I don't usually cross-post from my personal blog to this InternalAuditor.org blog, but the topic of risk appetite is important for internal auditors. If we are to assess whether risk management and related controls are effective, the issue is whether they manage risks to the levels desired by the company.
So, I ask that you read the post (here) and consider these questions:
- How do we, as internal auditors, advise management and the board to establish risk appetite/tolerance levels?
- Should we help them understand that it is OK to accept higher levels of risk when the potential for reward is higher?
- How do we determine whether managers making decisions as part of their daily tasks are accepting the right level of downside risk?