar that showed where I see the primary governance activities occurring. Today, I want to review that and go a little deeper. I will use a definition of governance as including the activities of the board and its committees, plus those of the internal audit function and an ethics/compliance officer.
Let's Talk About Governance
Posted on Jan 6, 2010
I have been blogging about GRC (in my personal blog), and it has been interesting to see how many views there are on what governance, risk management, and compliance (GRC) is all about. If you are on LinkedIn, you can see 65 comments on the topic (referencing my blog above) in the "Governance, Risk, and Compliance Management" discussion group.
Not only have there been many different views on what GRC is, but there are different views on what the "G" stands for. The IIA developed a position paper, based on work by the IIA-UK, titled Organizational Governance: Guidance for Internal Auditors. In it, they said: “There is no single, comprehensive, universally accepted definition of organizational governance.” How can auditors assess governance processes and practices, with related controls, when the term governance is not defined? If we look at some authoritative sources, we can work this out.
What is "Risk-based" Auditing?
Posted on Jan 4, 2010
For the last month or two, I have been working on an IIA Practice Advisory on how to define which controls to include in the scope of an audit (hopefully, to be issued in early 2010). It is based on the popular Guide to the Assessment of IT Risk (GAIT) methodology (available to members here).
How Do You Determine Whether the Risk Management Process Is "Effective"?
Posted on Jan 4, 2010
Tim Leech and I have been sharing our own perspectives on this question and would like your views.
Risk Is Not a Quarterly Exercise; It Should Be a Way of Life
Posted on Nov 28, 2009
The International Organization for Standardization (ISO) recently released a new risk management standard: ISO 31000. It prompted me to think about what really matters — what makes an organization effective in managing risk.
Our Job Is Not to Perform Audits
Posted on Nov 17, 2009
If you ask auditors what they do, most will answer that they perform audits. They may vary on that theme by saying that they assess and test controls, add value, identify control weaknesses, or similar; but if they say or imply that their job is to perform audits, then they are mistaken.
The Auditor as Judge of Acceptable Risk Levels and Advocate for Risk Management
Posted on Oct 29, 2009
When internal auditors assess the adequacy of controls, we should consider whether the level of risk to the organization is at an “acceptable level” (see IIA International Standard 2201). When that level of risk is “unacceptable” in the opinion of the auditor, there is an obligation to “discuss the matter with senior management” and the matter will be included in the formal audit report (quotes are from Standard 2600).