Risk appetite can be defined as the amount and type of risk that an organization is willing to
take in order to meet its strategic objectives. Organizations will have different risk appetites
depending on their sector, culture and objectives. A range of appetites exists for different risks,
and these may change over time.


A well-developed risk appetite statement and process can:

• Help a company better manage and understand its risk exposure.

• Help management make informed risk-based decisions.

• Help management allocate resources and understand risk/benefit trade-offs.

• Help improve transparency for investors, stakeholders, regulators and credit rating

Risk appetites are unique to each organization because they are based on the
specific strategies and attributes that influence that organization's behavior. A risk appetite
statement should communicate the following:

1. Corporate Values: What risks is the organization unwilling to take and what risks
should be avoided?

2. Strategy: What risks are inherent to the strategy?

3. Stakeholders: How much and what kind of risk can they take on?

4. Capacity: How much risk can the organization absorb?

The board of directors is not the initial creator of a risk appetite statement; drafting it is
ultimately management's responsibility. The directors approve the statement and confirm that the
appetite is in line with the organization's strategy and with stakeholders' perspectives of the
company. Management must first understand the company's strategy, goals, risk-taking
experience, risk culture and its stakeholders' perspectives. Once management understands
the corporate values and risk-taking culture, it can begin the risk
appetite process. In developing a risk appetite, management must analyze the following:

• Risk profile: What are the top risks of the organization and the controls to mitigate those

• Risk capacity: How much risk can the organization absorb?

• Qualitative risk assessment: What is the ranking and categorization of the company's
risks, taking into account controls and risk/reward relationships?

• Quantitative risk analysis: What types of analysis establish boundaries within which
management can operate? For example, there could be a limit on the amount of debt
issued to one company, or the organization may decide to grant credit only to organizations
with a certain credit rating.

After analysis of the above, management should be able to articulate the company's risk
appetite in writing. The statement should guide company behavior and strategic
decision-making. It should start at the top of the company and flow down to all
levels. In addition to the overarching risk appetite statement, there should be more
granular tolerance levels for specific risks. These risk tolerance boundaries help lower-level
managers seize opportunities and avoid unnecessary risks. Finally,
formal training should be conducted so that decision-makers fully understand the
company's risk appetite.

The board is primarily responsible for overseeing the initial risk appetite development
process and for monitoring the organization to determine whether any changes should be
made to the risk appetite. Boards can monitor risk appetite by having management
report to the board whenever a risk tolerance level has been exceeded. The board should then
determine whether the risk tolerance was too low and needs to be changed (this could be
because of changes in the business environment, a new strategic initiative, or because it was too
low to begin with). The board should also determine whether risk tolerance levels are
not being reached at all. This could mean that managers are not taking enough risk to
maximize shareholder value. To conclude, the board should determine whether the
organization has the following:

1. Is there a risk assessment process, and are the risks it identifies in line with the
organization's strategy?

2. Are this risk profile and assessment being updated frequently?

3. Does the company have the capacity to deal with the risks identified today and the
risks that are likely to affect future strategic initiatives?

4. Are the organization's risk appetite and tolerance levels being continually evaluated
for accuracy and relevance?

5. Are changes being communicated to the organization and key stakeholders?

Risk Appetite vs. Risk Tolerance

A risk appetite statement is a higher level statement that considers broadly the levels of risks that
management deems acceptable, while risk tolerances are narrower and set the acceptable level of
variation around objectives. A risk appetite statement example would be a company that says it
does not accept risks that could result in a significant loss of its revenue base. When the same
company says that it does not wish to accept risks that would cause revenue from its top 10
customers to decline by more than 10%, it is expressing risk tolerance. Awareness of residual risk
and operating within risk tolerances provides management greater assurance that the company
remains within its risk appetite. This reassurance, in turn, provides a higher degree of comfort that
the company will achieve its strategic objectives.

What is Residual Risk?

When crafting a best practice risk tolerance definition, it’s important to keep in mind that
tolerances should be specific to an individual company’s goals and require actionable parameters.
One way to measure this range is by monitoring residual risk.

Residual risk can be defined as the threat a risk poses after considering the current mitigation
activities in place to address it, and can be an important metric for assessing overall risk appetite.

A tolerance range with minimum and maximum levels of residual risk is typically set by the
committee responsible for risk management oversight and accepted by the board of directors. In
practice this means taking a risk's impact on the organization times its likelihood of occurring
(the inherent risk) and reducing it by the effectiveness of the current mitigation activities; if the
result falls outside the level deemed acceptable, the risk is out of tolerance. Business process
owners must then adjust mitigation activities, procedures or controls in order to bring the
residual risk back within the defined tolerance. Note that a residual risk below the minimum is
also a finding: it may mean controls are over-engineered or that not enough risk is being taken.

Setting enterprise risk tolerances is a calibration exercise, meaning you need to collect a number of
risk assessments for areas already known to have high and low risk. This provides an opportunity to
compare the computed residual risk against measurements of known acceptability and to adjust the
band when the two disagree.
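The following is an added worked example, not code from the original page, showing how the residual-risk calculation, the minimum/maximum tolerance band and the calibration exercise described above fit together, and how the resulting status feeds the board reporting (exceeded versus not reached) discussed earlier. The 1 to 5 impact and likelihood scales, the control-effectiveness fraction, the tolerance band and every register entry are constructed and assumed purely for illustration.

```python
"""Residual-risk tolerance check for a risk register (added example).

Assumed scales: impact and likelihood 1..5, control effectiveness 0.0..1.0.
Residual risk = impact x likelihood x (1 - control effectiveness), i.e. the
share of inherent risk that the current controls do not remove.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                    # business process owner accountable for mitigation
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int               # 1 (rare) .. 5 (almost certain); assumed scale
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully mitigated)

    def __post_init__(self):
        # Reject assessments outside the agreed scales instead of silently scoring them.
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: impact and likelihood must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")


@dataclass(frozen=True)
class Tolerance:
    """Acceptable band of residual risk, set by the risk committee."""
    minimum: float  # below this the owner may be taking too little risk
    maximum: float  # above this the risk is out of tolerance and must be escalated


def inherent_risk(r: Risk) -> float:
    """Risk before controls: impact x likelihood."""
    return float(r.impact * r.likelihood)


def residual_risk(r: Risk) -> float:
    """Risk after controls: inherent risk reduced by control effectiveness."""
    return round(inherent_risk(r) * (1.0 - r.control_effectiveness), 6)


def evaluate(r: Risk, tol: Tolerance) -> str:
    """Classify one risk against the band as ABOVE, WITHIN or BELOW tolerance."""
    rr = residual_risk(r)
    if rr > tol.maximum:
        return "ABOVE"
    if rr < tol.minimum:
        return "BELOW"
    return "WITHIN"


def board_report(register, tol):
    """Group the register by status. ABOVE entries are what management reports to
    the board; BELOW entries prompt the question of whether enough risk is taken."""
    report = {"ABOVE": [], "WITHIN": [], "BELOW": []}
    for r in register:
        report[evaluate(r, tol)].append(r.name)
    return report


def calibrate(reference, tol):
    """Check a tolerance band against assessments of areas whose acceptability is
    already known. Returns the names whose computed status contradicts the known
    rating; any result means the band (or the assessment) needs adjusting."""
    mismatches = []
    for r, known in reference:
        status = evaluate(r, tol)
        if known == "unacceptable" and status != "ABOVE":
            mismatches.append(r.name)
        elif known == "acceptable" and status == "ABOVE":
            mismatches.append(r.name)
    return mismatches


# Constructed tolerance band and register (illustrative values only).
TOLERANCE = Tolerance(minimum=2.5, maximum=10.0)

REGISTER = [
    Risk("Revenue concentration in top-10 customers", "Sales", 5, 3, 0.2),   # 15 * 0.8 = 12.0
    Risk("Payroll system outage", "HR Ops", 4, 2, 0.75),                     # 8 * 0.25 = 2.0
    Risk("Credit exposure to a single counterparty", "Treasury", 4, 4, 0.5), # 16 * 0.5 = 8.0
    Risk("Office supply price increase", "Facilities", 1, 3, 0.0),           # 3 * 1.0 = 3.0
]

# Constructed calibration set: areas whose acceptability is already agreed.
REFERENCE = [
    (Risk("Ransomware on core ERP", "IT", 5, 4, 0.3), "unacceptable"),            # 14.0, ABOVE
    (Risk("Outdated brand guidelines", "Marketing", 1, 2, 0.5), "acceptable"),     # 1.0, BELOW
    (Risk("Unpatched internet-facing server", "IT", 4, 3, 0.3), "unacceptable"),  # 8.4, WITHIN
]

if __name__ == "__main__":
    for status, names in board_report(REGISTER, TOLERANCE).items():
        print(status, names)
    # The unpatched server is known to be unacceptable but scores WITHIN the band,
    # so either the maximum of 10.0 is too generous or the assessment under-rates it.
    print("calibration mismatches:", calibrate(REFERENCE, TOLERANCE))
```

Running the script lists the customer-concentration risk as the only item above tolerance, flags the payroll outage as below the minimum (controls may be over-engineered for the exposure), and reports one calibration mismatch, which is exactly the signal the committee needs before accepting the band.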

Translating Risk Appetite and Tolerance Statements into Reality

An organization-wide risk appetite statement can be a powerful tool that gives your risk or
compliance program direction. However, like any policy, risk appetite without accompanying action
is nothing more than an idea. With standardized risk assessment templates and intuitive risk
dashboards, risk managers can collect the information necessary to implement appropriate
tolerances at both an enterprise level and for individual business processes.

Every day, front-line managers are making operational decisions about risk, far from an
organization's risk appetite policies. The front line is where income is generated, where employees
interact with customers, and where emerging liabilities are first visible.

