
How to write a risk appetite statement: Template, examples
A risk appetite statement defines acceptable risk levels for an organization. Here's what it includes and how to create one, with examples and a downloadable template.
It's said that with no risk, there's no reward -- and that's certainly true for businesses, which must take some amount of risk to innovate, pursue new opportunities and remain competitive in the market. But too much risk creates business problems, such as disrupted operations or damage to a company's brand.
As part of risk management programs, organizations need to define appropriate levels of risk based on their goals and priorities. That's the purpose of risk appetite statements. By formally describing an organization's willingness to accept risk, these statements help establish a strong foundation for keeping undue risks in check while providing room for ones that foster business growth and innovation.
This article details what a risk appetite statement includes, explains the process of writing one and provides examples of risk appetite statements for organizations in several industries, as well as a downloadable template that can be used to create a statement.
What is a risk appetite statement?
A risk appetite statement specifies the amount and types of risk an organization is willing to take -- its risk appetite, as the term indicates. In this context, risk refers to potential issues that can damage the business in strategic, operational, financial or other ways. The statements define the extent to which the organization will accept the possibility of these negative business outcomes.
Some statements also use the term tolerance when describing an organization's appetite for risks or uncertain outcomes. Risk tolerance, though, is also commonly viewed as a separate concept that's applied alongside risk appetite in risk management initiatives. From that perspective, risk tolerance expresses the amount of deviation an organization will accept from its risk appetite on specific risks.
Writing a risk appetite statement isn't a legal requirement. However, many organizations choose to document their risk appetite to help develop and implement an enterprise risk management (ERM) strategy. By officially stating the level of risk that business executives deem acceptable, an organization can more easily take steps to ensure that the risks it faces are managed accordingly.
Key components of a risk appetite statement
The structure and contents of risk appetite statements vary, and there's no official standard that a business needs to adhere to when developing one. In general, though, most risk appetite statements include the following components:
- A breakdown of the various risk domains and categories the organization needs to manage, such as financial risk, compliance risk and cybersecurity risk.
- A declaration of the level of risk the organization is willing to accept in each domain or category. Often, this falls into three levels: low, medium (or moderate) and high. Other variations on those terms are also used, and five levels are included in some cases.
- A concise justification for the defined level of risk, stating why it's appropriate based on the strategic objectives the business is pursuing.
- A short description of the risk management strategy or internal controls implemented to help ensure that risks remain at the target level.
Some risk appetite statements include additional content, such as the maximum financial losses deemed acceptable in each risk category or descriptions of other key risk indicators and metrics the business will use to track and manage risks. But again, businesses are free to include -- or not include -- whatever they want to when they write such documents.
For the same reason, some risk appetite statements are much longer and more detailed than others. It's not uncommon for organizations to write concise statements that are just a few sentences long. But others create multi-page documents to define their risk appetite. Such documents often include an introductory section about the organization's ERM program and the risk appetite statement, followed by an overview of its risk appetite and lists of appetite levels for specific risks in different categories.

5 steps for writing a risk appetite statement
Although risk appetite statements vary in content and form from organization to organization, the process of writing one commonly includes the following core steps:
1. Identify relevant risk domains
First, an organization must determine the types of risk it needs to manage. Some risk domains, such as financial risk, reputational risk, legal risk and cyber-risk, affect almost all businesses, while others apply only to certain businesses.
For example, potential supply chain issues are a key risk category for a company that depends on a complex global supply chain to make and sell its products. But not all organizations are beholden to such supply chains. Similarly, a business whose operations could be significantly disrupted by a natural disaster will want to factor that into its risk appetite statement. However, this isn't a major risk category for organizations with operations limited to areas that typically don't experience major weather events or other natural catastrophes.
2. Identify strategic goals that the risks could affect
After identifying the relevant risks, evaluate the organization's strategic objectives to help inform the risk appetite statement.
Here again, goals can vary widely between organizations. For example, new customer acquisition might be a top priority for one business, while retaining existing customers is more important for another company. Also, some businesses might choose to pursue multiple strategic goals of equal importance, while others have a hierarchy of goals with varying levels of emphasis or priority.
3. Compare the risks to the goals
Next, assess the relationship between the identified business risks and goals. This should be done in a granular fashion by considering how each risk domain could affect each strategic goal.
For example, if customer retention is a key goal, the assessment might look at the potential impact of cybersecurity incidents, supply chain disruptions and regulatory compliance issues on customer willingness to continue doing business with the organization. A comprehensive assessment could also examine the possible effect of individual risks within the various domains.
4. Define acceptable risk levels
Based on the comparison of risks to strategic goals, define an acceptable risk level for each risk domain.
