It is amazing to me that one of my most popular blog posts every month is “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!…
Norman usually has good comments on the topics of risk management, internal controls and internal audit. If you are interested in these topics you should read his blog. If the following link works, here is the link to PWC’s publication, http://www.pwc.com/en_US/us/corporate-governance/publications/assets/pwc-risk-appetite-management.pdf
Not to be critical of PWC, but I don’t find their publication very helpful. It’s too general. What does it really mean? Can a board member satisfy his or her risk oversight duties by asking the general questions that PWC provides? Perhaps. But of course the questions don’t go far enough. It is nowhere near enough inquiry, but it is a starting point.
Risk management is a continual, ongoing task. Identify the categories of risk; identify the specific risks or areas of risk within each category; evaluate, for each risk, the seriousness of the consequences if it occurs and the likelihood of its occurring, which should help guide your “risk appetite” (those of you who have read my posts know that I don’t like the current definitions and uses of the terms risk appetite and risk tolerance); evaluate the risk management processes currently in place for each risk; design and implement new or improved risk management processes for each risk as deemed necessary; appoint the person or people responsible for, and owning, the risk area(s) and processes; set deadlines; monitor; follow up; improve; and on and on.
The board is responsible for oversight. If risk oversight is included in the audit committee’s charter, the audit committee had better know what it is supposed to do and what it is actually doing. Consider whether the board should have a separate risk management committee. I prefer the term risk and uncertainty management, but whatever.
See on normanmarks.wordpress.com