The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.
I joke about what GRC means. Apart from the IIA (who talk about governance, risk, and controls), everybody knows that the acronym stands for Governance, Risk Management (or ERM), and Compliance.
Not-for-profits and internal controls often have an uneasy relationship. Many not-for-profits, especially the smaller ones, lack the resources to implement robust internal controls. Yet internal controls are as critical in not-for-profits as in for-profit entities. In some respects, internal control failures can be more catastrophic for not-for-profits, because the public, regulators, and others often hold them to a higher standard.