For example, the organization might determine that cybersecurity events are likely to cause many customers to stop buying its products. If customer retention is a strategic goal, it likely would establish a low appetite level for cyber-risk. At the same time, if the company calculates that it can weather supply chain disruptions without experiencing major customer churn, it might accept a higher level of supply chain risk. Depending on how detailed the risk appetite statement is, different levels can also be set for the specific risks each domain includes.
5. Write and communicate the risk appetite statement
Write the risk appetite statement in clear, unambiguous wording to avoid any potential confusion or misinterpretation. After it's finalized, the statement needs to be communicated to the entire organization so it can be incorporated into the risk management process and applied as part of strategic planning and business decision-making.
The process of creating a risk appetite statement is typically led by the risk management team and overseen by the chief risk officer, if an organization has one, or another risk management leader if not. But business stakeholders from across the organization should be involved in all these steps to ensure that the statement reflects the appropriate risk appetite levels.
Examples of effective risk appetite statements
The following examples are hypothetical risk appetite statements for companies in specific industries. They're brief statements that don't include every potential risk type or category; instead, they highlight some key risk domains and provide sample explanations of how the domains correlate with an organization's strategic goals.
First, here's an example of a risk appetite statement for a financial services firm:
| Risk type | Risk appetite level | Alignment with strategic goals |
| --- | --- | --- |
| Compliance risk | Low | We maintain a minimum appetite for risks that could trigger regulatory compliance violations, which could lead to fines and damage our brand's image. |
| Cybersecurity risk | Low | We maintain a minimum appetite for cybersecurity risks due to their potential to reduce revenue by disrupting key services. |
| Financial risk | Medium | Although it's crucial to evaluate investments critically and holistically before approving proposed plans, we accept moderate risk when necessary to pursue sound financial opportunities. |
The following statement is an example for a healthcare organization:
| Risk type | Risk appetite level | Alignment with strategic goals |
| --- | --- | --- |
| Compliance risk | Low | We maintain zero tolerance for regulatory compliance risks, particularly those involving patient data. |
| Reputational risk | Low | Maintaining a stellar brand and ensuring trustworthiness in the eyes of our customers is critical to our competitive edge; therefore, we do not accept risks that could harm our reputation. |
| Operational risk | Medium | While it's important to maintain consistent operational processes, we accept a moderate level of risk to encourage innovations that can improve our internal efficiency. |
This is a sample risk appetite statement for a technology vendor:
| Risk type | Risk appetite level | Alignment with strategic goals |
| --- | --- | --- |
| Cybersecurity risk | Low | As a vendor whose brand reputation and product quality ratings hinge in large part on our ability to provide secure software and IT services, we have a minimal appetite for cybersecurity risk. |
| Product development risk | High | To bring new products and features to market faster than our competitors, we have a high tolerance for taking risks when designing and developing new products. |
| Natural disaster risk | Medium | To the extent possible, we avoid investments and processes that expose us to unnecessary natural disaster risks, such as deploying IT infrastructure in regions prone to severe weather events. However, we are willing to accept such risks when they support strategic goals. |
Risk appetite statement template
The downloadable template linked to here includes a table like the ones in the examples above that can be used to create a simple, concise risk appetite statement. The table can be expanded or reduced based on the number of risk domains included in the statement. The column headings can also be modified as needed, and more columns can be added -- for example, to list relevant controls or key metrics used to manage risks.
The template also includes a separate outline of a more detailed risk appetite statement containing multiple sections and, if desired, granular lists of appetite levels for various individual risks within different risk categories. This outline can likewise be modified to fit an organization's specific needs. Such statements, typically produced as PDFs, often run to six or more pages, combining general information with the risk appetite details, as well as logos, images and other visual elements.
How often should companies update risk appetite statements?
Business risks and strategic goals constantly change. The level of organizational risk a business deems acceptable one day might no longer align with its strategic goals the next day. For that reason, risk appetite statements should be updated regularly to keep them current with business objectives and priorities.
The following are the two basic approaches for when to review and update risk appetite statements:
- On a fixed timeline. Many organizations update their statements at fixed intervals, such as once per year. Often, the updates take place as part of annual business reviews or strategic planning meetings.
- In response to major changes. Alternatively, businesses might revisit their risk appetite statements whenever there's a major event or development -- such as a cybersecurity incident or a new compliance requirement -- that could affect their appetite for related risks.
Although it's common for organizations to adopt just one of these update strategies, using both in tandem is the best approach. Reviewing risk appetite statements at regular intervals helps businesses take proactive steps on emerging risks before a sudden change forces them to react. On the flip side, by revisiting the relevant parts of a statement when a major development occurs, acceptable risk levels can be reset immediately, if necessary, instead of having to wait until the next scheduled review.
Chris Tozzi is a freelance writer, research adviser, and professor of IT and society. He has previously worked as a journalist and Linux systems administrator.