In internal auditing 3rd edition in chapter 3 it mentions risk appetite and risk tolerance in a broad sense, but never goes into detail on how risk is measured. Is risk measured more towards financial impact or some other form of impact, or does it vary on business to business?