There is no doubt that when it comes to risk, the internal audit profession is maturing. A few years ago, annual risk assessments were considered a leading practice but were not even required under our professional standards. Today, documented risk assessments are mandated at least annually. Many audit executives see a need for more frequent assessments, and a growing number of executives are shifting toward a continuous risk assessment model. We are spending more and more time and resources assessing risk — but unless there is a shared vision on risk appetite within the enterprise, the full benefit of any risk assessment is unlikely to be realized.
The Committee of Sponsoring Organizations of the Treadway Commission has defined risk appetite as "the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value." Delineation of an entity's risk appetite should be a collaborative effort on the part of management and the organization's board of directors. In the end, I believe the risk appetite must be aligned with the expectations of stakeholders.
I came across an article last week that stated investors' risk appetites were waning because of economic conditions. I don't actually know that appetites for financial risk are waning — the article offered only limited support for this conclusion. But one thing is clear: Risk tolerance changes over time. Even if the management, board, and other stakeholders at your organization held a shared vision of risk a year ago, they might not agree today.
Why is all of this important for internal auditing? Simply put, risk appetite lies at the heart of how our organizations choose to do business — including how we make decisions regarding internal auditing. Without a clear consensus on risk appetite, our basis for budgeting and scheduling internal audit activities is weak.
I believe that all too often our approach to risk is entirely backwards. While we have become diligent about asking various members of management where the greatest risks lie, we often ignore risk appetite and create audit budgets that closely resemble those of the previous year, plugging in as many audit engagements as fit neatly within that budget. Our risk assessments may help determine which audits are most important, but they cannot be used to determine how many audits are justified because there is no consensus on risk appetite, or if there is, we have not explored it.
Ideally, this approach to risk should be reversed. The audit plan should be the basis for the budget, rather than the budget being the basis for the plan. A defined statement on risk appetite should help to determine which risks the organization is willing to take, which in turn helps define which areas need audit attention, which then should help determine the audit budget.
At many organizations, even the term risk appetite is undefined. There is no formal, written statement on risk appetite that includes both qualitative and quantitative factors. If such a statement exists, it may or may not be embedded into strategies and decision-making throughout the organization. How much cash flow are we willing to risk? What are the boundaries for acceptable levels of market risk, credit risk, or legal compliance risk? Without a clear statement on these and other types of risk, a well-supported audit recommendation might become no more than a subjective opinion.
Just performing an annual risk assessment is no longer enough. Where there is no consensus on risk tolerance, it is our duty to help our stakeholders develop a real hunger for understanding their own risk appetites. Without clear understanding and agreement on the organization's risk appetite, we will never know how best to focus our limited resources. I believe our organizations' risk appetites should set clear tolerance levels and boundaries for various controls, including both the controls that we audit and the essential control of internal auditing itself.