What Is Risk Appetite and How Can We Audit It?

 Written by 
Alon Kohalny, Adv. (LLB), CRMA


As the risk management approach becomes increasingly dominant, the practice of identifying and assessing risks has become one of the most important practices in the public sector. One sign of this is that more and more regulators are issuing directives requiring the adoption of risk management models.

At a practical level, this forces management to confront risks and to make decisions about the risks to which the organization is exposed. These decisions are known as risk appetite, and they are at the heart of how a board investigates the extent of the risks to which its organization is exposed and determines which are acceptable, which should be mitigated, and which are unimportant.

However, risk appetite goes beyond that. The process, and the decisions it involves, may affect an organization's strategy and its decisions about how to mitigate risks, and which controls to put in place (with the associated, often substantial, costs).

In light of the importance of the issue of risk management, there is no doubt that internal auditors should be required to audit it, and indeed the IIA standard 2120 states that "the internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management process."

So what are the key principles of risk appetite, what challenges does it involve and can we establish a model for auditing risk appetite? Risk management may set challenges for internal auditors, but it also opens a window of opportunity to influence and provide added value to the organization.

What is risk appetite?

Before investigating the definition of risk appetite, let's take a look at the process of risk management. It is clear that the measures taken to mitigate the risk affect the residual risk. When management identifies a substantial risk, which is beyond its risk appetite, it will take measures to reduce this to an acceptable level.

Dealing with risks requires organizations to prepare themselves and to allocate resources to risk mitigation. In some cases, the costs are high and the likelihood of the event so low that the management decides to be indifferent to the risk. This decision over whether management is willing to take a particular risk is defined as risk appetite.

Risk appetite is determined by an organization's board. As with any other business decision, internal audit may need to assess how reasonable this decision is. Furthermore, the International Professional Practices Framework (IPPF) requires internal audit to report any unreasonable risk-taking to the audit committee. Internal auditors must be aware of the risk appetite of the organization so they can:

  • Plan a suitable audit program – this should focus on areas that have been defined as substantial risks and should assess the board's risk management decisions.
  • Supervise the risk management process.

COSO guidelines
In January 2012, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its thought leadership document on risk appetite. Although it is not an official authority, COSO's guidelines for control and risk management are well known and many organizations and regulators act or require others to act in accordance with them.

According to COSO, risk appetite is "the amount of risk, on a broad level, an entity is willing to accept in pursuit of value", whereby this decision is aligned with the organization's objectives. To do this, according to COSO, the following three stages are necessary:

1. Develop risk appetite
There is no single model of risk appetite that applies to all organizations. Rather, management and the board must choose their organization's risk appetite, understanding the trade-offs involved.

2. Communicate risk appetite

Several common approaches are used to communicate risk appetite. First, create an overall risk appetite statement that is broad yet descriptive enough for organizational units to manage their risks consistently within it. Second, communicate risk appetite for each major class of organizational objectives. Third, communicate risk appetite for different categories of risk.

3. Monitor and update risk appetite
Risk appetite should be constantly reviewed. The board should monitor activities to check they are consistent with the organization's risk appetite and focus on creating a culture that is risk-aware.

Determining risk appetite requires a joint effort by management and the board to set the guidelines and align these with stakeholder expectations – so risk appetite is the level of accumulated risk the organization can withstand and successfully manage in the long term.

Organizational goals and objectives should be aligned with stakeholder demands. In order to determine risk appetite, it is necessary to identify the potential risks for each of the organization's objectives, and to define the limits of the risk that are tolerable and acceptable. To determine the acceptable level of risk, your organization needs to consider the range of risks which, if they were to occur, would damage its ability to achieve its objectives. Ultimately, the responsibility for this decision lies with the board.

A practical test for establishing the tolerance range for each risk has been proposed by Fred Tavan in his Enterprise Risk Management Specialty Guide (2006): 

  • High end: the level of risk you’re happy to live with before you do something about it.
  • Low end: the amount of risk you’re prepared to take that is high enough to produce the reward necessary to achieve company objectives.

Setting trigger points within these boundaries should provide an early warning that certain action(s) should be taken to avoid hitting the upper and lower limits. The risk appetite is the aggregate of these risk limits/tolerances.

