.png)
From Approval to Impact: Repositioning Risk Appetite as a Board Tool
- Julien Haye
- Jul 26
- 17 min read
Updated: Aug 30
Why Risk Appetite Still Fails to Deliver
Risk appetite remains one of the most widely discussed yet poorly embedded concepts in enterprise risk management. Across industries, organisations continue to define it in policy documents, approve it at board level, and revisit it only after a breach or audit finding. Yet in practice, it often fails to guide decisions, shape trade-offs, or inform timely escalation.
In his book Thinking, Fast and Slow, Nobel laureate Daniel Kahneman explains how even robust frameworks can be undermined by how people actually make decisions. Under pressure or uncertainty, intuitive reactions often override structured thinking. Risk appetite, no matter how clearly stated, can be sidelined when instinct, bias, or political dynamics take over. This reflects a challenge of integration rather than intent.
This article presents a more effective approach. One that treats risk appetite as a strategic enabler rather than yet another risk management document. When well embedded, it provides leadership with a shared reference point for balancing ambition, capacity, and constraint. It supports timely decisions, stronger alignment, and organisational resilience.
At Aevitium LTD, we use a principle-based framework to help organisations embed risk appetite in ways that are scalable, practical, and outcome-focused. This article introduces that framework through a set of 12 guiding principles, supported by practical recommendations, governance roles, and emerging tools such as AI.
Whether you are a board director seeking stronger oversight, an executive leading transformation, or a CRO aligning risk with strategy, this guide is designed to help you turn risk appetite from theory into action.
TABLE OF CONTENTS
Risk Appetite, Tolerance, and Capacity: Clarifying the Core
Before designing an effective risk appetite framework, it is essential to clarify three foundational concepts that are often misunderstood or used interchangeably: risk appetite, risk tolerance, and risk capacity. While closely related, each plays a distinct and critical role in shaping how organisations manage risk in pursuit of their strategic objectives.
An effective risk appetite framework is a direct extension of the organisation’s risk strategy. Risk strategy defines how the organisation approaches uncertainty, prioritises risks, and balances ambition with protection. Risk appetite translates that intent into actionable boundaries that guide decision-making and resource allocation.
The appetite framework serves as a practical link between high-level risk principles and operational decisions. It ensures that strategy is implemented within well-understood limits, and that those limits reflect both ambition and capacity and aligned with business objectives.
Where risk strategy sets the direction, risk appetite sets the pace, scope, and depth of risk-taking in pursuit of strategic goals. Together, they help shape a consistent approach to risk—one that aligns leadership intent with day-to-day delivery.
🔹 Risk Appetite – What We Want to Take On
Risk appetite defines the amount and type of risk an organisation is willing to pursue or retain in the pursuit of its strategic goals. It reflects intent and acceptable level of risk. Appetite is shaped by the organisation’s purpose, business model, and leadership mindset.
Example: A digital bank with a growth strategy focused on rapid customer acquisition may have a higher risk appetite for credit or onboarding fraud than a traditional retail bank, provided controls and losses remain within defined expectations.
🔸 Risk Tolerance – What Variability We’ll Accept
Risk tolerance refers to the level of variation around appetite that an organisation is prepared to withstand before action must be taken. It is the buffer zone, the acceptable stretch within which normal fluctuations in risk exposure are allowed without triggering formal escalation.
Example 1: If the appetite for third-party cybersecurity risk is “low,” the tolerance might still allow for minor exceptions on specific supplier onboarding cases, provided certain controls are in place and exposure remains under predefined thresholds.
Example 2: If the appetite for investment risk is “high” at an asset manager, the tolerance for passive investment guideline breach, ie. the breaches triggered by market fluctuations, might still allow for minor exceptions to cater for market movements, provided certain controls are in place and exposure remains under predefined thresholds.
🔺 Risk Capacity – What We Can Afford to Bear
Risk capacity is the organisation’s absolute limit. It represents the maximum level of risk it can carry without jeopardising its financial viability, regulatory standing, or operational integrity. This is grounded in tangible constraints including capital, liquidity, funding, or technical capabilities.
