How well defined is your organization’s risk appetite?

Sword GRC Blog

“Risk appetite is often referenced in organizations, without clearly defining what it is” states the Government Finance Function’s ‘Risk Appetite Guidance Note’. Our latest blog post explores the importance of developing and defining risk appetite and the role that it plays in helping organizations to establish a threshold of impacts that leadership is willing to absorb in pursuit of business objectives.

Risk teams are often tasked with helping leadership to gain a better appreciation of emerging or potential risks to inform decision-making. And in uncertain times this is all the more challenging. So how do you ensure that the concept of risk appetite means the same to all stakeholders? How clear are your risk appetite definitions? Are the definitions communicated consistently? And is everyone aligned with them so risk tolerances are understood? With so many questions to consider, it’s worth turning to the experts for insights. 


Why understanding risk appetite matters

In a thought paper authored by PricewaterhouseCoopers (PwC), risk appetite is defined as “the amount of risk an organization is willing to accept in pursuit of strategic objectives.”

Since risk appetite provides the framework from which risk professionals and leadership can make informed management decisions, a well-developed, well-defined risk appetite statement and processes offer many benefits:

  • Helps an organization understand its risk exposure
  • Supports informed, risk-based decision-making
  • Minimizes uncertainty
  • Improves consistency across decision-making and governance
  • Helps with the allocation of resources and budgets
  • Improves understanding of risk vs. benefit trade-offs
  • Helps provide transparency for stakeholders and regulators

According to “Understanding Risk Appetite” published by the Enterprise Risk Management Initiative, Poole College*, “Risk appetites are unique to each and every organization because they are based on specific strategies and attributes that influence organizational behaviors. A risk appetite statement should communicate the following:

  1. Corporate Values: What risks is the organization unwilling to take and what risks should be avoided?
  2. Strategy: What risks are inherent to the strategy?
  3. Stakeholders: How much and what kind of risk can they take on?
  4. Capacity: How much risk can the organization absorb?”


The paper continues, “In developing a risk appetite, management must analyze the following:

  • Risk profile: What are the top risks of the organization and the controls to mitigate those risks?
  • Risk capacity: How much risk can the organization absorb?
  • Qualitative risk assessment: What is the ranking and categorization of the company’s risk, taking into account controls and risk/reward relationships? 
  • Quantitative risk analysis: What types of analysis establish boundaries within which management can operate? For example, there could be a limit on the amount of debt issued to one company or the organization may decide to grant credit to organizations with a certain credit rating.

After analysis of the above, management should be able to articulate the company’s risk appetite in writing.  The statement should guide company behavior and strategic decision-making.  It should start at a high level of the company and flow down to all levels.  In addition to the overarching risk appetite statement, there should be more granular tolerance levels.  These risk tolerance boundaries help lower-level managers seize opportunities and avoid unnecessary risks and are used for specific risks. And finally, formal training should be conducted so that decision-makers fully understand the company’s risk appetite.”


The IOR’s view and practical advice

The Institute of Operational Risk (IOR) concedes that designing and implementing an operational risk appetite and/or tolerance framework is not without challenges. However, if you establish, communicate and act within the tolerances of your risk appetite, the rewards can be ‘substantial.’

For invaluable insights, best practice guidance, and practical examples, download the IOR’s free white paper, ‘Operational Risk Appetite and Tolerance’, now.



*Understanding Risk Appetite | ERM – Enterprise Risk Management Initiative | NC State Poole College of Management (