Tech Accelerator What is risk management? Importance, benefits and guide

Prev Next

Definition

What is risk appetite?

Alexander S. Gillis

By

Alexander S. Gillis, Technical Writer and Editor

Published: May 16, 2025

Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value. It can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been implemented.

Risk tolerance, by contrast, is the amount of deviation from its risk appetite that an organization is willing to accept to achieve a specific objective, based on parameters that include industry and vertical standards.

Organizations can use risk appetite to determine the amount of risk they are taking to pursue their goals, but investors can also use it to determine how much financial gain or loss they are willing to accept. A risk appetite framework is typically represented by a written document that describes an organization's risk-based decisions. The risk appetite statement is how an organization informs its staff and stakeholders of its risk appetite. Risk appetite is a key part of an effective risk management process.

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be influenced by the following factors:

The organization's culture.
The organization's industry.
The organization's competitors.
Types of initiatives the organization pursues.
The organization's current industry position and financial strength.
The organization's goals and business objectives.
Stakeholder expectations.
Economic and political environment.

Risk tolerance is subject to the same factors that determine risk appetite. However, the amount of risk tolerance an organization accepts can vary, depending on factors such as the nature of a project, its time frame and the experience level of the people involved. Risk tolerance can change over time as industry standards, regulations and accepted practices change.

This article is part of

What is risk management? Importance, benefits and guide

Image of a speedometer representing risk appetite at 0-70 mph; risk tolerance at 70-80 mph; and unacceptable risk 80 mph and above. — Risk appetite is the capacity for risk, while risk tolerance is the risk taken after deviating from the risk appetite.

Determining your risk appetite

Organizations can determine their risk appetite by considering the following parameters:

Business objectives. This identifies the organization's immediate and long-term goals and values based on internal and external factors, such as culture and market conditions.
Risk assessment. This includes identifying potential threats to the organization, assessing the likelihood of these risks occurring and determining which risks are most critical. This also includes examining the organization's history of risk-taking and past actions.
Risk capacity and exposure. This measures the potential for loss from a specific event and establishes the maximum amount of risk the organization can realistically withstand without jeopardizing its financial or long-term goals.
Analysis of long-term objectives. This tracks the organization's risk levels and performance against its long-term objectives to ensure the risk appetite statement is relevant and current.

Three types of risks described through tolerance levels are also commonly used when discussing investment risk appetite: conservative, moderate and aggressive.

Conservative risk

Conservative risk deals with anything that carries large amounts of risk. Investors with conservative approaches avoid any potential areas of risk. For an organization, this could be projects with sensitive or mission-critical data and government contract work. A cautious risk management level is needed for this approach.

Moderate risk

Moderate risk involves weighing the potential benefits of security measures against the level of risk involved. Investors with a moderate risk tolerance accept some level of risk while specifying an acceptable percentage of losses. This level of risk appetite is adopted by organizations that are not open to taking many risks and have mitigation strategies in place in case of a disaster.

Aggressive risk

Those investors who want to risk revenue for the potential of gaining greater profits adopt aggressive risk as a high-risk, high-reward investment. For an organization, this could mean taking on a job that requires a large upfront investment but could provide a large profit upon completion.

Risks can also be thought of as inherent and residual. Inherent risk refers to the risks taken to achieve an objective, while residual risk refers to the remaining level of risk after the project's development and implementation. Any risks that remain after efforts to identify and eliminate all other risks are considered residual.

An image showing a funnel in which inherent risks are fed in and become controls and residual risks. — Inherent risk is the risk taken to achieve an objective, while residual risk is the remaining level of risk after development and implementation.

How to write a risk appetite statement

Organizations can build a risk appetite framework by creating a document that helps guide their organizational risk management activities.

This document should ideally include risk-taking approaches, risk mitigation topics, and implemented and planned risk avoidance measures. It should also be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices.

The following considerations should be examined before writing a risk appetite statement:

Include all necessary stakeholders and analyze the risks to strategic objectives, tactics, operations and compliance.
Create a diverse group of key stakeholders to include different perspectives on the organization's risk appetite.
Consider the organizational culture and overall focus regarding risk tolerance and risk appetite in specific scenarios and within the industry.
Note any risk that threatens the organization's efforts to achieve its goals and prepare mitigation strategies to address these risks.
Define the acceptable level of uncertainty or volatility in any risk appetite statements and decisions.
Ensure the risk appetite statement is applicable to the organization as a whole or emphasize where or how precisely it applies.
Include a summary and make the document accessible so it can be read by any relevant parties.

Risk appetite examples

Risk appetite varies by industry, with some highly regulated fields being more conservative versus other industries that take a more moderate approach to risk. The following are examples of risk appetite from different industries:

Healthcare. Healthcare organizations are traditionally conservative or risk-averse because they focus on critical areas of patient safety and data security. They have a legal obligation to protect sensitive patient information under regulations such as the Health Insurance Portability and Accountability Act. However, healthcare organizations that are doing research and development might be willing to take moderate risks to pursue innovative treatments.
Financial services. Industries such as finance tend to be conservative because of legal and compliance issues. However, banks might have a higher risk appetite for emerging markets but a lower appetite for real estate.
Technology. Technology innovation is often driven by organizations willing to take more aggressive risks. However, evolving cyberattacks, data breaches and the ethical implications of AI and machine learning have made some companies more risk-averse.
Manufacturing. Manufacturing companies often balance their risk appetite with the needs of current vs. future production. For example, they might have a higher risk appetite for new technologies to improve efficiency but a more conservative risk appetite for disruptors, such as supply chain management or cybersecurity threats.

Overall, an organization's risk appetite should focus on what the organization is willing to do in pursuit of its objectives, keeping environmental and cultural factors in mind.

Learn more about the differences between risk appetite and risk tolerance.

Continue Reading About What is risk appetite?

How to define cyber-risk appetite as a security leader

Traditional vs. enterprise risk management: How do they differ?

Explaining risk maturity models and how they work

Implementing an enterprise risk management framework

Cyber insurance: What does a CISO need to know?

Dig Deeper on Threats and vulnerabilities

Search Networking

What is a rogue DHCP server?
Rogue DHCP servers can throw DHCP infrastructures out of balance. These servers cause numerous network problems but are easy to ...
How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...

Search CIO

State AI law moratorium shapes congressional debate
While some policymakers argue that protecting consumers from AI-related harms means regulation, others say existing rules offer ...
Court to weigh divestiture in Google ad tech antitrust case
Forcing Google to divest assets in the DOJ's advertising market antitrust case against it will present a challenging issue to the...
Early-stage tech companies comb through data, software code
Software startups participating in the 2025 MIT Sloan CIO Symposium's Innovation Showcase take on the challenge of picking out ...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

M&S cyber attack disruption likely to last until July
M&S says it has moved into recovery mode after a ransomware attack, but expects some disruption to persist throughout the coming ...
Sapphire 2025: SAP mints business AI flywheel with Palantir on board
SAP CEO Christian Klein put economic and geopolitical uncertainty at the centre of the opening keynote at the supplier’s global ...
NCSC: Russia’s Fancy Bear targeting logistics, tech organisations
The NCSC and its partner agencies have blown the whistle on an extensive campaign of malicious cyber attacks orchestrated by the ...

Close