
Another look at the concept of Risk Appetite

The blog post that was read most often both in 2020 and all-time was written in 2011. “Just what is risk appetite and how does it differ from risk tolerance?” has been viewed nearly 80,000 times.

Another of my most-read posts in 2020 is more recent, shared in May of last year: “COSO still believes in risk appetite statements”. In it, I shared ten questions to challenge those who continue to believe they are not only necessary (for example, to comply with regulator demands) but also useful in making business decisions.

But my most recent post on the topic was in October 2020, “Are you hungry for a better approach to risk appetite?” It is a review of an excellent thought leadership paper by Chris Burt.

The last two, especially, are useful if you have not read them before.

But let’s revisit the topic, as if from scratch.


What is risk appetite? It is defined by COSO as the “amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”

Before analyzing that nebulous statement, it is useful to consider why we are even thinking about risk appetite statements.


Basically, regulators and board members influenced by them want to prevent management from taking too much risk.

By that, I mean acting or failing to act in a way that puts the success, even the viability, of the organization in peril for no good reason and without the approval of the owners of the organization: the shareholders. In addition, these days it is recognized that the failure of an organization can affect others, including customers, creditors, and the community.

Ergo, the concept of risk appetite.


The concept has been broadly accepted in the financial services sector and is required by banking and insurance regulators.

But is it necessary and useful to come up with “an amount of risk that the organization is willing to accept”?


What did organizations do before there was talk about risk appetite? What do many still do in the absence of a risk appetite statement?

Do they let management run wild, taking all the risk they think would help their results and get them significant bonuses – while putting the organization in peril?


There are limits and policies that constrain management actions everywhere.

  • Limits on spending (budgets) and purchasing (purchase orders)
  • Limits on the granting of credit
  • Limits on the approval of discounts
  • Limits on the approval and signing of contracts and commitments, both purchase and sale
  • Trading limits
  • Approval requirements for the granting of system access rights
  • Health and safety policies
  • Ethics policies
  • Information security policies and standards
  • Hiring policies
  • Policies around the sale by management of the company’s shares
  • Limits on the number or value of assets held by the company (such as insurance policies, mortgages, inventory at specific locations, etc.)
  • And so on


Some have developed risk appetite statements that attempt to come up with a single number or value for all the sources of risk facing the organization. They seem to believe that they can aggregate disparate sources of risk, such as credit risk, operational risk, cyber risk, and so on.

I don’t think that is logically (or mathematically) sound.


Some have risk appetite statements (and previous COSO guidance has examples) that say things like “the company has a low tolerance for compliance risk”.

It is interesting that the COSO document I wrote about in May (see link above) seems to think this has meaning and value:

Echo Relief, a service organization to help people through disasters, will pursue new programs that enhance the delivery of services to those in need within our financial ability. We will accept moderate risk to the safety of staff and volunteers as we respond to disasters. In order to maintain good stewardship of donor funds, we have a low appetite for risks related to misuse of funds.

I don’t think that adds more than lipstick value.

It won’t affect any decisions.

So what does make sense?


If I were a CRO today (I retired from that wonderful position several years ago) I would consider developing a risk appetite statement of a different kind – even if I were in an organization bound by related regulations.

Its purpose would be twofold:

  1. To explain how management is guided to take the right risks, neither too much nor too little.
  2. To ensure there is sufficient guidance for decisions made by management (and the board as needed). (Every decision involves taking risk.)

I would certainly not try to come up with a single value for risk appetite, nor would I attempt to come up with single numbers for different types of ‘risk’.

I would also avoid flim-flam language that is not actionable, such as “we have a low appetite” for this or that.

How can you ever say that having a low or even no appetite for compliance or safety failures is meaningful? It is impossible to have a zero likelihood of a failure in either area.


My idea of a risk appetite statement would take each area of ‘risk’ and reference how management is guided when it comes to taking it. The document would explain what policies, procedures, and standards apply and whether there are specific limits. I would include how exceptions are handled.