Example: A global insurer may want to underwrite catastrophe risks (appetite) and may allow some loss volatility (tolerance), but its actual capacity will be defined by solvency rules, reinsurance coverage, and internal capital models.
🔄 How They Interact: A Strategic Continuum
One helpful way to visualise the relationship is through a continuum or layered threshold model.
Alternatively, think of nested circles:
At the centre: Risk appetite defines the preferred zone for decision-making.
Around that: Risk tolerance marks the range of acceptable variation.
The outer boundary: Risk capacity sets the absolute red line.
This layered view highlights a critical insight: your risk appetite must sit comfortably within your risk capacity. Your tolerances must be specific enough to signal when decisions or exposures are drifting toward the edges.
⚠️ Why This Distinction Is Foundational
In our fieldwork, we have observed that organisations tend to blur or oversimplify these terms. Very often the notion of risk capacity is not covered at all.
As a result, the risk appetite framework loses credibility and does not get embedded.
Decision-makers do not know when to escalate or intervene.
Boards approve risks without understanding if they are near critical limits or what they mean from a strategic stand-point.
Culture defaults to risk aversion or unmanaged risk-taking.
Clarity ensures that risk is taken intentionally, monitored effectively, and aligned to strategic priorities. It also creates the groundwork for meaningful thresholds, escalation protocols, and performance metrics all of which are explored in the guiding principles that follow.
Risk Appetite in Strategy Setting
Risk appetite plays a critical role in shaping strategic direction. It defines the boundaries within which the organisation is willing to operate, helping leaders select, prioritise, and pace strategic initiatives. When clearly articulated, appetite provides a shared reference point for evaluating opportunity, managing uncertainty, and deploying resources with confidence. It is also critical for orderly wind-down planning.
In practice, appetite informs trade-offs across a range of strategic decisions:
1. Growth and innovation
Appetite influences the level of investment in new markets, products, or technologies. A higher appetite for innovation risk may support early-stage experimentation, while a more cautious stance will favour proven models and incremental change.
2. Market positioning
Appetite helps define how aggressively the organisation competes, enters new geographies, or exits declining segments. It ensures that ambition remains aligned with financial capacity, operational readiness, and reputational considerations.
3. Portfolio and resource allocation
Appetite guides decisions on capital deployment, transformation priorities, and risk-weighted returns. It enables a more disciplined approach to balancing short-term performance with long-term sustainability.
4. Strategic resilience
Appetite for uncertainty, complexity, and disruption helps shape decisions on diversification, redundancy, and contingency planning. It supports proactive risk management in the face of change.
Organisations increasingly recognise the strategic importance of risk appetite. However, unlocking its full potential requires deliberate integration into business planning and decision-making processes. When appetite is actively referenced, linked to priorities, and supported by operational levers, it becomes a powerful enabler of strategy execution.
Several conditions support effective integration:
Alignment of timing between strategy cycles and appetite reviews
Shared ownership across risk, finance, and business leadership
Clear connections between appetite statements and business levers such as investment thresholds, product development, or innovation risk
Specific and relevant articulation of appetite that reflects actual trade-offs and decision scenarios
Embedding appetite early in strategic planning creates stronger alignment between ambition and execution. It encourages thoughtful resource allocation, sharper prioritisation, and better-informed transformation. By positioning appetite as a planning input, rather than a retrospective control, organisations can strengthen performance and resilience at the same time.
Strategic Themes That Shape an Effective Framework
Risk appetite is a core component of an integrated Enterprise Risk Management (ERM) approach. While ERM provides the structure for identifying, assessing, and managing risk, risk appetite defines how much risk the organisation is prepared to accept in pursuit of its strategic objectives. It serves as a reference point for connecting risk identification to business decision-making.
Within the ERM framework, appetite enables prioritisation, informs resource allocation, and establishes clear thresholds for action. It also links risk exposure to performance management, capital planning, and assurance processes. When integrated effectively, appetite transforms ERM into a tool for proactive decision support, rather than passive oversight.
