1
Statement
Translate appetite into a simple, board-approved statement.
Risk appetiteexplained
Set clear boundaries for decision-making.
Learn what risk appetite means, how it differs from tolerance, and how boards communicate acceptable risk exposure across the organisation.
What is risk appetite?
Risk appetite is the amount and type of risk your organisation is willing to take in pursuit of objectives, before controls and mitigation.
3
Layers
Enterprise, category, and operational appetites keep decisions aligned.
↔
Tolerance
Define acceptable deviation around appetite before escalation.
WHY IT MATTERS
Why risk appetite keeps strategy focused
Guides decisions. Teams know when to escalate or proceed based on clear limits.
Aligns stakeholders. Boards and executives speak a common language about acceptable risk.
Supports transparency. Regulators and investors expect documented appetite statements, especially in finance and critical infrastructure.
FRAMEWORK
How to set and communicate risk appetite
- Link to strategy Connect appetite to outcomes—growth, innovation, compliance, or liquidity.
- Quantify when possible Use metrics (e.g., debt ratios, downtime targets) plus narrative guidance.
- Cascade Translate enterprise appetite into functional limits and decision trees.
CADENCE
How to monitor appetite vs reality
- Track KRIs Define indicators that signal when appetite is being approached or breached.
- Report breaches Require immediate escalation when tolerances are exceeded.
- Review annually Reassess appetite during strategy refresh or when external conditions shift.
- Educate teams Include appetite reminders in onboarding and planning workshops.
Risk appetite quick wins
Draft a one-page statement
Summarise appetite, tolerances, and escalation triggers.
Host a leadership session
Align executives on acceptable exposure for the coming year.
Embed in templates
Add appetite checks to investment memos and project briefs.
RISK APPETITE GLOSSARY SNAPSHOT
Risk appetite glossary snapshot
Risk appetite. The level of risk an organisation is willing to accept to achieve objectives.
Risk tolerance. The acceptable variation around appetite before escalation is required.
Risk capacity. The absolute maximum risk the organisation can bear before threatening viability.
FAQS
Risk appetite FAQs
Who sets risk appetite?
Boards approve appetite, executives implement it, and risk teams coordinate drafting and monitoring.
How detailed should it be?
Provide enterprise guidance plus category-specific thresholds (e.g., compliance, liquidity, operational).
What’s the difference between appetite and tolerance?
Appetite is the desired level; tolerance is the allowable deviation before action.
How do we communicate appetite?
Use onboarding packs, planning templates, dashboards, and regular reminders in leadership meetings.
Drova's RunGood platform ties appetite statements to registers, OKRs, and approvals.
Ready to embed risk appetite in decisions?
GRC 101 HUB
Explore related topics
Risk management basics
See where appetite fits in the framework.
Risk register template
Record appetite references for each risk.
Residual risk guide
Compare appetite to remaining exposure.
Inherent risk explainer
Establish baselines before deciding appetite.
Strategic risk overview
Align appetite with long-term decisions.
Compliance risk basics
Ensure regulatory obligations respect appetite.