In some cases, there will be specific limits, such as in the granting of credit. In other cases, such as employee safety, management judgment will be guided by related policies, etc.


It is essential, as COSO recognizes, that management be able to take the right risk when warranted – making informed and intelligent decisions.

COSO also recognizes that limits (even those they refer to as risk appetite) should be exceeded when the business need or reward justifies it. A rigid limit has the effect of limiting success.


If risk management is to be meaningful, it needs to deliver actionable information to help people make informed and intelligent decisions – and take the right level of the right risks.

If you have a risk appetite statement or are developing one, don’t do it to comply with the regulations.

Do it so it means something!

Or, reconsider and focus instead on helping leaders make the right decisions.


I welcome your thoughts.

  1. January 4, 2021 at 11:17 AM

    Love it. Although I reach a different conclusion: no risk appetite statements are necessary, as that should already be covered by the board charter, hedging policy, credit policy, investment guidelines and so on.

  2. January 4, 2021 at 11:36 AM

    As a concept, all living things have a risk appetite. Those with a low risk appetite (they don’t take opportunities even where the benefits outweigh the costs) – starve, those with a high risk appetite – get eaten. Those which manage to take opportunities where the benefits just exceed the costs – evolve.
    Putting the concept into practice, that is, setting a risk appetite where the probability that the benefits of any decision exceed the costs, is literally a gamble, which depends on the circumstances.
    Thus a risk statement might be that ‘investment opportunities are taken which are likely to provide a return of 10 to 20 percent’. Though such a statement doesn’t cover all circumstances.

    • Luca Pacioli
      February 19, 2021 at 7:28 AM

      Not true… Or bullshit if you prefer. It all depends on context. The alligator might have a low risk appetite and always be eaten because it is at the top of the food chain.
      And why only 20%??? Tell hedge funds about it, they will laugh.

  3. John Fraser
    January 4, 2021 at 1:58 PM

    As far as I could ascertain, RAS were required by the Financial Stability Board for financial institutions to make it look like they were taking action after the 2008 credit crisis. I have yet to see one that is meaningful, despite viewing many, all of which were useless. They have been a boon for consultants. They could be of some benefit if boards and executives actually have conversations about them.

    • Norman Marks
      January 4, 2021 at 2:02 PM

      Agree, John. I would lead a discussion that talks about the history and the intent – and then how our company addresses the need to make sure people are taking the right level, the Little Red Riding Hood level, of risk.

  4. Roger Estall
    January 4, 2021 at 2:31 PM

    “…acting a way ….. [that puts] …..the viability, of the organization in peril for no good reason”. Just trying to think why anyone would put the viability of the organisation in peril?
    And as to “Every decision involves taking risk.”….. I think you mean that there is never complete certainty about the outcomes that will flow from a decision. People understand this as all the words have their ordinary meaning. Tell someone they have ‘taken risk’ and the pretty obvious response would be “oh really? What does it look like and where did I put it?”
    As is often said to children summoning the courage to swim: “It’s time to let go of the side of the pool!” You have rightly trashed so many of the absurd things that are said about ‘risk appetite’ but then you attempt to do the impossible – i.e. to bring meaning to this concocted and inherently meaningless expression. The words of the lovely song in Frozen, the children’s movie come to mind…
    Let it go, let it go
    Can’t hold it back anymore
    Let it go, let it go
    Turn away and slam the door…!

    All the best Norman, and Happy New Year!

    • Norman Marks
      January 4, 2021 at 3:14 PM

      Roger, thank you for your comment and the intention – even though we seem to live in different realities.

      Happy New Year and may your outcomes always be certain

    • January 5, 2021 at 2:04 AM

      Roger, you say, ‘Tell someone they have ‘taken risk’ the pretty obvious response would be “oh really? What does it look like and where did I put it?”. I disagree. For example, if I point out that someone is taking a risk crossing a busy road they are most likely to:

      -Justify their action – by stating their objective is important and justifying that the potential ‘cost’ is outweighed by the benefits (‘I must go and buy food from the shop over the road’)
      -specify how they are reducing the potential cost (‘I will look out both ways for traffic and only cross when there is a clear break’)

      or tell me to mind my own business.