An effective appetite framework is embedded across governance, culture, and execution. It is not an isolated document, but a mechanism that shapes behaviours, trade-offs, and leadership judgement. Based on our work with boards and executive teams, we have identified six strategic themes that help organisations apply appetite in a way that supports business delivery and resilience.
These themes provide practical context for the 12 guiding principles that follow, and ensure appetite is applied not just in theory, but in how the organisation operates: strategically, culturally, and operationally.
📍 Strategic Alignment
A risk appetite framework must reflect the organisation’s purpose, business model, and long-term strategic goals. Without this alignment, friction often emerges between business ambition and control, or between leadership vision and operational delivery. This theme ensures that risk-taking remains intentional and clearly linked to strategy. In our experience, many organisations struggle to articulate risk appetite within this context, resulting in frameworks that lack a clear strategic anchor. This weakens usability and, in some cases, may lead to appetite statements that support decisions misaligned with the organisation’s strategic objectives.
🏛 Governance & Accountability
Appetite needs clear ownership at all levels. Boards must challenge and approve appetite statements. Executives must translate them into strategy and policy. Risk teams must monitor and escalate breaches. Without defined roles and accountabilities, risk appetite becomes a statement of intent, not a basis for decision.
⚙️ Operationalisation & Integration
For appetite to influence real decisions, it must be embedded into the day-to-day workings of the business: product approvals, investment decisions, change programmes, and front-line controls. This theme focuses on integration with planning, reporting, thresholds, and escalation pathways turning principle into practice.
💥 Resilience and Capacity
An organisation’s ability to take risk is not just about ambition; it is about what it can absorb. Appetite must be bounded by capacity whether financial, operational, or regulatory. This theme also considers how appetite supports resilience, including scenario planning and dynamic adjustment when external conditions shift.
🧭 Culture and Behaviour
Even the best-designed framework will fail if the organisation’s risk culture is misaligned. Appetite must reflect not just what leadership says, but what people actually do. This theme focuses on behavioural signals, incentives, speaking up, and psychological safety ensuring appetite is reinforced through culture, not contradicted by it.
If you're curious how your leadership environment supports or constrains risk visibility, try the Leadership Behaviour Insight Assessment. It’s designed to help you reflect on the behaviours that shape risk culture and psychological safety in practice.
🔄 Adaptiveness and Monitoring
Risk appetite is not static. It must be responsive to shifts in strategic direction, risk environment, and internal learning. This theme covers the mechanisms for reviewing, refreshing, and monitoring appetite, including KRIs, dashboards, and post-incident reviews. A living framework enables both agility and accountability.
These six themes form the foundation of a risk appetite framework that is well-constructed, actively applied, and fully aligned with the organisation’s strategy, decision-making processes, capacity, and culture. The following section introduces 12 guiding principles that bring this structure to life.
The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.
The 12 Guiding Principles for an Effective Risk Appetite Framework
These principles are part of the Aevitium LTD's Risk Governance Principles Library, a structured framework developed to support effective and scalable integrated risk management across complex organisations. Within this library, the principles for risk strategy, appetite, and tolerance are part of the Core Governance Layer. This layer provides foundational guidance that applies across all risk domains and underpins how policies, frameworks, and standards are designed and governed.
At Aevitium LTD, these principles also inform our consulting work. We apply them when rolling out the Integrated Risk Framework, and use them to assess the design, integration, and maturity of our clients’ risk management capabilities. This approach is currently in use with an asset management client to align their risk appetite with strategic objectives and operational capacity.
Anchor in Strategy and Purpose: Appetite must reflect what the organisation is trying to achieve.
Clarify Appetite, Tolerance, and Capacity: Define what you want to take on, can accept, and must not exceed.
Prioritise Material Risks: Focus on what truly matters.
Set Clear, Actionable Statements: Appetite must be both meaningful and usable.
Embed Across Governance and Decision-Making: Appetite should influence real decisions, not sit in isolation.
Adapt to Risk Type Characteristics: Not all risks are equal; treat them accordingly.
