Risk Appetite with Examples

Governance Glossary

Published: June 6, 2024

Risk appetite

Understanding risk appetite is critical to the operations of a business or organisation. To set clear and manageable goals, an entity must understand its appetite and tolerance for risk. Every risk has potential downsides and upsides. Defining the risk appetite can inform messaging, resource allocation, and decision making, shaping the culture and future of an organisation.

Every company is different and factors such as organisational structure, the nature of the work, and the financial position and capacity can influence risk appetite. Knowing an appetite for risk can also improve the capacity to assess and manage risks more effectively.

What is Risk Appetite?

According to Australia’s Department of Finance, risk appetite is “the amount of risk that an entity is willing to accept or retain in order to achieve its objectives.” When compared to actual exposure to risks, risk appetite information can assist in the evaluation process and help determine if people are taking the appropriate amount of risk and balancing opportunities and threats.

The perception of risk can vary among different individuals within an organization, based on their experiences, knowledge, and attitudes. It is important for board members to understand and articulate the organisation’s risk appetite to increase its risk management capacity. Setting benchmarks that can be helpful for measuring and tracking success and is critical to developing a clear and realistic risk appetite. For example, a risk statement about cybersecurity might read: “We can manage up to two security threats a year with a financial impact of less than $200K in ransom payments.”

Why is Risk Appetite Important?

The amount of risk an organisation is willing to accept can have a direct impact on how it achieves its objectives and mission. Knowing the acceptable level of risk can provide clear guidelines for directors and staff on what actions they should take to reduce (or allow) risks. By having a well-defined risk appetite, board members can support risk taking at every level and improve their own decision making, providing the structure for risk related discussion.
Risk appetite can be useful in assessing which risks are desirable and can support growth and innovation. Developing a risk appetite statement can increase transparency and empower organisational leadership to prepare the organisation or company for potential risks while improving the risk assessment process. It can also assist is defining various levels of severity for each risk.

Risk Appetite Statement

A risk appetite statement describes both the risk appetite and risk tolerance of an organisation. While the format can vary depending on each company, the typical statement consists of:

  • A clear statement of endorsement of the senior executive, reinforcing the importance of informed risk taking.
  • A definition of what the risk appetite is and how it can be used.
  • The overall attitude toward risk taking within the organisation.
  • A statement for each of the risk categories identified, describing the level of tolerance for each risk.
  • The limitations in exercising risk tolerance.

The risk appetite statement is a key element of the risk management framework and is tailored to internal and external context of each organisation. An example of a risk statement related to financial misconduct might be: “We have a very low appetite for internal fraud, and fraud control requirements are in place to manage and reduce financial risk even if there is a negative cost-benefit.”

Risk Appetite and Culture

The board is responsible for setting the organisation’s risk culture and integrating a risk appetite statement into the risk framework. A poor risk culture can lead to excessive risk-taking beyond the company’s risk appetite and problems such as the underreporting of risks, a lack of transparency, chronic non-compliance, and other issues that threaten the mission. Effective risk governance considers external and internal factors when defining risk appetite. The board is responsible for confirming the risk appetite statement aligns with management’s risk decisions and for setting the tone and making expectations about risk clear.

Monitoring Risk Appetite

aving controls in place in case the risk tolerance is exceeded can provide individuals responsible for monitoring risks with the steps for monitoring compliance with risk appetite. The first step is to identify the organisation’s key objectives and ensure the risk appetite statement aligns with these goals. Next, define the appetite for each risk category, such as strategic, financial, operational, compliance, cyber, climate, and reputational.

Assign a risk level (high, moderate, low) and describe risk tolerance for each. The third step is to describe the preferred risk profile for the organisation, whether conservative, balanced, or aggressive and to establish the risk culture based on these characteristics. Fourth, define the risk limits using measurable benchmarks and identify who will monitor exposure to risk, enforce limits, and escalate breaches.

The next step is to set up a process for monitoring and reporting risks and reviewing the risk appetite. The sixth step is to communicate the risk appetite statement to staff and develop policies and controls that supports it, reviewing it annually.

Risk Appetite Statement Examples

Getting started writing your own risk appetite statment can be a challenge. Below are three examples to help you get started.

