Considering Fraud Risk and Appetite

Norman Marks on Governance, Risk Management, and Internal Audit
Apr 7, 2026

Key Takeaways

  • Fraud tolerance is often expressed as percentages, not dollar amounts.
  • Revenue dependence can override zero‑tolerance policies.
  • Shrink target of ~1.25% guides control investments.
  • Side‑letter schemes expose risk of favored executives.
  • Effective appetite balances control cost against loss reduction.

Pulse Analysis

Risk appetite, as defined by COSO, describes the amount of risk an organization is willing to accept in pursuit of value. In practice, translating that abstract concept into fraud management is fraught with challenges. Executives often default to monetary figures, yet real‑world decisions hinge on percentages, trends, and the incremental cost of controls. This shift from dollar‑based thresholds to relative metrics reflects a deeper need for flexibility, allowing firms to adapt to dynamic threat landscapes while maintaining strategic focus.

The article’s three anecdotes underscore how businesses navigate this tension. A U.S. firm kept a fraudulent head of sales because his client relationships were deemed indispensable, revealing that revenue dependence can outweigh a formal zero‑tolerance stance. In contrast, Tosco’s Circle K stores adopted a concrete shrink target of 1‑1.5% of sales, using that benchmark to calibrate security investments and trigger managerial action when trends deviated. Meanwhile, a software company’s vice‑president leveraged side‑letter discounts, exposing how personal influence can complicate enforcement of anti‑fraud policies. Each scenario illustrates that effective risk appetite must blend quantitative thresholds with qualitative judgment.

For governance professionals, the takeaway is clear: a robust fraud risk appetite should be anchored in measurable, percentage‑based limits tied to revenue streams, while also incorporating cost‑benefit analyses of control mechanisms. Boards and audit committees need dashboards that track shrinkage, fraud incidence, and control spend in real time, enabling swift adjustments when thresholds are breached. By moving beyond blanket “no tolerance” statements toward data‑driven, scalable metrics, organizations can better align fraud mitigation with overall business objectives, protecting both the bottom line and stakeholder trust.