Communicate by Audience: Different stakeholders need different levels of detail.
Link to Policies and Standards: Make appetite real by embedding it in controls and procedures.
Enable Monitoring and Escalation: Track exposure, act on breaches, and escalate with purpose.
Evolve with Context and Learning: Risk appetite is not static; it should evolve.
Reinforce Culture and Behaviour: Risk appetite must influence how people act and decide.
Connect to Performance and Incentives: Align rewards with responsible risk-taking.
Bringing It to Life: Common Gaps and Practical Recommendations
An effective risk appetite framework is one that shapes decisions, supports governance, and informs how resources are deployed. To achieve this, appetite must be clearly connected to practice and regularly reinforced through ownership and leadership engagement.
In our work with clients, we often observe a few recurring challenges that limit the practical impact of appetite frameworks.
⚠️ Common Gaps
Appetite not linked to defined limits: Risk appetite is sometimes expressed in general terms but lacks connection to specific metrics, KRIs, or control limits. This makes it harder for teams to understand how to respond to changing risk exposure.
Appetite not regularly revisited by the board: Some frameworks are approved but not routinely reviewed. Without ongoing alignment to strategic shifts or emerging risks, appetite can lose relevance and clarity.
Inconsistent signals between appetite and culture: Organisations may promote prudent risk-taking at the leadership level, but everyday decisions and incentives do not always reflect that. A consistent message across all levels reinforces credibility and commitment.
✅ Practical Recommendations
Link appetite to capital planning and decision-making: Integrate appetite into business planning, investment allocation, and transformation oversight. This ensures that risk-taking aligns with available capacity and strategic ambition.
Define clear escalation protocols with accountable ownership: Establish specific thresholds and response pathways for when exposure approaches or exceeds defined limits. Ownership at the right level enables timely and effective action.
Incorporate appetite into performance management: Use appetite-related behaviours and outcomes in performance evaluations and incentive design. This helps embed risk awareness into leadership, delivery, and operational culture.
Roles and Responsibilities in Risk Appetite Governance
A well-defined risk appetite framework depends not only on clarity of intent, but also on clarity of ownership. Each group across the organisation plays a distinct role in setting, applying, and maintaining risk appetite. For risk managers, enabling this alignment is central to ensuring that appetite is not just documented but actively used. This section outlines the core responsibilities across governance layers, helping risk teams support integration, consistency, and accountability in practice.
Board of Directors
Approve the organisation’s overall risk appetite
Ensure appetite aligns with purpose, strategy, and long-term objectives
Provide challenge and oversight over material risk-taking decisions
Review appetite in response to strategic shifts or breaches
Executive Management
Translate board-approved appetite into business planning and execution
Allocate resources in line with risk appetite and capacity
Monitor exposure levels across the organisation and initiate corrective action when needed
Ensure appetite is integrated into transformation, investment, and product decisions
Chief Risk Officer (CRO)
Lead the development and review of risk appetite statements
Ensure appetite reflects internal capacity, external context, and strategic ambition
Provide independent oversight and challenge
Report breaches and emerging concerns to executive and board governance forums
Risk Function
Develop metrics, KRIs, and thresholds aligned to risk appetite
Support risk owners in applying appetite across processes and functions
Monitor exposures against limits and support escalation protocols
Coordinate periodic review and calibration based on internal and external drivers
Business and Functional Leaders
Make decisions within defined appetite and tolerance levels
Own risk-taking within their areas and escalate deviations promptly
Incorporate appetite into planning, delivery, and operational controls
Participate in the development and refinement of risk appetite statements
Internal Audit
Provide independent assurance over the design and effectiveness of the risk appetite framework
Assess how well appetite is embedded in governance, controls, and decision-making
Identify gaps between stated appetite and observed behaviours or exposures
Establishing the Framework and Setting the Appetite Level
Designing a risk appetite framework is not just a policy exercise. It is a structured process that brings together strategic intent, business priorities, risk capacity, and operational insight. When approached systematically, it helps organisations clarify how much risk they are prepared to take, where trade-offs need to be made, and how those boundaries will be monitored and enforced.