      • Norman Marks
        January 5, 2021 at 7:07 AM

        well said

      • January 5, 2021 at 2:20 PM

        The point is David that if you say that, (1) there is no certainty that the person will understand because as we know, and as has been illustrated so often in these columns, the word risk has just so many meanings (2) the real question is “how certain are you that you can safely cross the road?” or, “are you sufficiently certain that you will get to the other side?”- plain language, focused on the actual issue and a reminder that there is always some uncertainty. Even if YOUR understanding of the word ‘risk’ includes consideration of uncertainty, then the actual response to you pointing out that what they are about to do involves risk (or as you would put it “taking a risk”) then surely the answer would be “duh!”. It’s like pointing out that they are experiencing gravity.

        • Norman Marks
          January 5, 2021 at 2:56 PM

          David is correct

          • January 8, 2021 at 6:42 PM

            So should we take from your comment Norman, that what I have said is NOT correct? In which case, could you elucidate for us please, regarding each of my observations 1 & 2.

            • Norman Marks
              January 8, 2021 at 6:50 PM

              I agree with David that taking a risk is common English and well understood, even in Australia

              • January 8, 2021 at 7:29 PM

                I suspect that I may have something of an advantage in knowing what is understood by the word ‘risk’ in Australia, Norman. Just listening to this morning’s daily update on the pandemic by health and government officials provided all the evidence – even in a single sentence. In many but not all cases it was being used as a synonym for likelihood. The same is the case every day and that’s without reference to the news bulletins that follow. Inevitably, whatever the authorities were trying to convey is mangled, principally by virtue of the use of the word ‘risk’ which the media then further misuse to induce anxiety and fear. My point (which you seem not to contest) is that telling someone they are ‘taking a risk in crossing the road’ conveys absolutely nothing whereas the words that I suggested (see 2) tell you everything…..which is one of the great advantages of plain language. In any event, you have conceded many times in these columns and in your other writings that ‘risk’ has many meanings (hard to deny as one need only open a dictionary let alone ISO’s thousands of standards, various statutes, common law applications and daily usage). I don’t think you can have it both ways! Even in the United States.

                • January 9, 2021 at 1:38 AM

                  The above disagreement arises in part because ‘we’ talk about ‘taking risks’ which is really shorthand for ‘pursuing an objective (crossing a road) which has potential threats (getting hit by a car) and benefits (buying food)’. Perhaps this shorthand is not generally in use throughout the English speaking world?

                  • January 9, 2021 at 6:03 AM

                    David. I’m not aware of any part of the English speaking world (and I’ve visited a few) which injects those words and ideas into the statement ‘you are taking a risk’ when crossing the road. By contrast, what I said (see [2]) are unmistakable as to meaning.

  5. Bongani Mbewu
    January 4, 2021 at 6:45 PM

    Hi Norman, I read your article with interest. In my view, there are risks which organisations justifiably don’t have appetite for. Examples include fraud risk. It’s understandable that an organisation would have no appetite for fraud risk. Policies supporting this statement would state that any fraudulent act will be investigated and stern action will be taken against any person found to have defrauded the organisation.

    Is there anything wrong with that?

    • Norman Marks
      January 4, 2021 at 6:49 PM

      That’s in line with what I have said. Show how this is addressed rather than making some trite statement that we have no tolerance for fraud.

      • January 10, 2021 at 2:21 PM

        Norman, I don’t think you and Bongani can have it both ways …… if it is trite for an organisation to have no appetite/tolerance for fraud, the corollary, therefore, is that it has some appetite/tolerance for fraud, so why not say that? Such a statement is in fact true of any organisation that is exposed to fraud because otherwise it could not operate. Of course even though it is true, making such a statement is just as meaningless as the statement you label as ‘trite’ but more than that, the example again demonstrates just how pointless (and meaningless) are ‘risk appetite’ statements.

