Risk Management

Risk Appetite: The Governance Concept Most Boards Get Wrong

Kamran Iqbal, CIA, CISA, CFE, CRMA | May 2026 | 7 min read
Risk appetite is one of the most important governance concepts in modern enterprise risk management — and one of the most consistently misapplied. When a board approves a risk appetite statement that consists of generic aspirations and vague qualitative language, it has completed a compliance exercise without gaining any of the governance value the concept is designed to provide. Understanding what a genuine risk appetite framework looks like is the starting point for using it effectively.

What Risk Appetite Actually Is

Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives. It is a deliberate governance choice — a statement by the board and senior management about where the organisation is prepared to take risk, how much exposure it will tolerate in different risk categories, and where it draws the line.

This is fundamentally different from risk capacity, which is the maximum level of risk an organisation can absorb before it suffers existential consequences. Risk appetite sits below risk capacity — it is the level of risk the organisation chooses to accept, not the level it could theoretically survive.

Risk appetite is also different from risk tolerance, which describes the acceptable variation around the risk appetite level in specific situations. An organisation with a low appetite for regulatory risk might have a tolerance for occasional minor compliance variances while maintaining zero tolerance for material regulatory breaches.

Why Most Risk Appetite Statements Fail

The typical board-approved risk appetite statement reads something like: "The organisation has a moderate appetite for strategic risk, a low appetite for compliance and regulatory risk, a moderate appetite for operational risk, and a low appetite for reputational risk." This statement is technically complete in terms of format but provides no practical governance guidance.

What does "moderate appetite for strategic risk" mean in practice? Does it mean the organisation will pursue acquisitions in new markets? Invest in unproven technology? Accept three-year payback periods on major capital investments? Without specific, measurable definitions, no one can tell whether a proposed strategy, transaction, or operational decision falls within or outside the risk appetite.

The result is that risk appetite statements become filing cabinet documents — produced because governance frameworks require them, reviewed occasionally, but never actually used to inform decisions at the business level.

What an Effective Risk Appetite Framework Looks Like

An effective risk appetite framework translates board-level risk tolerance into operational decision-making parameters at every level of the organisation. This requires several elements working together.

Quantified appetite statements: Where possible, risk appetite should be expressed in measurable terms. "We are prepared to accept financial losses from operational risk events of up to X% of revenue before escalation to the board" is a usable governance statement. "We have a moderate appetite for operational risk" is not.

Risk category granularity: High-level categories like "operational risk" or "strategic risk" are too broad to drive decisions. Effective frameworks break these down into specific risk types — for example, distinguishing between supply chain risk, people risk, and process failure risk within the operational category — each with its own appetite statement.

Cascade to operational limits: Risk appetite must translate into specific decision-making authorities, transaction limits, concentration limits, and escalation thresholds at the business unit and process level. Without this cascade, the board-level appetite statement has no connection to day-to-day decision-making.

Risk appetite is not a strategy document for the boardroom. It is a governance mechanism designed to shape thousands of daily decisions across the organisation. If it does not reach those decisions, it is not working.

The Internal Audit Role

Internal audit has an important role in assessing whether the organisation's risk appetite framework is functioning as designed. This means examining whether the risk appetite is clearly defined and communicated, whether decision-making processes at the business level actually reference appetite thresholds, whether limit breaches are identified and escalated appropriately, and whether the board is receiving reliable information about the organisation's actual risk position relative to its stated appetite. Audit findings in this area tend to be consequential — they go to the heart of how well the board is exercising its governance function.