Example 1: Small Not-For-Profit Club

Risk Appetite Statement


As the President of the Small Not-For-Profit Club, I endorse this Risk Appetite Statement. It is crucial for our club to make informed decisions that align with our mission and values while managing risks responsibly.

Definition and Use

Our risk appetite defines the level of risk we are willing to accept to achieve our objectives. It guides our decision-making process and ensures that we are prepared to handle uncertainties that may arise.

Overall Attitude

Our club adopts a cautious approach to risk-taking. While we recognize the need to take certain risks to fulfill our mission, we prioritize safeguarding our financial stability, reputation, and the well-being of our members.

Risk Categories and Tolerance

  • Financial Risk: We have a low appetite for financial risk. We aim to maintain a balanced budget and ensure all expenditures are justifiable and within our financial means.

  • Operational Risk: We have a moderate appetite for operational risk. We encourage innovative activities and events that align with our mission, provided they do not jeopardize the club’s core operations.

  • vReputational Risk*: We have a very low appetite for reputational risk. Maintaining a positive public image and trust with our stakeholders is paramount.

  • Compliance Risk: We have zero tolerance for non-compliance with legal and regulatory requirements. All activities must adhere strictly to applicable laws and regulations.


In exercising risk tolerance, any decision that could potentially harm our members, violate laws, or significantly impact our financial health will not be considered. Risk assessments must be conducted for all major initiatives.

Example 2: Large Superannuation Fund

Risk Appetite Statement


As the CEO of the Large Superannuation Fund, I fully support this Risk Appetite Statement. Our commitment to informed risk-taking is essential for safeguarding our members’ retirement savings and achieving sustainable growth.

Definition and Use

Our risk appetite defines the extent of risk we are willing to accept in our investment and operational activities to meet our objectives. It serves as a framework for strategic planning and decision-making.

Overall Attitude

We adopt a balanced approach to risk-taking. While aiming for competitive returns, we prioritize protecting our members’ assets and ensuring long-term sustainability.

Risk Categories and Tolerance

Investment Risk: We have a moderate appetite for investment risk. Our diversified portfolio strategy aims to optimize returns while mitigating undue exposure to market volatility.

Operational Risk: We have a low appetite for operational risk. Robust internal controls and procedures are in place to ensure efficient and secure operations.

Liquidity Risk: We have a low appetite for liquidity risk. We maintain sufficient liquidity to meet member withdrawals and other obligations without compromising our investment strategy.

Compliance Risk: We have zero tolerance for non-compliance. Adhering to regulatory requirements and industry standards is non-negotiable.

Reputational Risk: We have a very low appetite for reputational risk. Upholding our reputation for integrity and trustworthiness is critical.


Decisions that could significantly jeopardize our members’ savings, breach regulatory requirements, or damage our reputation are strictly prohibited. Comprehensive risk assessments are mandatory for all high-impact activities.

Example 3: Medium-Sized Technology Firm

Risk Appetite Statement


As the CEO of the Medium-Sized Technology Firm, I endorse this Risk Appetite Statement. Informed risk-taking is essential to drive innovation and growth while ensuring stability and compliance.

Definition and Use

Our risk appetite outlines the level of risk we are willing to accept to achieve our strategic goals. It guides our approach to innovation, investment, and operational management.

Overall Attitude

We are open to taking calculated risks, particularly in areas that drive innovation and competitive advantage, while maintaining strong controls to manage potential downsides.

Risk Categories and Tolerance

Innovation Risk: We have a high appetite for innovation risk. We encourage experimentation and investment in new technologies and solutions, accepting that some initiatives may not succeed.

Operational Risk: We have a moderate appetite for operational risk. While we strive for efficiency and reliability, we are willing to accept some risk in pursuing operational improvements.

Financial Risk: We have a low appetite for financial risk. We maintain a prudent financial strategy, ensuring stability and sustainable growth.

Compliance Risk: We have zero tolerance for non-compliance. Compliance with all relevant laws and regulations is mandatory.

Reputational Risk: We have a low appetite for reputational risk. Protecting our brand and maintaining stakeholder trust is critical.


