Defining Risk Appetite

Corporate governance is an ongoing process between management and the board to simultaneously create and protect enterprise value.  In order to strike the appropriate balance between creating and protecting value, management and the board consider an overall risk profile in order to develop expectations that are established by the risk appetite of the company.  The authors of this Protiviti white paper define risk appetite as acceptable parameters for risk taking opportunities that is consistent throughout the company, and reflects a mutual understanding between management’s and the board’s willingness to allow risk exposure in pursuit of core strategic objectives.  Conversely, managers see risk appetite as an impractical, one-time assessment that limits them when making decisions.  The authors conclude that even companies that adopt a theoretical notion of risk appetite are still able to articulate the risk appetite of their company based on actions made by management and the board of directors.

Initiating the Dialogue Through a Risk Appetite Statement

As management and the board interact and makes decisions, they are reflecting (whether knowingly or inadvertently) the overall risk appetite of the company.  However, are they consistent in the actions that they take?  The authors suggest that to start a conversation of having a clear policy of acceptable risk-taking, the company must align management’s execution of influencing the risk tone of the organization with the board’s strategic risk decisions.  This is best accomplished by developing a risk appetite statement.  The risk appetite statement is an aggregate summary of “assertions” that provides a basis for clarifying both risks the company is actively taking and risks that are purposely avoided.  These assertions are observations that initiate a continuous, strategic conversation between management and the board to align risk-taking with core competencies.  The risk appetite statement contains three key elements:

  1. Risks that are on-strategy (acceptable or within the risk appetite).
  2. Risks that are off-strategy (undesirable risks that are outside of risk appetite).
  1. Defined parameters (strategic, financial, and operating) to provide a framework within which risks are agreeably undertaken.

These three elements are used to develop a risk appetite statement that should be framed around the organization’s business model.  The authors proffer suggestions in framing the risk appetite statement in this context. 

The Relationship Between Risk Appetite and Risk Tolerance

Often, risk appetite is used interchangeably with risk tolerance.  Although related and similar, risk tolerance differs from appetite in one fundamental way.  Risk tolerances are a more specific subset of the risk appetite and dissect the assertions that make up the risk appetite statement.  Whereas risk appetite is considered in the context of strategic planning and objectives, risk tolerance is considered in developing tactical objectives.  That is, it addresses how much deviance from a specific objective the company is willing to allow. 

The Effect of Risk Appetite on Governance

Risks are focused on more when a company is struggling to meet targets or performance objectives, but are potentially looked over when experiencing periods of accelerated profits.  Conceptually, this is proof that risk appetite is strategically long term and dynamic rather than a single determination that rarely is assessed.  After implementing a risk appetite statement into the corporate culture, and management and the board of directors have developed a relationship of continuous conversation about existing and potential risks, the company then has the discipline to address high-level risks even when exceeding investor expectations.  The volatility in the current competitive environment demands such discipline.  As circumstances and opportunities change in the business environment, the company’s board and management should consider adapting the risk appetite to reflect those changes.  However, they should be mutually agreed upon and substantial enough to warrant altering the risk appetite statement.  A company that continuously changes parameters within their risk appetite conveys instability, lack of consistency, and short term focus to the board and investors.

Effectively Communicating Risk Appetite Using the Risk Appetite Statement

The importance between constant communication between the board of directors and management has already been discussed.  This top-down approach of communication should continue throughout the organization.  The authors present challenges with continuous, effective communication on an entity-wide basis.  Management influences the tone of risk-taking through their actions but how often do they explicitly communicate the company’s risk philosophy and to what degree?  How quickly are lower level managers and employees informed of changes in the risk appetite statement and overall risk profile?  These are critical questions for top-level executives to consider.  Communication channels should be opened and easily implemented so that all levels of the company are up to date on risk management issues.  Lower level employees tend to focus on specific limits defined in risk tolerance as opposed to the high-level strategic objectives and how they are aligned with risk-taking.  This white paper expands on this topic to consider communication to and between investors.

Maintaining the Risk Appetite Statement to Monitor Risk Profile Expectations

The authors proceed to discuss the governance process.  It is a process that creates value through strategy setting and protects value through a risk assessment process.  Developing a risk appetite falls within the scope of the risk assessment process.  The risk appetite statement is a mechanism for enhancing corporate governance by stimulating a conversation between management and the board and should be continuously reassessed.  The authors outline this iterative process in three steps:

  1. Determine the historical, inherent risk appetite of the company.
  2. Review and revise the risk appetite statement.
  1. Finalize risk appetite statement and review/modify tolerances to assure they are consistent with risk appetite.


Regardless of whether a company has a risk appetite statement, risk appetite itself is evident in any organization by observing management’s and the board’s decision to act upon, or not, an opportunity that arises.  An environment that encourages constant communication of risk-taking at all levels and between management and the board assures stakeholders that a consistent and clear enterprise risk management approach is being maintained.  Additionally, it provides a framework for the organization to select between strategic alternatives that better align with the risk appetite of the company.

Link: Protiviti Risk & Business Consulting

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2012-06-01