The following steps provide a practical pathway for establishing an effective framework and setting appropriate appetite levels.
1. Align to Purpose and Strategy
Begin by anchoring the framework in the organisation’s strategic goals, business model, and long-term purpose. Appetite should support value creation, transformation, and innovation—while remaining grounded in what the organisation is set up to deliver.
2. Understand Risk Capacity
Assess the organisation’s financial, operational, and regulatory capacity to absorb risk. This includes capital adequacy, liquidity, resilience thresholds, and other constraints. Appetite must operate within these limits and reflect what is realistically sustainable.
3. Define Appetite by Risk Type
Tailor appetite statements for the risks that matter most—such as strategic, operational, financial, conduct, and compliance risks. Use categories that align with your risk taxonomy and ensure each statement reflects the specific nature of the risk.
4. Engage Stakeholders Across the Business
Collaborate with business leaders, functional heads, finance, and compliance teams to set appetite levels that are both ambitious and practical. Engagement builds ownership and ensures that appetite reflects how the business actually operates.
5. Use Both Qualitative and Quantitative Measures
Combine narrative expressions of intent with measurable thresholds. Qualitative statements help guide behaviour and judgement. Quantitative indicators, such as KRIs and limits, make appetite actionable and trackable.
6. Set Escalation Thresholds and Triggers
Define clear thresholds for when risk exposure requires attention or intervention. Establish who owns the response, how it will be managed, and how it links to governance forums. Escalation should support reflection, not just compliance.
7. Validate Through Scenarios and Stress Testing
Test appetite statements against realistic scenarios, emerging risks, and historical incidents. This step helps identify gaps, confirm assumptions, and improve readiness before the framework is finalised.
8. Formalise and Cascade
Once appetite levels are set, gain formal approval through risk governance committees and the board. Embed the framework into policies, planning processes, investment criteria, and transformation oversight. Provide guidance and tools to help teams apply appetite at operational level.
Evolving Your Framework with Context and Learning
A strong risk appetite framework reflects the current realities of the organisation and the environment in which it operates. To remain effective, it must adapt as those conditions evolve. Appetite should be reviewed regularly and refined in response to internal insights and external changes.
Strategic shifts, new business models, regulatory developments, and macroeconomic changes all present opportunities to revisit and adjust appetite. Regular reviews allow organisations to stay aligned with their objectives and maintain clarity on what risks are desirable, acceptable, and sustainable.
Internal events such as risk incidents, audit findings, and operational near misses also provide valuable input. Lessons learned from these events can reveal blind spots, test assumptions, and highlight where appetite statements need to be clearer or more actionable.
External feedback, including supervisory expectations, peer benchmarking, and industry developments, adds another layer of insight. Using these signals to calibrate appetite helps ensure continued alignment with market context and regulatory standards.
Embedding a review rhythm (quarterly at executive level, annually at board level, and after major events) supports a living framework that grows with the business. This approach fosters resilience, reinforces accountability, and ensures that appetite remains a practical guide for both strategic and operational decision-making.