Risk tolerance is limited by our commitment to legal compliance, financial prudence, and reputational integrity. All significant projects must undergo thorough risk assessments to ensure alignment with our risk appetite.

Frequeny Asked Questions

What are the 5 levels of risk appetite?

  • Averse: Avoidance of risk and uncertainty. This level involves making decisions and taking actions that eliminate or significantly reduce exposure to risk. Typically chosen by organizations prioritizing stability and predictability over potential rewards.
  • Minimalist: Preference for very low-risk options with little potential for reward. Organizations with a minimalist risk appetite prefer safe, secure choices and only take on risks that are absolutely necessary.
  • Cautious: Preference for safe, low-risk options with a low degree of uncertainty. Such organizations are open to taking on some risk but only if it is well understood and managed.
  • Open: Willing to consider all options, with moderate risk and reward. These organizations balance potential benefits and risks, and are willing to engage in opportunities with a measured approach to risk management.
  • Hungry: Eager to pursue high-risk options with high potential rewards. Entities with a hungry risk appetite are aggressively looking for opportunities that could yield significant returns, even if they come with substantial risks.

What is an example of risk appetite and risk tolerance?

Risk Appetite: A technology startup may decide it is willing to invest up to 30% of its capital in experimental projects with high growth potential, demonstrating a high risk appetite by actively seeking opportunities that could lead to significant breakthroughs.

Risk Tolerance: The same startup might set a risk tolerance limit of no more than 10% loss in any single project. This means while they are willing to take significant risks, they have clear boundaries to manage potential losses and ensure overall financial stability.

What is another word for risk appetite?

Risk appetite, also known as risk preference, refers to an individual's or organization's willingness to take on risks in pursuit of their objectives. This concept considers the balance between potential rewards and negative consequences, as well as the available resources to manage those risks. Risk appetite is closely related to other terms such as risk inclination and risk propensity, which describe the overall tendency to either embrace or avoid risk when making decisions.

Other terms that might be used include risk capacity, risk attitude, risk propensity, risk preference, and risk perception. Although some sources use these terms interchangeably, others distinguish between them within more comprehensive risk appetite frameworks, assigning specific meanings to each term to create a more nuanced understanding of how individuals and organizations approach risk.

Is high risk appetite good or bad?

Whether a high risk appetite is good or bad depends on the context and the entity's capacity to manage risk. For innovative industries or startups, a high risk appetite can drive significant growth and lead to pioneering advancements. However, for more established companies or conservative sectors, it might lead to instability and potential losses if not properly managed. The key is ensuring that the level of risk taken aligns with the organization's overall strategy, capabilities, and market conditions.

How do you develop risk appetite?

  • Assess Current Position: Understand the current risk profile and capabilities of the organization. Conduct a thorough analysis of existing risks, controls, and risk management practices to establish a baseline.
  • Stakeholder Engagement: Involve key stakeholders, including executives, board members, and employees, to align on risk objectives and boundaries. Ensure everyone understands the importance of risk management and their role in it.
  • Define Objectives: Clearly articulate business goals and the level of risk required to achieve them. Establish specific, measurable, achievable, relevant, and time-bound (SMART) objectives that guide risk-taking behavior.
  • Develop Frameworks: Establish policies and frameworks to manage and monitor risk. This includes setting risk limits, creating risk assessment processes, and defining roles and responsibilities for risk management.
  • Continuous Review: Regularly review and adjust risk appetite in response to changing conditions and performance outcomes. Implement a feedback loop to monitor the effectiveness of risk management practices and make necessary adjustments to maintain alignment with strategic objectives.

Audit Report

Board of Directors

Risk Register

Addtional Resources

Effective Board Evaluation

Board Member Training Webinars

Strategic Planning Principles & Practices

Legal Obligations of NFP Directors



Better Boards connects the leaders of Australasian non-profit organisations to the knowledge and networks necessary to grow and develop their leadership skills and build a strong governance framework for their organisation.

Found this article useful or informative?

Join 5,000+ not-for-profit & for-purpose directors receiving the latest insights on governance and leadership.

Receive a free e-book on improving your board decisions when you subscribe.

Unsubscribe anytime. We care about your privacy - read our Privacy Policy .