Risk Appetite Statement

Risk Appetite Statement: A Practical Guide to Defining How Much Risk an Organisation Is Willing to Accept

A risk appetite statement is a governance and risk management document that explains how much risk an organisation is willing to accept, tolerate or avoid in pursuit of its objectives.

At its simplest, a risk appetite statement asks:

How much risk are we prepared to take, in which areas, for what purpose, and where are the limits?

That makes it useful for business planning, charity governance, public sector accountability, project management, financial control, property development, cyber security, health and safety, internal audit, board reporting and strategic decision-making.

The Institute of Risk Management defines risk appetite as “the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives”. It also notes that organisations will have different appetites depending on their sector, culture and objectives, and that appetite may change over time.

Used properly, a risk appetite statement helps organisations make clearer, more consistent decisions. It does not remove risk. It helps leaders, managers, trustees and boards decide which risks are acceptable, which need tighter control, and which should not be taken.

What is a risk appetite statement?

A risk appetite statement is a written explanation of the level and type of risk an organisation is prepared to accept.

It usually covers areas such as:

  1. Strategic risk
  2. Financial risk
  3. Operational risk
  4. Legal and compliance risk
  5. Reputational risk
  6. Health and safety risk
  7. Safeguarding risk
  8. Cyber and data risk
  9. People and culture risk
  10. Project risk
  11. Environmental risk
  12. Governance risk

A good risk appetite statement should explain:

  1. The organisation’s overall approach to risk
  2. The level of risk acceptable in different areas
  3. The risks that must be avoided
  4. The risks that may be accepted for strategic benefit
  5. The limits that should trigger escalation
  6. Who is responsible for monitoring risk appetite
  7. How risk appetite links to the risk register
  8. How often the statement should be reviewed

The purpose is not to create a complicated policy. The purpose is to guide decisions.

For example, an organisation might be willing to take a higher level of risk when developing a new product, entering a new market or piloting a new service.

The same organisation might have very low appetite for risks involving fraud, safeguarding, health and safety, legal compliance, data breaches or serious reputational damage.

That distinction matters.

Without a risk appetite statement, decisions may be inconsistent. One manager may be cautious. Another may be bold. One project may accept risks that another would reject. Trustees or directors may only realise the organisation has taken too much risk after something has gone wrong.

Risk appetite, risk tolerance and risk capacity

Risk appetite is often confused with risk tolerance and risk capacity.

They are related, but they are not the same.

Risk appetite

Risk appetite is the amount and type of risk the organisation is willing to take in pursuit of its objectives.

It is a strategic judgement.

For example:

The organisation has an open appetite for carefully selected innovation projects, provided financial exposure is limited and service quality is protected.

Risk tolerance

Risk tolerance is the acceptable variation around objectives, limits or performance.

It is often more specific than appetite.

For example:

The organisation will tolerate a project overspend of up to 5% before formal escalation is required.

The organisation will tolerate debtor days up to 45 days, but anything above that requires management action.

Risk tolerance helps turn broad appetite into practical limits.

Risk capacity

Risk capacity is the maximum amount of risk the organisation can actually bear.

This may be constrained by:

  1. Cash reserves
  2. Borrowing capacity
  3. Insurance cover
  4. Regulatory requirements
  5. Staff capacity
  6. Legal duties
  7. Reputation
  8. Systems
  9. Governance
  10. Market position

For example, a charity may have some appetite for funding risk, but its capacity may be limited by reserves. A property business may have appetite for development risk, but capacity may be limited by funding, planning exposure and cash flow.

A strong risk appetite statement should not describe what the organisation would like to risk. It should reflect what the organisation can responsibly afford to risk.

History and development of risk appetite statements

Risk appetite developed as part of wider enterprise risk management, governance and internal control practice.

As organisations became more complex, boards and leadership teams needed a way to connect risk-taking with strategic objectives. It was not enough to identify risks in a register. Organisations also needed to decide whether those risks were acceptable.

The Institute of Risk Management has described risk appetite as a core consideration in enterprise risk management, noting that organisations are increasingly expected by stakeholders to express clearly the extent of their willingness to take risk in order to meet strategic objectives.

In the public sector, HM Treasury’s Orange Book provides risk management principles and concepts for government organisations, and its supporting Risk Appetite Guidance Note helps organisations apply risk appetite in practice. The guidance recognises that it is not always possible to manage all risks to the most desirable level, but risk appetite helps organisations manage risks to a tolerable level.

Risk appetite has also become important in corporate governance, financial services, charities, healthcare, public bodies and regulated sectors. In these settings, stakeholders expect boards and management teams to show that risks are not only identified, but also understood, controlled and taken deliberately.

The development of COSO’s enterprise risk management framework also helped place risk appetite within wider strategy and performance thinking. COSO has described risk appetite as being linked to strategy, objectives and the amount of risk an organisation is willing and needs to take to succeed.

In simple terms, risk appetite statements developed because organisations need to answer a basic governance question:

Are we taking the right amount of risk for the objectives we are trying to achieve?

Why risk appetite statements matter

Risk appetite statements matter because risk-taking is unavoidable.

Every organisation takes risk when it:

  1. Hires staff
  2. Serves customers
  3. Holds data
  4. Enters contracts
  5. Spends money
  6. Delivers services
  7. Launches projects
  8. Uses suppliers
  9. Borrows funds
  10. Invests in assets
  11. Adopts technology
  12. Works with vulnerable people
  13. Enters new markets
  14. Changes systems
  15. Makes strategic decisions

The issue is not whether risk exists.

The issue is whether risk is understood, deliberate, proportionate and aligned with objectives.

A risk appetite statement helps organisations:

  1. Make more consistent decisions
  2. Align risk-taking with strategy
  3. Clarify board or trustee expectations
  4. Improve risk reporting
  5. Strengthen governance
  6. Guide escalation
  7. Avoid excessive caution
  8. Avoid reckless risk-taking
  9. Improve internal controls
  10. Support internal audit
  11. Improve project approval
  12. Strengthen accountability
  13. Improve communication between board and management
  14. Help staff understand acceptable boundaries
  15. Link risk management to real decisions

It also helps avoid two common extremes.

The first extreme is excessive caution. The organisation avoids all risk, misses opportunities, becomes slow, and fails to innovate.

The second extreme is unmanaged risk-taking. The organisation accepts exposure without understanding consequences, limits or controls.

A good risk appetite statement sits between those extremes. It helps the organisation take the right risks, in the right way, for the right reasons.

Typical risk appetite levels

Many organisations use descriptive appetite levels.

The wording varies, but a practical scale might include:

1. Averse

The organisation seeks to avoid risk wherever possible.

This is suitable for areas where failure would be unacceptable.

Examples include:

  1. Safeguarding
  2. Serious health and safety risks
  3. Fraud
  4. Bribery
  5. Legal non-compliance
  6. Serious data misuse
  7. Abuse of vulnerable people
  8. Deliberate misreporting
  9. Unauthorised financial activity
  10. Regulatory breach

An averse appetite does not mean there is no risk. It means the organisation is not willing to knowingly accept avoidable risk in that area.

2. Minimal

The organisation accepts only very limited risk.

This is suitable where some risk is unavoidable, but tight controls are expected.

Examples include:

  1. Payroll accuracy
  2. Statutory filings
  3. Tax compliance
  4. Data protection
  5. Financial approvals
  6. Insurance compliance
  7. Contract execution
  8. Safeguarding administration
  9. Health and safety procedures
  10. Regulated activity

A minimal appetite means mistakes should be rare, controls should be strong, and exceptions should be escalated.

3. Cautious

The organisation is willing to accept limited and carefully controlled risk.

This is suitable where moderate risk may be necessary, but only with evidence, approval and controls.

Examples include:

  1. New supplier appointments
  2. Smaller projects
  3. Operational changes
  4. Modest service changes
  5. Low-value investments
  6. Process redesign
  7. Minor system changes
  8. Recruitment decisions
  9. Contract renewals
  10. Local marketing campaigns

A cautious appetite means risk can be accepted, but not casually.

4. Open

The organisation is willing to take measured risk where there is a clear benefit.

This is suitable for areas where opportunity matters and the organisation has capacity to manage downside.

Examples include:

  1. Business development
  2. Service innovation
  3. New product testing
  4. Digital improvement
  5. Partnership development
  6. New markets
  7. Fundraising campaigns
  8. Property improvement
  9. Process automation
  10. Strategic pilots

An open appetite means the organisation is prepared to take risk, but expects proper assessment, controls and review.

5. Hungry

The organisation is prepared to accept significant risk for potentially significant benefit.

This is usually appropriate only in selected areas and with strong governance.

Examples include:

  1. Major strategic growth
  2. High-potential investment
  3. Transformational change
  4. Entering a new market
  5. Acquiring a business
  6. Major development project
  7. Large innovation programme
  8. Significant restructuring
  9. New technology-led business model
  10. Major capital project

A hungry appetite does not mean reckless behaviour. It means the organisation is prepared to accept higher exposure because the potential reward or strategic importance justifies it.

Common risk categories in a risk appetite statement

Strategic risk

Strategic risk relates to the organisation’s direction, choices and long-term objectives.

Examples include:

  1. Entering a new market
  2. Launching a new service
  3. Changing business model
  4. Making acquisitions
  5. Investing in growth
  6. Closing services
  7. Changing strategic focus
  8. Repositioning the organisation
  9. Taking on major projects
  10. Building partnerships

Many organisations have a moderate or open appetite for strategic risk because progress requires change.

However, strategic risk should be deliberate. It should be based on evidence, options appraisal and board approval.

Financial risk

Financial risk relates to income, cash, borrowing, costs, reserves, margins and financial sustainability.

Examples include:

  1. Cash flow pressure
  2. Borrowing exposure
  3. Over-reliance on one funder or customer
  4. Cost inflation
  5. Poor debt collection
  6. Budget overspend
  7. Investment loss
  8. Weak reserves
  9. Unfunded commitments
  10. Fraud or error

Risk appetite for financial risk depends heavily on reserves, cash flow, funding certainty and governance.

A startup may accept more financial risk than a charity with vulnerable beneficiaries. A property developer may accept controlled borrowing risk. A professional firm may have low appetite for uncontrolled work in progress and poor cash collection.

Operational risk

Operational risk relates to day-to-day delivery.

Examples include:

  1. Process failure
  2. Supplier failure
  3. Service delays
  4. Quality problems
  5. System downtime
  6. Staff capacity
  7. Poor handovers
  8. Production disruption
  9. Customer service failures
  10. Inadequate procedures

Most organisations accept some operational risk, but expect it to be controlled.

The risk appetite may be cautious where service quality, customer trust or statutory duties are involved.

Legal and compliance risk

Legal and compliance risk relates to laws, regulations, contracts, professional standards and formal obligations.

Examples include:

  1. Tax non-compliance
  2. Employment law breach
  3. Data protection failure
  4. Health and safety breach
  5. Contract breach
  6. Regulatory non-compliance
  7. Planning condition failure
  8. Charity law breach
  9. Professional standards failure
  10. Procurement breach

Most organisations should have low or minimal appetite for deliberate legal or regulatory non-compliance.

That does not mean errors never happen. It means the organisation expects strong controls, prompt correction and clear escalation.

Reputational risk

Reputational risk relates to loss of trust, credibility or public confidence.

Examples include:

  1. Poor customer treatment
  2. Public complaint
  3. Negative media attention
  4. Poor service quality
  5. Ethical failure
  6. Safeguarding concern
  7. Misleading communication
  8. Environmental damage
  9. Governance failure
  10. Social media criticism

Risk appetite for reputation is often low, but not always zero.

Some organisations may accept reputational challenge when making difficult but necessary decisions. For example, a charity may restructure to protect long-term sustainability. A council may implement an unpopular but lawful policy. A business may withdraw an unprofitable product.

The key is whether the organisation is acting ethically, transparently and consistently with its objectives.

Cyber and data risk

Cyber and data risk relates to information security, systems, privacy, data accuracy and resilience.

Examples include:

  1. Data breach
  2. Ransomware
  3. System outage
  4. Unauthorised access
  5. Poor backup recovery
  6. Phishing
  7. Weak passwords
  8. Data loss
  9. Supplier platform failure
  10. Inaccurate reporting data

Most organisations should have low appetite for avoidable cyber and data control weaknesses.

However, digital innovation may involve some controlled technology risk. The appetite should distinguish between innovation risk and poor basic security.

People and culture risk

People and culture risk relates to staff, leadership, conduct, capacity, wellbeing and organisational behaviour.

Examples include:

  1. Staff turnover
  2. Skills gaps
  3. Poor culture
  4. Bullying or harassment
  5. Weak training
  6. Low morale
  7. Key person dependency
  8. Poor supervision
  9. Burnout
  10. Recruitment failure

Organisations may accept some risk around change and growth, but should have low appetite for conduct failures, unsafe working conditions or cultures that undermine trust.

Health and safety risk

Health and safety risk relates to harm to staff, customers, contractors, visitors, tenants, service users or the public.

Examples include:

  1. Unsafe premises
  2. Poor risk assessments
  3. Machinery injury
  4. Fire risk
  5. Lone working
  6. Site accidents
  7. Manual handling
  8. Unsafe contractors
  9. Poor training
  10. Failure to report incidents

Most organisations should have very low appetite for uncontrolled health and safety risk.

Some activities are inherently risky, especially in construction, manufacturing, care and property. The appetite should focus on whether those risks are properly assessed, controlled and supervised.

Safeguarding risk

Safeguarding risk relates to protecting children, vulnerable adults and people at risk of harm.

Examples include:

  1. Failure to escalate concern
  2. Inadequate recruitment checks
  3. Poor supervision
  4. Weak case records
  5. Unclear safeguarding policy
  6. Training gaps
  7. Poor information sharing
  8. Failure to act on concerns
  9. Inadequate trustee oversight
  10. Unsafe volunteer practices

Organisations working with vulnerable people should have very low or averse appetite for safeguarding failure.

This should be clearly stated.

Project risk

Project risk relates to delivery of change, investment, construction, systems or transformation.

Examples include:

  1. Cost overrun
  2. Delay
  3. Scope creep
  4. Poor governance
  5. Supplier failure
  6. Weak business case
  7. Poor benefits tracking
  8. Unrealistic assumptions
  9. Stakeholder resistance
  10. Poor change control

Risk appetite for project risk may vary.

A small internal improvement project may justify a cautious appetite. A major development or transformation project may require accepting more risk, but only with strong governance, reporting and approval.

Risk appetite statements in different industries

SMEs and owner-managed businesses

For SMEs, a risk appetite statement should be simple and practical.

A small business may not need a long board-approved document. But it still benefits from clear boundaries.

An SME might say:

  1. We have low appetite for risks that threaten cash flow.
  2. We have minimal appetite for tax, payroll and legal compliance failures.
  3. We have cautious appetite for taking on large new customers where delivery capacity is uncertain.
  4. We have open appetite for new services where pilot costs are limited.
  5. We have low appetite for cyber risk where customer or financial data is involved.
  6. We have no appetite for fraud or deliberate misreporting.

For SMEs, risk appetite should guide decisions such as:

  1. Should we accept this large customer contract?
  2. Should we extend credit?
  3. Should we borrow to invest?
  4. Should we launch a new service?
  5. Should we rely on one supplier?
  6. Should we hire ahead of demand?
  7. Should we change software?
  8. Should we accept a low-margin project?

The value is in helping the owner or management team make consistent decisions.

Manufacturing

Manufacturing businesses need risk appetite statements that reflect safety, quality, supply chain, production and customer delivery.

A manufacturer might have:

  1. Averse appetite for serious health and safety failures.
  2. Minimal appetite for product quality failures affecting customers.
  3. Cautious appetite for supplier concentration.
  4. Open appetite for investment in automation.
  5. Cautious appetite for stock holding risk.
  6. Minimal appetite for environmental compliance failure.
  7. Open appetite for product development where testing controls are strong.

For manufacturing, appetite should link to:

  1. Health and safety
  2. Quality control
  3. Maintenance
  4. Supplier risk
  5. Stock levels
  6. Customer concentration
  7. Product development
  8. Capital investment
  9. Environmental compliance
  10. Production resilience

Retail and ecommerce

Retail and ecommerce businesses need to balance growth, margin, customer trust, stock risk and technology.

A retailer might have:

  1. Open appetite for testing new product categories.
  2. Cautious appetite for stock investment where demand is unproven.
  3. Minimal appetite for payment security failures.
  4. Low appetite for misleading product descriptions.
  5. Cautious appetite for discounting that weakens margin.
  6. Low appetite for website outage during peak periods.
  7. Open appetite for marketing experiments within budget limits.

For ecommerce, risk appetite should consider customer acquisition cost, platform dependency, return rates, reviews, payment systems, data protection and fulfilment reliability.

Professional services

Professional services firms need strong appetite statements around quality, deadlines, client acceptance, confidentiality and professional standards.

A firm might have:

  1. Minimal appetite for missed statutory deadlines.
  2. Averse appetite for breaches of client confidentiality.
  3. Minimal appetite for professional negligence risk.
  4. Cautious appetite for fixed-fee work where scope is uncertain.
  5. Open appetite for developing advisory services.
  6. Low appetite for accepting clients that present a high integrity or payment risk.
  7. Cautious appetite for technology adoption where client data is involved.

For accountants, solicitors, consultants, architects and advisers, risk appetite should guide client acceptance, pricing, engagement terms, quality review, file management and professional indemnity exposure.

Charities and voluntary organisations

Charities need risk appetite statements that reflect mission, beneficiaries, funding, safeguarding, reputation and reserves.

A charity might have:

  1. Averse appetite for safeguarding failure.
  2. Minimal appetite for misuse of restricted funds.
  3. Low appetite for weak financial controls.
  4. Cautious appetite for using reserves to fund short-term deficits.
  5. Open appetite for new service pilots where impact is strong and downside is managed.
  6. Cautious appetite for reliance on a single funder.
  7. Low appetite for reputational risk affecting public trust.

For charities, risk appetite should be approved and understood by trustees. It should link to reserves policy, funding strategy, safeguarding, service delivery and governance.

Public sector and local government

Public bodies need risk appetite statements that reflect statutory duties, public value, finance, service users, democratic accountability and legal obligations.

A public body might have:

  1. Averse appetite for failure to meet statutory duties.
  2. Minimal appetite for fraud or misuse of public funds.
  3. Low appetite for legal non-compliance.
  4. Open appetite for innovation that improves resident outcomes.
  5. Cautious appetite for digital transformation where inclusion risks exist.
  6. Minimal appetite for safeguarding failure.
  7. Cautious appetite for budget risk where savings plans are uncertain.

Public sector risk appetite should help officers and members understand where innovation is encouraged and where tight control is required.

Property and construction

Property and construction organisations face risk around planning, funding, contractors, safety, tenants, utilities, market demand and cost.

A property business might have:

  1. Averse appetite for serious health and safety failures.
  2. Minimal appetite for uninsured property risks.
  3. Cautious appetite for speculative development.
  4. Open appetite for regeneration projects where planning and funding risks are managed.
  5. Low appetite for uncontrolled contractor risk.
  6. Cautious appetite for tenant concentration.
  7. Minimal appetite for legal title or lease documentation weaknesses.

For construction projects, appetite should link to cost contingency, programme delay, contractor procurement, health and safety, planning risk and funding exposure.

Technology and software

Technology businesses need appetite statements that balance innovation with security, reliability and customer trust.

A software business might have:

  1. Open appetite for product experimentation.
  2. Cautious appetite for early-stage feature launches.
  3. Minimal appetite for data breach.
  4. Low appetite for untested changes to critical systems.
  5. Cautious appetite for technical debt.
  6. Open appetite for AI adoption where governance is in place.
  7. Minimal appetite for weak access controls.

For technology businesses, appetite should distinguish between acceptable innovation risk and unacceptable security or customer harm.

Healthcare and social care

Healthcare and care organisations need risk appetite statements that prioritise safety, dignity, safeguarding, quality and regulatory compliance.

A care provider might have:

  1. Averse appetite for safeguarding failure.
  2. Minimal appetite for medication errors.
  3. Minimal appetite for poor care record keeping.
  4. Low appetite for unsafe staffing levels.
  5. Open appetite for service improvement where safety is protected.
  6. Cautious appetite for digital care tools where staff and service users are supported.
  7. Minimal appetite for regulatory non-compliance.

In this sector, risk appetite should never encourage unsafe shortcuts. It should support safe, person-centred and properly governed care.

Education and training

Education providers need appetite statements that cover safeguarding, learner outcomes, funding compliance, quality and innovation.

An education provider might have:

  1. Averse appetite for safeguarding failure.
  2. Minimal appetite for inaccurate funding claims.
  3. Low appetite for poor learner records.
  4. Open appetite for new course development where employer demand is evidenced.
  5. Cautious appetite for digital delivery where learner access varies.
  6. Minimal appetite for assessment quality failures.
  7. Low appetite for poor attendance monitoring.

For education, risk appetite should link to learner outcomes, inspection readiness, funding rules, safeguarding and employer engagement.

How to create a risk appetite statement properly

1. Start with objectives

Risk appetite should be linked to objectives.

Before writing the statement, ask:

  1. What are we trying to achieve?
  2. What strategic priorities matter most?
  3. What must be protected?
  4. What opportunities are we pursuing?
  5. What risks are unavoidable?
  6. What risks could damage the organisation?
  7. What risks could we accept for the right benefit?

A risk appetite statement that is not linked to objectives becomes abstract.

2. Understand current risk exposure

Review the current risk position.

Use:

  1. Risk register
  2. Risk matrix
  3. Internal audit reports
  4. External audit findings
  5. Issue logs
  6. Assumptions logs
  7. Business continuity review
  8. Incident reports
  9. Financial forecasts
  10. Board papers
  11. Customer complaints
  12. Staff feedback
  13. Compliance reports
  14. Project reports
  15. Insurance information

The statement should reflect real risk exposure, not just what the organisation wishes were true.

3. Identify risk categories

Group risks into useful categories.

Typical categories include:

  1. Strategic
  2. Financial
  3. Operational
  4. Legal and compliance
  5. Reputational
  6. People and culture
  7. Cyber and data
  8. Health and safety
  9. Safeguarding
  10. Environmental
  11. Project
  12. Governance

Categories allow different appetite levels for different areas.

This is important because an organisation rarely has one appetite for all risks.

4. Agree appetite levels

Choose a simple scale.

For example:

  1. Averse
  2. Minimal
  3. Cautious
  4. Open
  5. Hungry

Define what each level means.

Do not assume everyone understands the words in the same way.

For example:

Cautious might mean the organisation is willing to accept limited risk where benefits are clear, controls are in place, and exposure remains within agreed limits.

5. Apply appetite to each category

For each risk category, decide the appetite level.

For example:

Risk category            | Appetite level | Summary
-------------------------|----------------|----------------------------------------------------------------
Safeguarding             | Averse         | No appetite for avoidable safeguarding failures
Legal compliance         | Minimal        | Strong controls and prompt escalation expected
Innovation               | Open           | Willing to test new ideas where costs and impacts are controlled
Financial sustainability | Cautious       | Some risk accepted, but reserves and cash limits must be protected
Cyber and data           | Minimal        | Low tolerance for preventable data or access failures

This makes the statement practical.

6. Define tolerances and triggers

Broad appetite statements need practical limits.

Examples include:

  1. Maximum acceptable project overspend
  2. Minimum cash reserve level
  3. Maximum debtor days
  4. Maximum customer concentration
  5. Minimum staffing level
  6. Maximum system downtime
  7. Maximum data recovery time
  8. Maximum unresolved high-risk audit actions
  9. Minimum safeguarding training completion
  10. Maximum supplier dependency
  11. Maximum delay before escalation
  12. Minimum insurance cover

These are the points that tell management when action or escalation is required.

7. Link to governance and escalation

The statement should explain what happens when risk moves outside appetite.

For example:

  1. Management review required
  2. Board or trustee notification required
  3. Audit committee review required
  4. Risk register update required
  5. Mitigation plan required
  6. Project pause required
  7. Further approval required
  8. External advice required
  9. Internal audit review required
  10. Incident report required

Risk appetite is only useful if it changes behaviour.

8. Align with policies and controls

The risk appetite statement should connect to existing policies and controls.

For example:

  1. Financial regulations
  2. Delegated authority limits
  3. Procurement policy
  4. Safeguarding policy
  5. Health and safety policy
  6. Data protection policy
  7. Cyber security policy
  8. Reserves policy
  9. Investment policy
  10. Business continuity plan
  11. Project management framework
  12. Internal audit plan

If the appetite statement says the organisation has minimal appetite for cyber risk, then cyber controls must be strong enough to support that position.

9. Approve at the right level

Risk appetite should usually be approved by the board, trustees or senior governing body.

This matters because risk appetite is a governance judgement, not just a management preference.

The board or trustees should challenge:

  1. Is the appetite realistic?
  2. Is it aligned with strategy?
  3. Is it consistent with values?
  4. Is it supported by controls?
  5. Is it affordable?
  6. Is it understood by management?
  7. Are escalation points clear?
  8. Are reporting arrangements adequate?

10. Review regularly

Risk appetite changes.

It may change because of:

  1. Financial position
  2. Market conditions
  3. Regulation
  4. Service demand
  5. Political environment
  6. Funding certainty
  7. Staff capacity
  8. Technology
  9. Recent incidents
  10. Audit findings
  11. Strategic change
  12. Economic conditions

COSO notes that risk appetite must be flexible enough to adapt to changing conditions.

A risk appetite statement should normally be reviewed at least annually, and sooner after major changes or incidents.

Common mistakes in risk appetite statements

Mistake 1: Using vague language

Statements such as “we have low appetite for risk” are not enough.

Low appetite for what?

Financial risk? Safeguarding risk? Innovation risk? Reputation risk? Cyber risk?

The statement should be specific.

Mistake 2: Having one appetite for everything

Organisations rarely have one risk appetite.

They may be open to innovation but averse to safeguarding failure. They may accept commercial risk but not legal non-compliance.

Different categories need different appetites.

Mistake 3: Not linking appetite to strategy

Risk appetite should support objectives.

If the organisation wants growth but has a very cautious appetite for all risk, there is a mismatch.

If the organisation wants stability but accepts high financial exposure, there is also a mismatch.

Mistake 4: Not defining tolerance limits

Risk appetite needs practical boundaries.

Without limits, people may not know when risk is outside appetite.

Mistake 5: Ignoring risk capacity

An organisation may want to take risk, but may not have the capacity.

Cash, reserves, people, systems, reputation, insurance and governance all matter.

Mistake 6: Not involving the board or trustees

Risk appetite is a governance matter.

It should not be written by one manager in isolation.

Mistake 7: Not communicating it

A risk appetite statement that only sits in board papers has limited value.

Managers and staff need to understand how it affects decisions.

Mistake 8: Not linking it to the risk register

The risk register should show whether risks are within or outside appetite.

If the two documents are not connected, appetite does not influence risk management.

Mistake 9: Setting appetite too low

If appetite is too low across everything, the organisation may become risk-averse and slow.

That can stop innovation, growth and improvement.

Mistake 10: Setting appetite too high

If appetite is too high, the organisation may take risks it cannot control or afford.

This can damage finances, people, reputation and governance.

Limitations and weaknesses of risk appetite statements

Risk appetite statements are useful, but they have limits.

They can become abstract

If the wording is too general, people may not know how to apply it.

Practical tolerances and examples help.

They can create false confidence

A statement does not control risk by itself.

Controls, reporting, ownership and action are still required.

They depend on judgement

Risk appetite is not a precise science.

It requires informed discussion and challenge.

They can become outdated

An appetite set during a stable period may be unsuitable during crisis, growth, recession or major change.

They may not reflect actual behaviour

An organisation may say it has low appetite for poor controls, but tolerate weak practice in reality.

Internal audit, governance and reporting help test whether behaviour matches the statement.

They can be misunderstood

Some people may think risk appetite means permission to take risk without controls.

Others may think it means avoiding risk entirely.

Communication matters.

They do not replace risk assessment

Risk appetite helps decide whether risk is acceptable.

It does not identify or assess risks by itself.

They do not replace leadership

Boards and leaders still need judgement, challenge and decision-making.

A statement supports decisions. It does not make them automatically.

Risk appetite statement compared with other strategic and management tools

Risk appetite statement and risk register

The risk register records risks, scores, controls, owners and actions.

The risk appetite statement explains whether those risks are acceptable.

Use the risk register to monitor risk exposure.

Use the appetite statement to judge whether exposure is within acceptable limits.

Risk appetite statement and risk matrix

A risk matrix scores likelihood and impact.

Risk appetite helps decide what score is acceptable and what score needs escalation.

For example, a score of 12 may be acceptable for innovation risk but unacceptable for safeguarding risk.

Risk appetite statement and internal audit

Internal audit tests whether controls are working.

Risk appetite helps internal audit focus on areas where weak controls could put the organisation outside appetite.

Internal audit can also test whether actual practice aligns with stated appetite.

Risk appetite statement and business continuity plan

A business continuity plan explains how the organisation will continue during disruption.

Risk appetite helps decide how much disruption is tolerable and how quickly critical activities must recover.

Risk appetite statement and bow-tie analysis

Bow-tie analysis maps causes, consequences and controls.

Risk appetite helps decide whether the preventive and mitigating controls are sufficient.

Risk appetite statement and assumptions log

An assumptions log records what plans depend on.

Risk appetite helps decide which assumptions are too risky to leave untested.

Risk appetite statement and issue log

An issue log records current problems.

If an issue pushes exposure outside appetite, it should be escalated.

Risk appetite statement and OKRs

OKRs define objectives and key results.

Risk appetite helps ensure objectives are pursued within acceptable boundaries.

For example, an OKR to increase sales should not encourage unacceptable credit risk or poor customer treatment.

Risk appetite statement and Balanced Scorecard

The Balanced Scorecard tracks strategic performance.

Risk appetite adds a boundary around performance pursuit.

It helps ensure targets are not achieved by taking unacceptable risks.

Risk appetite statement and Business Model Canvas

The Business Model Canvas describes how an organisation creates, delivers and captures value.

Risk appetite helps assess whether the model’s dependencies, revenue streams, costs, partners and key activities expose the organisation to acceptable levels of risk.

Alternatives and complementary frameworks

Risk register

Use a risk register to record and manage risks.

The appetite statement helps decide which risks need action or escalation.

Risk matrix

Use a risk matrix to assess likelihood and impact.

The appetite statement helps interpret whether the score is acceptable.

Risk tolerance framework

Use tolerance limits to convert appetite into measurable thresholds.

This is useful for finance, operations, projects, cyber and service delivery.

Internal audit

Use internal audit to test whether controls are working and whether the organisation is operating within appetite.

Assurance map

Use an assurance map to show where assurance comes from across different risks and appetite areas.

Delegated authority framework

Use delegated authorities to define who can approve decisions at different levels of risk.

Business continuity plan

Use continuity planning to manage risks where the appetite for disruption is low.

Scenario planning

Use scenario planning to test whether appetite remains suitable under different future conditions.

Board risk reporting

Use board reporting to show whether key risks are within appetite, nearing tolerance limits or outside appetite.

A practical risk appetite statement template

A useful risk appetite statement should include:

  1. Purpose
  2. Scope
  3. Link to strategy
  4. Definitions
  5. Overall risk appetite
  6. Risk categories
  7. Appetite level for each category
  8. Explanation of each appetite level
  9. Tolerance limits
  10. Escalation triggers
  11. Roles and responsibilities
  12. Reporting arrangements
  13. Link to risk register
  14. Link to internal controls
  15. Link to internal audit
  16. Review date
  17. Approval date
  18. Owner
  19. Board or trustee approval
  20. Version control

Example:

Risk category: Financial sustainability

Appetite level: Cautious

Statement: The organisation is willing to accept limited financial risk where it supports strategic objectives, provided cash flow remains within approved forecasts, reserves do not fall below the agreed minimum, and any material variance is escalated promptly.

Tolerance limits:

  1. Reserves must not fall below three months of operating costs without board approval.
  2. Any forecast deficit above £25,000 must be reported to the Finance Committee.
  3. Debtor days above 45 days require management action.
  4. Any unbudgeted expenditure above delegated limits requires approval.

Reporting: Monthly management accounts and quarterly board risk review.
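As an added illustration (not part of the original article) of how the risk matrix comparison described earlier and the tolerance limits in this template can be turned into a board-report check, the Python below scores register entries against category-specific appetite limits and tests management-accounts figures against the financial tolerances. The per-category score limits, the "nearing tolerance" margin, the metric names and the sample figures are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed appetite per category: the highest likelihood x impact score accepted
# without escalation. A score of 12 sits inside appetite for innovation but
# outside it for safeguarding, as the article's matrix comparison describes.
APPETITE_SCORE_LIMIT = {"innovation": 16, "financial": 10, "safeguarding": 6}


@dataclass
class Risk:
    ref: str
    category: str
    likelihood: int  # 1 (rare) to 5 (almost certain)
    impact: int      # 1 (negligible) to 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def appetite_status(risk: Risk, limits=APPETITE_SCORE_LIMIT, nearing=0.8) -> str:
    """Classify a scored risk against the appetite limit for its category."""
    limit = limits[risk.category]
    if risk.score > limit:
        return "outside appetite"
    if risk.score >= nearing * limit:  # within appetite but close to the limit
        return "nearing tolerance"
    return "within appetite"


# The template's financial sustainability tolerances: (metric, breach test, escalation).
FINANCIAL_TOLERANCES = [
    ("reserves_months", lambda v: v < 3, "board approval required"),
    ("forecast_deficit_gbp", lambda v: v > 25_000, "report to Finance Committee"),
    ("debtor_days", lambda v: v > 45, "management action required"),
]


def check_financial_tolerances(metrics: dict) -> list:
    """Return (metric, value, escalation) for each tolerance limit that is breached."""
    return [(name, metrics[name], action)
            for name, breached, action in FINANCIAL_TOLERANCES
            if name in metrics and breached(metrics[name])]


def board_report(risks, metrics) -> list:
    """Lines for the board risk review: appetite status per risk, then breached limits."""
    lines = [f"{r.ref} {r.category} score={r.score}: {appetite_status(r)}" for r in risks]
    lines += [f"{name}={value}: {action}"
              for name, value, action in check_financial_tolerances(metrics)]
    return lines


if __name__ == "__main__":
    # Constructed sample register entries and management-accounts figures
    register = [Risk("R1", "innovation", 3, 4), Risk("R2", "safeguarding", 3, 4),
                Risk("R3", "financial", 3, 3)]
    accounts = {"reserves_months": 2.5, "forecast_deficit_gbp": 30_000, "debtor_days": 40}
    print("\n".join(board_report(register, accounts)))
```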

Example of a risk appetite statement

A simple risk appetite statement might read:

The organisation recognises that risk is unavoidable in delivering its strategy. It is willing to take measured and well-managed risks where they support growth, innovation, service improvement or long-term sustainability. However, it has very low appetite for risks that could cause harm to people, breach legal or regulatory duties, undermine safeguarding, weaken financial control, compromise data security or seriously damage public trust.

Risk-taking must be evidence-based, proportionate and within agreed authority limits. Risks outside appetite must be escalated to senior management, the board or trustees. The risk appetite statement will be reviewed annually and whenever there is a significant change in strategy, financial position, operating environment or risk exposure.

This type of statement gives direction, but it should be supported by category-level appetite and practical tolerance limits.

Questions to ask when developing a risk appetite statement

Strategic questions

  1. What are we trying to achieve?
  2. What risks are necessary to achieve the strategy?
  3. What opportunities require risk-taking?
  4. What risks could threaten our purpose?
  5. Where do we need to be bold?
  6. Where do we need to be cautious?
  7. What risks would we never knowingly accept?
  8. What risks are we already taking?
  9. Does our appetite match our strategy?
  10. Does our appetite match our values?

Financial questions

  1. How much financial risk can we afford?
  2. What level of reserves must be protected?
  3. What cash flow risk is acceptable?
  4. What level of borrowing is acceptable?
  5. What customer or funder concentration is acceptable?
  6. What level of project overspend requires escalation?
  7. What investment risk is acceptable?
  8. What level of bad debt is tolerable?
  9. What financial controls are non-negotiable?
  10. What would threaten financial sustainability?

Operational questions

  1. What level of service disruption is acceptable?
  2. How much process variation can we tolerate?
  3. What quality failures are unacceptable?
  4. Which services must continue at all times?
  5. What supplier dependency is acceptable?
  6. What system downtime is acceptable?
  7. What staffing risk is acceptable?
  8. What operational risks need escalation?
  9. What controls must always operate?
  10. What level of residual risk is acceptable?

Compliance and governance questions

  1. What laws and regulations are critical?
  2. What breaches would be unacceptable?
  3. What level of policy non-compliance is tolerable?
  4. What decisions require board approval?
  5. What authority limits should apply?
  6. What conflicts of interest are unacceptable?
  7. What reporting failures are unacceptable?
  8. What assurance is needed?
  9. What role should internal audit play?
  10. How will the board know appetite is being followed?

People and culture questions

  1. What conduct risks are unacceptable?
  2. What level of staff turnover is tolerable?
  3. What culture do we want?
  4. What behaviours must not be tolerated?
  5. What key person dependencies exist?
  6. What training gaps are unacceptable?
  7. What wellbeing risks require action?
  8. What supervision standards are required?
  9. What people risks need board visibility?
  10. Does the appetite statement support the desired culture?

Cyber and data questions

  1. What data is most sensitive?
  2. What level of data loss is acceptable?
  3. What system downtime is tolerable?
  4. What cyber risks are unacceptable?
  5. What access controls are required?
  6. How often should backups be tested?
  7. What supplier data risks exist?
  8. What incident reporting is required?
  9. What recovery time is acceptable?
  10. What assurance is needed over cyber controls?

Review questions

  1. Is the appetite still appropriate?
  2. Has strategy changed?
  3. Has financial capacity changed?
  4. Have incidents occurred?
  5. Have audit findings identified weaknesses?
  6. Are risks within appetite?
  7. Are tolerances being breached?
  8. Are managers using the statement?
  9. Does reporting show appetite clearly?
  10. What needs to change?

The best way to think about a risk appetite statement

A risk appetite statement is not just a governance document.

It is a decision-making tool.

A good risk appetite statement should be:

  1. Clear
  2. Practical
  3. Specific
  4. Linked to strategy
  5. Approved by the board or trustees
  6. Understood by management
  7. Linked to the risk register
  8. Supported by tolerance limits
  9. Reflected in reporting
  10. Reviewed regularly

A weak risk appetite statement says:

“We have a low appetite for risk.”

A strong risk appetite statement asks:

“Which risks are we willing to take, which risks must we avoid, what limits apply, and when must risk be escalated?”

The key question is not simply:

How much risk do we accept?

The better question is:

How much risk are we willing and able to accept in pursuit of our objectives, and how do we make sure that risk-taking remains controlled, deliberate and aligned with our values?

Conclusion: a risk appetite statement turns risk-taking into a deliberate choice

A risk appetite statement remains useful because every organisation takes risk.

The problem is not risk itself. The problem is unmanaged, inconsistent or misunderstood risk.

Used badly, a risk appetite statement becomes a vague document that sits in a governance folder and has little effect on real decisions.

Used properly, it becomes a practical tool for leadership, governance and accountability. It helps boards, trustees, managers and teams understand where risk is acceptable, where caution is required, where controls must be strong, and where escalation is needed.

The real value is not in writing the statement.

The real value is in using it.

A strong risk appetite statement helps an organisation move from saying, “We are worried about risk,” to asking, “What risks are we prepared to take, what risks are outside our limits, and what decisions need to change as a result?”