        • Norman Marks
          January 10, 2021 at 2:30 PM

          Glad to see that you agree with me that risk appetite statements (in the traditional sense) have no value.

          • John Fraser
            January 10, 2021 at 2:41 PM

            RA statements make lots of sense if you are a consultant ‘helping’ a company prepare one….

          • January 10, 2021 at 3:36 PM

            As much as I would like to, I’m not sure we do ‘agree’ Norman!! My view about risk appetite statements having no value, is not qualified as relating to ‘traditional’ forms. My view has been that whatever the form, RA statements have no value period ….. although, having now read John Fraser’s very astute (and accurate point), I will now qualify my assessment of risk appetite statements having no value, by adding ‘to the organisation for which they have been prepared’. Indeed I have to acknowledge making a bit of money myself from RA statements in the past…….by rescuing organisations that have found themselves burdened by such statements, from their clutches! I didn’t feel too bad about it though because the looks of relief as they shed the millstone was evidence of having delivered value!

  6. January 5, 2021 at 1:37 AM

    Great article. Definitely makes sense. Unfortunately most RAS are there purely as a tick box exercise for regulators and auditors. On their own they don’t really generate much discussion at Board level because they are so flaky. Which is why it doesn’t make sense to monitor against these qualitative statements. However, in defence of my CROs in the Financial Service Sector, they have tried to operationalise these statements through policies, limits and key risk indicators. These components guide management on how to take risk and what risks can be taken. This is what the Board needs to be made aware of, not whether we are red, amber or green against some very high level risk appetite statement.

  7. January 5, 2021 at 3:55 AM

    Risk appetite and tolerance – two concepts which COSO and ISO have decided to define opposite of each other. Too bad, it should not be that complicated.

  8. Anonymous
    January 5, 2021 at 5:30 AM

    A properly organized and managed Board of Directors sets parameters; management runs the organization within those parameters. In terms of risk management, Norm’s approach is correct. There is no “magic number” for Risk Appetite (and also Risk Tolerance for that matter). The key is proper and consistent, timely reporting of the organization’s risk profile.

  9. Patrick Claude
    January 6, 2021 at 6:47 AM

    Thank you, Mr. Marks and the other contributors, for this post and comments. Working for an organization that is not subject to a regulator when it comes to risk management, everything we put in place must first and foremost serve the management and the owners of the company. We can therefore ignore the vocabulary of experts and not talk about risk appetite.
    So let’s call it: Help guide for the decision-makers.
    Points to consider:
    • Aligned to strategy setting
    • Balance the requirements of various stakeholders (not just shareholders).
    • Can be presented as a “Balanced Scorecard” of Mr. Kaplan. Better, if the organization is using a balanced scorecard, integrate the elements of risk appetite into it (financial perspective, customers view, continuous improvement…).
    • Be sure that short-term and long-term views are considered
    • Broad communication of this help-guide for decision-makers in an organisation (beyond senior management) – (not highly restricted)
    • It is changing over time under the pressure of some internal and external factors. It is also dynamic: decisions made today have an impact on the decisions we will make tomorrow.
    • Measure risk materialisation versus criteria set in the help-guide (backward – losses) and risk exposure versus the criteria (forward – risk portfolio – transparency is needed).

    • Norman Marks
      January 6, 2021 at 7:05 AM

      I like this – if you can factor in the need to take risk when the reward justifies it. A help guide that stresses a careful weighing of both pros and cons would be valuable. It would be even more valuable if it had a checklist for decision-makers, including the points I make in my book about effective decision-making.

  10. January 8, 2021 at 5:02 AM

    In section 1.12 and appendix K of my book 1 (Internal Audit – an introduction http://www.internalaudit.biz) I have included some audit questions on decision making, derived from this blog (acknowledged on page 2)

    • Norman Marks
      January 8, 2021 at 6:53 AM

      Thank you

