Definition

risk appetite

Alexander S. Gillis

By

Alexander S. Gillis, Technical Writer and Editor

What is risk appetite?

Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.

Risk appetite can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.

Risk tolerance, by contrast, is the amount of deviation from its risk appetite that an organization is willing to accept to achieve a specific objective, based on parameters that include industry and vertical standards.

Organizations can use risk appetite to determine the amount of risk they're taking on in pursuit of their goals. But investors can also use it to determine how much financial gain or loss they're willing to accept. Risk appetite is typically represented by a written document that describes an organization's risk-based decisions. The risk appetite statement is how an organization informs its staff and stakeholders of its risk appetite. Risk appetite is a key part of an effective risk management process.

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be influenced by a wide variety of factors:

The organization's culture.
The organization's industry.
The organization's competitors.
Types of initiatives the organization pursues.
The organization's current industry position and financial strength.

Risk tolerance is subject to the same factors that determine risk appetite. However, the amount of risk tolerance an organization accepts can vary on a case-by-case basis, depending on factors such as the nature of a project, a project's timeframe and the experience level of the people involved. Risk tolerance can change over time as industry standards, regulations and accepted practices change.

This article is part of

What is risk management and why is it important?

Download this entire guide for FREE now!

Meter showing risk appetite vs. risk tolerance. — Risk appetite is the capacity for risk, while risk tolerance is the risk taken after deviating from the risk appetite.

Determining your risk appetite scale

For organizations seeking to determine their risk appetite scale, it's important to consider the probability of a risk and its impact. Once risk probability and impact are used to drive an organization's risk priorities and focus, risk appetite can be evaluated through analysis of the following parameters:

Acceptable risk boundaries and actions. What exactly is the organization willing to do within the acceptable risk appetite level?
Risk exposure. Based on a desired set of actions and outcomes, does the risk exposure increase, decrease or stay the same? The level of risk exposure influences the risk appetite for any specific project or approach and possibly the overall direction an organization takes.
Analysis of long-term objectives. Organizations should ultimately line up risk appetite considerations with their longer-term objectives and where they should be headed to accomplish strategic goals.

Three types of risks described through tolerance levels are also commonly used when talking about risk appetite for investments: conservative, moderate and aggressive.

Conservative risk deals with anything that carries large amounts of risk. Investors with conservative approaches avoid any potential areas of risk. For an organization, this could be projects with sensitive or mission-critical data and government-contract work. A cautious risk management level is needed for this approach.

Moderate risk has the potential benefits of security measures weighed against the level of risk involved. Investors with a moderate risk tolerance accept some level of risk while specifying an acceptable percentage of losses. This level of risk appetite is adopted by organizations that aren't open to taking many risks and have mitigation strategies in place in case of a disaster.

Those investors that want to risk revenue for the potential of gaining greater profits adopt aggressive risk as a high-risk, high-reward investment. For an organization, this could mean taking on a job that requires a large upfront investment but could provide a large profit upon completion.

Risks can also be thought of as inherent and residual. Inherent risk is the risks taken to achieve an objective, while residual risk is the remaining level of risk after development and implementing the project. Any risks that remain after efforts to identify and eliminate all other risks are considered residual.

Inherent risk and residual risk. — Inherent risk is the risk taken to achieve an objective, while residual risk is the remaining level of risk after development and implementation.

How to write a risk appetite statement

Organizations can express their risk appetite by creating a risk appetite statement, a document that helps guide their organizational risk management activities.

This document should ideally include risk-taking approaches, risk mitigation topics as well as implemented and planned risk avoidance measures. The statement should ideally be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices, which also means it needs to be updated on a regular basis.

To write a risk appetite statement, do the following:

Consider and include all necessary stakeholders and analyze the risks to strategic objectives, tactics, operations and compliance.
Create a diverse group of key stakeholders to include different perspectives on the organization's risk appetite.
Consider the organizational culture and overall focus regarding risk tolerance and risk appetite in specific scenarios and within the industry.
Take note of any risk that threatens the organization in its effort to achieve its goals and prepare mitigation strategies to address these risks.
Define the acceptable level of uncertainty or volatility in any risk appetite statements and decisions.
Ensure the risk appetite statement is applicable to the organization as a whole or emphasize where or how precisely it applies.
Include a summary and make the document accessible so it can be read by any relevant parties.

Examples of risk appetite in practice

Some examples of risk appetite include the following:

An organization states that it won't accept risks that could result in a significant loss of its data or revenue base. This could, for example, apply to an organization that depends on government-contract work to stay profitable.
Organizations might be comfortable with the risk of putting personal data into a cloud environment but are less willing to put financial data into the same cloud based on the provider and other risk factors.

Overall, an organization's risk appetite should focus on what the organization is willing to do in pursuit of its objectives, keeping environmental and cultural factors in mind.

Learn more about the differences between risk appetite and risk tolerance.

This was last updated in October 2023

Continue Reading About risk appetite

How to define cyber-risk appetite as a security leader

Traditional vs. enterprise risk management: How do they differ?

Explaining risk maturity models and how they work

Implementing an enterprise risk management framework

Cyber insurance: What does a CISO need to know?

Dig Deeper on Threats and vulnerabilities

Networking

Palo Alto Networks SASE Converge updates boost security, UX
With the announcement of its latest SASE portfolio updates and the acquisition of Talon, Palo Alto Networks connects the dots ...
5G Advanced features include accurate timing, AI support
5G Advanced is the latest 5G specification, aiming to deliver enhanced massive MIMO, 5G integration with AI and accurate location...
How to build a private 5G network architecture
A private 5G network could provide organizations with greater control over their wireless environments. But cost and complexity ...

CIO

8 blockchain security risks to weigh before adoption
Blockchain and smart contracts have their own unique vulnerabilities. But poor code testing, cryptographic keys and generic ...
How AI is radically changing business process management
Deploying AI's discovery and automation capabilities in BPM powers advancements in front-office processes, process data analysis,...
Former OpenAI CEO gains strong legal backing with Microsoft
Should ousted OpenAI CEO Sam Altman be involved in any federal investigations going forward, he now has the legal backing of ...

Enterprise Desktop

What IT admins and office workers get in MS 365 Copilot
Microsoft 365's Copilot assistive AI features come with a big price tag, but experts are bullish that they could return the ...
Observations from the intersection of UCC and EUC
End-user computing tends to overlap with numerous other business technologies, such as cloud computing, security and mobility. ...
Chip giant Nvidia takes on Intel with Arm CPUs for Windows PCs
Nvidia plans to jump into the Windows Arm CPU fray along with Qualcomm, AMD and purportedly Microsoft as chipmakers bet that AI ...

Cloud Computing

Evaluate serverless computing best practices
Serverless computing strategies require enterprises to evaluate tools, features and costs, while understanding application ...
Hybrid cloud connectivity best practices and considerations
Private and public clouds stress networks in different ways and don't always play well together. Here's what to know to set up a ...
Use resource tagging to optimize cloud costs
When it comes to cost management in cloud computing, tags and additional metadata can help with reporting, allocation and ...

ComputerWeekly.com

Law enforcement dismembers major ransomware operation in Ukraine
A joint law enforcement operation between the Ukrainian authorities, Europol and Eurojust has seem five ransomware operators ...
Paula Vennells’ email fuelled Post Office Horizon cult, inquiry told
Faced with serious questions about the robustness of its core computer system, the Post Office doubled down on reliability myth, ...
Aerodyne taps AWS to power drone platform
The Malaysia-based startup is running its Dronos platform on AWS to expand its footprint globally and support a variety of drone ...

Close