Alon Kohalny, Adv. (LLB), CRMA
At a practical level, this forces management to confront risks and to make decisions about the risks to which the organization is exposed. These decisions are known as the risk appetite, and they are at the heart of how a board investigates the extent of the risks to which its organization is exposed and determines which are acceptable, which should be mitigated, and which are unimportant.
However, risk appetite goes beyond that. The process, and the decisions it involves, may affect an organization's strategy and its decisions about how to mitigate risks, and which controls to put in place (with the associated, often substantial, costs).
In light of the importance of the issue of risk management, there is no doubt that internal auditors should be required to audit it, and indeed the IIA standard 2120 states that "the internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management process."
So what are the key principles of risk appetite, what challenges does it involve and can we establish a model for auditing risk appetite? Risk management may set challenges for internal auditors, but it also opens a window of opportunity to influence and provide added value to the organization.
What is risk appetite?
Before investigating the definition of risk appetite, let's take a look at the process of risk management. It is clear that the measures taken to mitigate the risk affect the residual risk. When management identifies a substantial risk, which is beyond its risk appetite, it will take measures to reduce this to an acceptable level.
Risk appetite is determined by an organization's board. As with any other business decision, internal audit may need to assess how reasonable this decision is. Furthermore, the International Professional Practices Framework (IPPF) requires internal audit to report any unreasonable risk-taking to the audit committee. Internal auditors must be aware of the risk appetite of the organization so they can:
In January 2012, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its thought leadership document on risk appetite. Although it is not an official authority, COSO's guidelines for control and risk management are well known and many organizations and regulators act or require others to act in accordance with them.
According to COSO, risk appetite is "the amount of risk, on a broad level, an entity is willing to accept in pursuit of value", whereby this decision is aligned with the organization's objectives. To do this, according to COSO, the following three stages are necessary:
1. Develop risk appetite
There is no single model of risk appetite that applies to all organizations. Rather, management and the board must choose their organization's risk appetite, understanding the trade-offs involved.
2. Communicate risk appetite
Several common approaches are used to communicate risk appetite. First, create an overall risk appetite statement that is broad
3. Monitor and update risk appetite
Risk appetite should be constantly reviewed. The board should monitor activities to check they are consistent with the organization's risk appetite and focus on creating a culture that is risk-aware.
Determining risk appetite requires a joint effort by management and the board to set the guidelines and align these with stakeholder expectations – so risk appetite is the level of accumulated risk the organization can withstand and successfully manage in the long term.
Organizational goals and objectives should be aligned with stakeholder demands. In order to determine risk appetite, it is necessary to identify the potential risks for each of the organization's objectives, and to define the limits of risk that are tolerable and acceptable. To determine the acceptable level of risk, your organization needs to consider the range of risks which, if they were to occur, would damage its ability to achieve its objectives. Ultimately, the responsibility for this decision lies with the board.
A practical test for establishing the tolerance range for each risk has been proposed by Fred Tavan in his Enterprise Risk Management Specialty Guide (2006):
Setting trigger points within these boundaries should provide an early warning that certain action(s) should be taken to avoid hitting the upper and lower limits. The risk appetite is the aggregate of these risk limits/tolerances.
Auditing risk appetite
The board determines the risk appetite at the highest organizational level, but how do board members know it is being implemented? Internal audit can provide independent feedback and can also help decision-makers to ensure that the risk appetite definition is detailed and comprehensive.
Internal audit can also provide assurance for all of the organization's activities, including risk management processes (from planning to implementation). It can look at everything from whether the board/management has identified all the main risks (including estimating the effectiveness of controls in mitigating risk) to whether estimates and reporting of the risks and the controls are reliable. These tasks require considerable resources.
But how do you audit risk appetite, given that it is based on a decision which is sometimes declarative and sometimes refers to the future, or to processes that don't occur within the organization (such as competitors' behavior, regulation, political or security situations)?
First, since this is an executive decision, internal auditors have enough tools to investigate whether the decision is reasonable in terms of alignment with the organization's goals. However, this is not enough. Because of the importance of the decision it is necessary to conduct a comprehensive audit. There is not yet any accepted practice in this field, so this is a suggested model to provide structure for auditing risk appetite:
The basis for the decisions
The nature of the decision
Focus of the decision
Risk management is an important, if not the most important, management practice, as it forces decision-makers to examine risks in a structured way. The result of this intellectual effort is the "risk appetite", a decision on how the organization will relate to risks: will it be indifferent to them, or will it take steps to reduce the risks to the level defined by its risk appetite (the level of risk the organization is capable or willing to be exposed to)?
The IPPF requires internal auditors to audit the organizational risk management procedure, and risk appetite is a fundamental element of this. It is therefore necessary to develop tools to help this process. Internal auditors who address this critical issue will be doing an important service for their organizations, and such tools will help them to give assurance on one of the most important and challenging processes facing management in the 21st century.