Risk Appetite Review Triggers and Likely Impacts
Trigger | Description | Likely Impact on Risk Appetite |
Strategic change | New business model, market entry, exit from a segment, M&A, or restructuring | Appetite may need to be expanded in some areas (e.g. growth, investment risk) and tightened in others (e.g. operational complexity, integration risk) |
Capital or resource constraint | Reduced capacity due to financial performance, liquidity pressure, or budget cuts | Appetite may need to be reduced to reflect lower risk-bearing capacity, especially for large-scale initiatives or high-volatility areas |
Significant risk event or near miss | Internal incident, external failure, or systemic issue impacting the organisation or sector | Appetite may be refined for specific risk types (e.g. conduct, cyber, third-party) with clearer tolerances and escalation thresholds |
Regulatory or supervisory feedback | Findings from inspections, thematic reviews, or changing regulatory expectations | Appetite statements may be revised to ensure alignment with regulatory risk focus, governance expectations, or emerging compliance obligations |
Audit or assurance findings | Internal audit or control reviews highlighting weaknesses in risk management, controls, or execution | Appetite may shift to emphasise tighter controls or more cautious tolerance levels, particularly where gaps were previously underestimated |
Market or economic environment shift | Volatility in financial markets, geopolitical instability, or macroeconomic stress | Appetite may be adjusted to reflect greater uncertainty, with increased attention to liquidity, credit, and business continuity risks |
Reputational sensitivity or stakeholder pressure | External scrutiny from media, investors, or clients impacting risk tolerance in sensitive areas | Appetite may narrow in areas such as ESG, conduct, or third-party risk to protect trust and brand integrity |
Appetite breach or tolerance threshold exceeded | Formal trigger for review following breach of appetite statement or KRI threshold | Framework may be revised to improve clarity, strengthen escalation, or recalibrate limits where assumptions were exceeded or ineffective |
Enhancing the Framework with AI: From Static Limits to Insight-Driven Governance
As organisations navigate increasing complexity, volume of data, and speed of change, traditional risk appetite frameworks can struggle to keep pace. AI technologies offer new capabilities to improve how appetite is set, monitored, and adapted helping shift from static thresholds to dynamic, insight-driven governance.
When applied thoughtfully, AI can support a more responsive, contextual, and actionable risk appetite framework. It enables earlier detection of emerging risks, stronger alignment with operational reality, and more consistent decision-making across the business.
1. Calibrating Appetite with Better Risk Intelligence
AI can analyse internal and external data to inform the setting of appetite levels. It can benchmark exposure trends across business units, assess correlations between risk events and outcomes, and provide evidence-based inputs to tolerance ranges. This supports more precise and defensible appetite calibration.
2. Strengthening Monitoring with Early Warning Signals
AI models can detect anomalies, trend shifts, and emerging issues before traditional dashboards flag a breach. By integrating structured and unstructured data including emails, market data, complaints, or third-party signals, AI enhances foresight and enables timely intervention.
3. Supporting Scenario Analysis and Stress Testing
AI can generate realistic, data-rich scenarios that test how different appetite settings would respond under stress. This helps validate thresholds, improve resilience planning, and support more meaningful discussions with executive teams and the board.
4. Translating Appetite into Operational Guidance
Generative AI tools can help frontline teams interpret and apply appetite in context. This includes generating tailored decision prompts, suggesting escalation actions, or translating high-level appetite statements into scenario-specific guidance.
5. Enabling Continuous Review and Governance
AI can streamline governance by automating data aggregation, surfacing themes across breaches and near misses, and recommending adjustments to appetite statements based on evolving patterns. This enables a living framework that grows with the business.
AI should not replace judgement or governance, but it can significantly improve visibility, timeliness, and consistency. When integrated into the risk appetite framework, it supports a more agile and responsive approach to managing risk—one that strengthens execution, enhances resilience, and empowers informed risk-taking across the organisation.
Conclusion: Appetite as a Strategic Capability
A well-structured risk appetite framework empowers leaders to make confident, informed decisions that align with the organisation’s goals, values, and capacity. It provides clarity on how much risk can be taken in pursuit of strategic objectives and ensures that those boundaries support sustainable performance and long-term value creation.
Risk appetite connects ambition with execution. It supports strategic planning, enables effective governance, and fosters a culture of accountability and informed risk-taking across all levels of the organisation.
The 12 guiding principles introduced in this article provide a practical foundation for strengthening and embedding risk appetite as part of everyday decision-making. They support alignment between leadership intent, operational delivery, and the organisation’s ability to adapt and grow.
This is an opportunity to view your current framework through a strategic lens:
Ensure alignment with purpose and priorities
Reinforce ownership and visibility across teams
Build confidence in how risks are assessed, escalated, and acted upon
When embedded effectively, risk appetite becomes a source of strength. It enhances resilience, supports transformation, and enables leaders to pursue opportunities with clarity and conviction.
About the Author: Julien Haye
Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.