Auditing risk appetite
The board determines the risk appetite at the highest organizational level, but how do board members know it is being implemented? Internal audit can provide independent feedback and can also help decision-makers to ensure that the risk appetite definition is detailed and comprehensive.

Internal audit can also provide assurance for all of the organization's activities, including risk management processes (from planning to implementation). It can look at everything from whether the board/management has identified all the main risks (including estimating the effectiveness of controls in mitigating risk) to whether estimates and reporting of the risks and the controls are reliable. These tasks require considerable resources.

But how do you audit risk appetite, given that it is based on a decision which is sometimes declarative and sometimes refers to the future, or to processes that don't occur within the organization (such as competitors' behavior, regulation, political or security situations)?

First, since this is an executive decision, internal auditors have enough tools to investigate whether the decision is reasonable in terms of alignment with the organization's goals. However, this is not enough. Because of the importance of the decision it is necessary to conduct a comprehensive audit. There is not yet any accepted practice in this field, so this is a suggested model to provide structure for auditing risk appetite:

Decision-making process

  • Decision-making body – were the decisions made at the appropriate ranks?
  • The discussion – was there a thorough, detailed discussion?
  • The quorum – were most of the board members present?
  • Presence of functionaries – were central figures from the organization present?
  • Professionals – were risk management professionals involved or consulted?
  • Assessments and statement of opinion – was the discussion based on assessments, value estimations and professional statements of opinion?

The basis for the decisions

  • If a risk survey was conducted, was it conducted by an objective professional?
  • Was the risk appetite established in accordance with the risk map (as derived from the risk survey)?
  • Does the risk appetite relate to all of the existing risks (the risk universe)?
  • Were the decisions made in accordance with an established framework (such as COSO framework)?

The nature of the decision

  • The level of reference – is the risk appetite decision general, or does it refer in detail to each element?
  • The level of detail – is the level of reference to each element general or specific (for example, does it relate to the different aspects involved in, or affecting, the level of risk exposure)?

Focus of the decision

  • Does the risk appetite decision relate to the following?
    1. Market risks
    2. Interest risks
    3. Operational risks
    4. Environmental risks
    5. Reputational risks
    6. Legal risks
    7. Regulatory risks
  • Does the risk appetite decision relate to mitigation strategies such as:
    1. Procedures
    2. Control processes
    3. Physical protection
    4. Logistical protection
    5. Insurance
  • Does the risk appetite decision refer to residual risk, that is the risk which remains after the relevant controls and mitigation strategies are in place?


  • Fit to strategy – do the decisions match or fit the organizational strategy?
  • Fit to decisions/plans – do the decisions fit organizational plans or decisions? (For example, is the decision not to enter a certain market in sync with the organization's plans?)
  • Fit to budget – do the decisions fit the organization's budget? (For example, where there is a decision to buy a specific insurance policy, is there an approved budget source?)
  • Is the risk appetite clearly phrased, not vague or abstract?
  • Has the risk appetite been communicated to the organization's employees?
  • Is the risk appetite presented in such a way that it is clear which risks are relevant to which business unit so that the manager of each unit will know his or her responsibilities in terms of risk appetite?


  • Does the organization have monitoring systems for risk appetite?
  • Does management discuss the need to re-assess the risk appetite periodically?

Risk management is an important, if not the most important, management practice, as it forces decision-makers to examine risks in a structured way. The result of this intellectual effort is the "risk appetite", a decision on how the organization will relate to risks: will it be indifferent to them, or will it take steps to reduce the risks to the level defined by its risk appetite (the level of risk the organization is capable or willing to be exposed to)?

Since this is a holistic practice that affects the organization's goals and objectives, it is extremely important to audit the process of determining risk appetite and the reasonableness of the decisions derived from it.

The IPPF requires internal auditors to audit the organizational risk management procedure, and risk appetite is a fundamental element of this. It is therefore necessary to develop tools to help this process. Internal auditors who address this critical issue will be doing an important service for their organizations, and such tools will help them to give assurance on one of the most important and challenging processes facing management in the 21st century.
