Key Takeaways
| # | Takeaway |
| 1 | A risk appetite statement is the board-approved document that defines the aggregate level and types of risk the organization is willing to accept in pursuit of its strategic objectives. |
| 2 | Risk appetite (how much risk you want to take) differs from risk tolerance (the acceptable variation around that target) and risk capacity (the maximum risk you can absorb before insolvency). All three must be defined. |
| 3 | COSO ERM (2017) requires risk appetite to be set in the context of strategy. ISO 31000:2018 embeds appetite within the risk criteria that guide the entire risk assessment process. |
| 4 | An effective risk appetite statement combines a qualitative narrative (the board’s philosophy) with quantitative metrics and thresholds (the measurable limits that operationalize the philosophy). |
| 5 | This guide provides eight board-ready risk appetite statement examples across strategic, financial, operational, compliance, cyber, third-party, ESG, and reputational risk categories. |
| 6 | Risk appetite must cascade: Board statement → risk category tolerances → business-unit limits → KRI thresholds → day-to-day decision-making. A statement that stays in the boardroom is decorative. |
| 7 | Review and refresh the risk appetite statement annually, after major strategic changes, and after significant risk events. Static appetite in a dynamic environment creates governance gaps. |
What Is a Risk Appetite Statement?
A risk appetite statement is the formal, board-approved document that articulates the aggregate level and types of risk the organization is prepared to accept, seek, or tolerate in pursuit of its strategic objectives.
The statement translates the board’s abstract risk philosophy into concrete, measurable boundaries that guide every risk decision across the enterprise.
The COSO ERM Framework (2017) defines risk appetite as “the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.” ISO Guide 73:2009 defines risk appetite as the “amount and type of risk that an organization is prepared to pursue, retain, or take.”
ISO 31000:2018 integrates appetite into the broader concept of “risk criteria” (Clause 6.3.4), which are used to evaluate the significance of risk.
The risk appetite statement is not optional. Without one, the organization has no benchmark against which to evaluate risk exposures.
Risk assessments produce scores, but scores mean nothing unless the board has defined what level of risk is acceptable. The statement is the bridge between strategy and risk management.
Risk Appetite vs. Risk Tolerance vs. Risk Capacity: The Three Concepts Explained
These three terms are frequently confused. They represent three distinct but related concepts that together form the risk boundaries of the organization.
| Concept | Definition | Standard Source | Analogy | Example |
| Risk Appetite | The amount and type of risk the organization is willing to accept in pursuit of its objectives; the target risk profile | COSO ERM (2017); ISO Guide 73:2009 | The speed limit you choose to drive at on the highway | The organization accepts up to $5M aggregate annual operational loss as the cost of maintaining current service levels. |
| Risk Tolerance | The acceptable variation around the risk appetite; the boundaries within which performance can fluctuate before corrective action is required | COSO ERM (2017); ISO Guide 73:2009 | The margin above and below your chosen speed before the speed alarm sounds | Operational losses may fluctuate between $3M and $7M before triggering management intervention. Losses exceeding $7M trigger board escalation. |
| Risk Capacity | The maximum amount of risk the organization can absorb before its viability, solvency, or license to operate is threatened | IRM Risk Appetite and Tolerance Guidance | The speed at which the car physically cannot maintain control | The organization’s capital reserves, insurance coverage, and liquidity buffers can absorb a maximum of $25M in aggregate losses before solvency is impaired. |
| Risk Threshold | The specific trigger point at which a KRI or risk metric breaches the tolerance band and triggers a defined escalation action | ISO 31000:2018 (risk criteria) | The exact speed at which the alarm sounds | When operational losses exceed $7M (tolerance ceiling), the CRO notifies the Board Risk Committee within 48 hours. |
The hierarchy flows: Capacity > Appetite > Tolerance > Threshold. The board must define all four. An organization that defines appetite without capacity risks accepting more risk than the balance sheet can absorb.
An organization that defines appetite without tolerance has no escalation triggers. Our detailed guide on risk appetite vs. risk tolerance provides the full framework.
The Structure of a Board-Ready Risk Appetite Statement
An effective risk appetite statement has two layers: a qualitative narrative and a quantitative framework. Both are essential.
| Component | Purpose | Content | Audience |
| 1. Strategic Context | Connects risk appetite to the organization’s strategic plan, mission, and value proposition | Summary of the strategic objectives the organization is pursuing; the risk-return tradeoffs inherent in the strategy; the competitive environment | Board; executive leadership; regulators |
| 2. Overarching Risk Philosophy | States the board’s general posture toward risk: risk-averse, risk-neutral, or risk-seeking, and under what conditions | A 2–3 sentence narrative: “The organization takes a [conservative / balanced / growth-oriented] approach to risk. We accept risk only when [conditions].” | Board; all employees (simplified version) |
| 3. Risk Category Appetite Statements | Defines appetite per risk category: strategic, financial, operational, compliance, cyber, third-party, ESG, reputational | One narrative paragraph + one quantitative metric per category; states what the organization will accept, will not accept, and the measurable boundary | Board; CRO; risk owners; auditors |
| 4. Quantitative Metrics and Tolerances | Translates the narrative appetite into measurable KRIs with Green/Amber/Red thresholds | Table with columns: Risk Category; Appetite Metric; Green (Within Appetite); Amber (Approaching Tolerance); Red (Tolerance Breach); Capacity Ceiling | CRO; risk owners; KRI dashboard |
| 5. Escalation Protocol | Defines what happens when a tolerance threshold is breached | Escalation matrix: metric breach level → who is notified → within what timeframe → what action is expected | CRO; risk owners; Board Risk Committee |
| 6. Governance and Review | Specifies who owns the statement, how often the statement is reviewed, and what triggers an ad-hoc refresh | Annual review by the Board Risk Committee; ad-hoc review after major strategic changes, M&A, regulatory changes, or significant risk events | Board Secretary; CRO |
| 7. Approval and Effective Date | Formal sign-off by the Board | Board resolution reference; effective date; next scheduled review date; version number | All stakeholders |
The statement should be no longer than 5–8 pages. Boards do not read 30-page risk appetite documents.
Lead with the philosophy, follow with the category statements and metrics, and close with governance. Attach the detailed tolerance tables and KRI specifications as appendices.
Eight Board-Ready Risk Appetite Statement Examples
Below are eight risk appetite statement examples, one per major risk category. Each example includes the qualitative narrative, the quantitative metric, and the Green/Amber/Red tolerance bands.
Customize these to your organization’s context, scale, and regulatory environment.
1. Strategic Risk Appetite
Narrative: The organization pursues measured growth through organic expansion and selective acquisitions.
We accept strategic risk when the expected return exceeds the risk-adjusted cost of capital and the initiative aligns with our five-year strategic plan.
We have zero appetite to enter markets or product lines that would require capabilities outside our core competencies without a 12-month capability-building roadmap.
| Metric | Green (Within Appetite) | Amber (Approaching Tolerance) | Red (Tolerance Breach) | Capacity Ceiling |
| Revenue concentration: largest single client as % of total revenue | ≤ 15% | 16–20% | > 20% | 30% (contractual and regulatory limit) |
| Market share change (YoY) | ≥ 0 percentage points (stable or growing) | Loss of 0.1–1.0 points | Loss > 1.0 point | Loss > 3 points triggers strategic reassessment |
| New-market entry without Board-approved business case | Zero occurrences | N/A | Any occurrence | N/A — hard limit |
2. Financial Risk Appetite
Narrative: The organization maintains a conservative financial risk posture that prioritizes liquidity, balance-sheet strength, and stable earnings.
We accept managed exposure to credit risk, interest-rate risk, and foreign-exchange risk within defined limits. We have zero appetite to leverage beyond the covenant thresholds in our credit facilities.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Days of operating cash coverage | ≥ 60 days | 45–59 days | < 45 days | < 30 days triggers liquidity-contingency plan |
| Debt covenant headroom | ≥ 25% above trigger | 15–24% | < 15% | Covenant breach = event of default |
| Adverse budget variance (actual vs. plan) | ≤ 3% | 4–7% | > 7% | 15% triggers Board re-forecast and potential restructuring |
| Single-counterparty credit exposure as % of equity | ≤ 5% | 6–8% | > 8% | 15% (regulatory large-exposure limit) |
3. Operational Risk Appetite
Narrative: The organization accepts a controlled level of operational risk as inherent to running complex business operations.
We invest in process controls, system resilience, and staff training to maintain operational losses within predictable ranges.
We have zero appetite to accept operational risks that could result in loss of life, serious injury, or complete shutdown of mission-critical services beyond the approved Maximum Tolerable Period of Disruption (MTPD).
| Metric | Green | Amber | Red | Capacity Ceiling |
| Aggregate annual operational losses | ≤ $3M | $3.1M–$5M | > $5M | $10M (insurance deductible + reserve exhaustion) |
| High-severity operational incidents per quarter | ≤ 2 | 3–4 | > 4 | Any incident causing loss of life or serious injury = zero tolerance |
| System uptime (critical systems) | ≥ 99.5% | 99.0–99.4% | < 99.0% | < 98.0% triggers DR activation |
| Business continuity exercise RTO success rate | ≥ 90% | 80–89% | < 80% | < 70% triggers immediate BCP overhaul |
4. Compliance and Regulatory Risk Appetite
Narrative: The organization has zero appetite to accept material non-compliance with applicable laws, regulations, and license conditions. We invest proactively in compliance programs, regulatory monitoring, and staff training.
Minor compliance observations identified internally and remediated within agreed timelines are within appetite. Enforcement actions, material fines, and license restrictions are outside appetite under all circumstances.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Regulatory finding closure rate (within agreed timeline) | ≥ 95% | 90–94% | < 90% | < 80% triggers Board Audit Committee emergency session |
| Regulatory change items overdue past effective date | Zero | 1–2 items | > 2 items | Any overdue item with > $1M penalty exposure = immediate escalation |
| Material regulatory fines or enforcement actions | Zero | N/A | Any occurrence | Any fine > $500K or license restriction = Board notification within 24 hours |
| Mandatory training completion rate (by deadline) | ≥ 98% | 95–97% | < 95% | < 90% triggers disciplinary process |
5. Cyber and Information Security Risk Appetite
Narrative: The organization has very low appetite to accept cyber risk that could result in unauthorized access to customer data, disruption of critical services, or material financial loss from a cyber event.
We invest in defense-in-depth, continuous monitoring, and incident-response readiness. We accept that zero cyber incidents is not achievable, but we require detection within 24 hours, containment within 4 hours, and full recovery within the approved RTO.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Critical CVEs unpatched > 30 days | ≤ 2 | 3–5 | > 5 | Any unpatched critical CVE on an internet-facing system > 7 days = zero tolerance |
| Mean time to detect threats (MTTD) | ≤ 24 hours | 25–48 hours | > 48 hours | MTTD > 72 hours = SOC capability overhaul |
| Phishing simulation click-through rate | ≤ 5% | 6–10% | > 10% | > 15% = mandatory re-training and technology-control enhancement |
| Customer data exposure events per year | Zero | N/A | Any occurrence | Any event involving > 10,000 records = Board notification + regulatory disclosure |
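The cyber tolerance table above, expressed as the kind of KRI dashboard rules that the cascade section later calls for. This is an added example, not code from the original article: the observation field names and the sample monthly observation are constructed, while the band boundaries and capacity-ceiling triggers are taken from the table. A capacity-ceiling trigger overrides the colour band, because the table treats it as a hard limit rather than a degree of Red.

```python
"""Evaluate the cyber risk appetite tolerance table as KRI dashboard rules.

Added example (not from the original article). Metric field names and the
sample observation are constructed for illustration; thresholds come from
the cyber tolerance table. A capacity-ceiling trigger overrides the band.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Severity order used to aggregate per-metric results into one status.
BAND_ORDER = {"Green": 0, "Amber": 1, "Red": 2, "Capacity": 3}


@dataclass(frozen=True)
class Kri:
    name: str
    field: str            # key in the observation dict (constructed name)
    green_max: float      # Green while value <= green_max
    amber_max: float      # Amber while green_max < value <= amber_max; equal => no Amber band
    capacity_rule: Callable[[dict], Optional[str]]  # trigger text at the hard ceiling, else None


def band_for(kri: Kri, value: float) -> str:
    """Classify a higher-is-worse metric into Green/Amber/Red."""
    if value <= kri.green_max:
        return "Green"
    if value <= kri.amber_max:   # unreachable when amber_max == green_max ("N/A" Amber)
        return "Amber"
    return "Red"


CYBER_KRIS = [
    Kri("Critical CVEs unpatched > 30 days", "critical_cves_over_30d", 2, 5,
        lambda o: "Zero tolerance: critical CVE on internet-facing system unpatched > 7 days"
        if o.get("max_internet_facing_critical_cve_age_days", 0) > 7 else None),
    Kri("Mean time to detect (hours)", "mttd_hours", 24, 48,
        lambda o: "SOC capability overhaul" if o["mttd_hours"] > 72 else None),
    Kri("Phishing simulation click-through (%)", "phishing_click_rate_pct", 5, 10,
        lambda o: "Mandatory re-training and technology-control enhancement"
        if o["phishing_click_rate_pct"] > 15 else None),
    Kri("Customer data exposure events", "data_exposure_events", 0, 0,
        lambda o: "Board notification + regulatory disclosure"
        if o.get("max_records_exposed", 0) > 10_000 else None),
]


@dataclass(frozen=True)
class Finding:
    kri: str
    value: float
    band: str
    capacity_trigger: Optional[str]


def evaluate(observation: dict) -> List[Finding]:
    """Apply every KRI rule to one observation; capacity triggers override the band."""
    findings = []
    for kri in CYBER_KRIS:
        value = observation[kri.field]
        trigger = kri.capacity_rule(observation)
        band = "Capacity" if trigger else band_for(kri, value)
        findings.append(Finding(kri.name, value, band, trigger))
    return findings


def overall_status(observation: dict) -> str:
    """Aggregate status is the worst band across metrics (Capacity > Red > Amber > Green)."""
    return max((f.band for f in evaluate(observation)), key=BAND_ORDER.__getitem__)


def escalations(observation: dict) -> List[str]:
    """Capacity-ceiling trigger texts that must be actioned, in table order."""
    return [f.capacity_trigger for f in evaluate(observation) if f.capacity_trigger]


# Constructed monthly observation for a fictional organisation.
SAMPLE = {
    "critical_cves_over_30d": 3,                      # Amber band (3-5) ...
    "max_internet_facing_critical_cve_age_days": 9,   # ... but the 7-day hard limit is breached
    "mttd_hours": 30,                                 # Amber (25-48)
    "phishing_click_rate_pct": 4.2,                   # Green (<= 5)
    "data_exposure_events": 0,                        # Green (zero)
    "max_records_exposed": 0,
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        extra = f"  -> {f.capacity_trigger}" if f.capacity_trigger else ""
        print(f"{f.band:8} {f.kri}: {f.value}{extra}")
    print("Overall:", overall_status(SAMPLE))
```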
6. Third-Party and Vendor Risk Appetite
Narrative: The organization accepts managed third-party risk as a necessary consequence of outsourcing non-core functions.
All critical and high-rated vendors must pass annual risk assessments and maintain contractual SLA commitments.
We have zero appetite to concentrate more than 40% of any critical service on a single vendor without an approved contingency plan. Fourth-party (sub-contractor) risk must be visible and assessed to at least Tier 2 depth.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Critical vendor annual assessment completion | 100% assessed on time | 1 vendor overdue | 2+ vendors overdue | Any critical vendor operating without a current assessment > 6 months |
| Vendor SLA breach rate (across all monitored vendors) | ≤ 3% | 4–7% | > 7% | > 10% triggers portfolio-wide vendor performance review |
| Single-vendor concentration (critical services) | ≤ 30% | 31–40% | > 40% | > 50% without Board-approved contingency = non-compliant |
| Fourth-party visibility (critical vendor sub-contractors assessed) | ≥ 80% | 70–79% | < 70% | < 50% = TPRM program escalation |
7. ESG and Climate Risk Appetite
Narrative: The organization integrates ESG considerations into investment decisions and operational management as a fiduciary and stakeholder responsibility.
We accept managed transition risk as part of the decarbonization pathway but have zero appetite to hold stranded assets beyond the approved divestment timeline. We maintain Board-approved diversity and governance standards.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Scope 1+2 emissions vs. annual reduction pathway | On target or ahead | 1–5% above target | > 5% above target | > 10% triggers corrective-action plan and Board notification |
| ESG rating agency score (MSCI / Sustainalytics) | Stable or improving | Score decline ≤ 1 tier | Decline > 1 tier or below investment-grade | Below investment-grade = investor-relations crisis protocol |
| Board gender/diversity ratio | ≥ 30% | 25–29% | < 25% | < 20% triggers Nominations Committee action plan |
| Stranded-asset exposure as % of total portfolio | ≤ Board-approved limit | 1–3% above limit | > 3% above limit | Divestment deadline breach = Investment Committee escalation |
8. Reputational Risk Appetite
Narrative: The organization has very low appetite to accept reputational risk. Brand trust is a core strategic asset built over decades and destroyable in hours.
We will not pursue revenue or cost savings that create material reputational risk. All decisions with potential public-facing consequences must pass a “newspaper headline” test before execution.
| Metric | Green | Amber | Red | Capacity Ceiling |
| Negative media mentions (mainstream media) per quarter | ≤ 3 | 4–8 | > 8 | Sustained negative coverage > 2 weeks = crisis-communication activation |
| Customer Net Promoter Score (NPS) | ≥ 40 | 30–39 | < 30 | NPS < 20 = Board strategic review of customer experience |
| Social media sentiment (negative % of total mentions) | ≤ 15% | 16–25% | > 25% | > 35% sustained > 1 week = crisis-communication protocol |
| Whistleblower / ethics reports per quarter | Declining or stable trend | Increase ≤ 20% QoQ | Increase > 20% QoQ | Any report alleging systemic misconduct = Board notification within 24 hours |
How to Cascade Risk Appetite From the Board to the Front Line
A risk appetite statement that lives only in the boardroom achieves nothing. The statement must cascade through four levels to influence day-to-day decisions.
| Level | Document | Content | Owner | Decision Example |
| 1. Board | Enterprise Risk Appetite Statement | Aggregate appetite philosophy + category-level qualitative and quantitative statements | Board of Directors / Risk Committee | Approve the strategic plan with full awareness of the aggregate risk profile |
| 2. Executive / CRO | Risk Tolerance Framework | Category-level tolerance bands (Green/Amber/Red) with escalation protocols; maps to KRIs | CRO / Executive Committee | Decide to invest in a new market after confirming the strategic-risk metric stays within Amber |
| 3. Business Unit | Business Unit Risk Limits | Translated tolerance into operational limits per business unit (loss limits, exposure ceilings, concentration caps) | Business Unit Head / Risk Manager | Set the maximum credit exposure to a single counterparty at $2M per the enterprise 5%-of-equity rule |
| 4. Front Line | Operational Procedures and Decision Rules | Embedded risk limits within process workflows, system controls, and decision authorities | Process Owner / Team Lead | Reject a vendor proposal that would create > 40% single-vendor concentration because the TPRM limit prohibits the arrangement |
| 5. Monitoring | KRI Dashboard | Automated, real-time monitoring of appetite metrics with threshold alerts | CRO / Risk Owners | Dashboard shows the liquidity KRI trending from Green to Amber; CFO triggers a pre-emptive cash-management review |
Each level makes the appetite more specific and more operational. Use the Three Lines Model to assign clear ownership: the first line operates within the limits, the second line monitors the limits and reports breaches, the third line assures the framework is working.
Our KRI dashboard guide shows how to configure the automated monitoring layer.
The Six-Step Process to Draft a Risk Appetite Statement
| Step | Action | Key Questions to Answer | Output |
| 1. Review the strategic plan | Understand the objectives, growth ambitions, and risk-return tradeoffs embedded in the strategy | What are the top 3 strategic objectives? What risks must the organization take to achieve them? What risks would derail the strategy? | Strategic context section of the statement |
| 2. Assess risk capacity | Quantify the maximum risk the organization can absorb: capital reserves, insurance limits, liquidity buffers, regulatory capital requirements | How much aggregate loss can the balance sheet absorb before solvency is threatened? What are the regulatory capital floors? | Risk capacity analysis (feeds the “Ceiling” column) |
| 3. Define appetite by category | Draft qualitative narrative + quantitative metric per risk category; link each to a strategic objective | How much [strategic / financial / operational / compliance / cyber / vendor / ESG / reputational] risk are we willing to accept? What metric best measures the exposure? | Category-level appetite statements and metrics |
| 4. Set tolerance bands and thresholds | Define Green/Amber/Red bands per metric; set the specific escalation trigger points | At what metric level does the risk become uncomfortable (Amber)? At what level is the tolerance breached (Red)? What action is triggered at each level? | Tolerance tables with escalation protocols |
| 5. Calibrate with stakeholders | Pressure-test the draft with the executive team, business-unit heads, internal audit, and the Board Risk Committee | Are the limits too tight (stifling operations) or too loose (permitting unacceptable risk)? Do the metrics have available data sources? Are the escalation paths realistic? | Revised draft incorporating stakeholder feedback |
| 6. Approve and communicate | Present the final statement to the Board to approve; communicate the statement to all employees; integrate into the risk management policy, KRI dashboard, and operational procedures | Has the Board formally approved the statement? Has the statement been communicated at all four cascade levels? | Board-approved risk appetite statement; communication record; integrated KRI dashboard |
The entire process takes 6–8 weeks from kickoff to Board approval. Do not rush Step 5 (calibration).
Appetite thresholds that are too tight generate constant false alerts and erode credibility. Thresholds that are too loose permit unacceptable risk accumulation. Calibrate iteratively.
Eight Pitfalls in Risk Appetite Statements
| # | Pitfall | Consequence | Fix |
| 1 | Qualitative-only statement with no quantitative metrics | “We have a moderate appetite for operational risk” is meaningless without a dollar limit, incident count, or threshold | Pair every qualitative statement with at least one measurable metric and Green/Amber/Red bands |
| 2 | Appetite defined in isolation from strategy | The risk boundaries do not reflect the risks the organization must accept to achieve its objectives; strategy and risk are disconnected | Draft the appetite statement alongside or immediately after the strategic plan; link each appetite statement to a strategic objective |
| 3 | Appetite exceeds capacity | The board approves more risk than the balance sheet, capital reserves, or insurance can absorb | Quantify risk capacity first. Appetite must sit well below the capacity ceiling with a buffer. |
| 4 | No cascade beyond the boardroom | The statement exists as a Board document but does not influence business-unit decisions, operational procedures, or KRI dashboards | Cascade through four levels: Board → Executive → Business Unit → Front Line. Embed limits into systems and workflows. |
| 5 | Static statement never refreshed | The appetite was approved three years ago and no longer reflects the current strategy, risk environment, or regulatory context | Review annually; trigger ad-hoc reviews after M&A, major incidents, strategy changes, or regulatory changes |
| 6 | Appetite set by the risk function without Board ownership | The CRO drafts the statement and the Board rubber-stamps the document without understanding or debating the thresholds | The Board must own the statement. Schedule a dedicated Board Risk Committee session to debate and approve each category. |
| 7 | Zero appetite stated across all categories | The organization claims zero appetite to every risk category, which is unrealistic and paralyzes decision-making | Zero appetite is only appropriate in narrow circumstances (material non-compliance, loss of life, fraud). All other categories require a stated, non-zero appetite. |
| 8 | No link between appetite metrics and the risk register / KRI dashboard | Appetite thresholds exist on paper but are not monitored; breaches are not detected in real time | Map each appetite metric to a KRI in the dashboard. Automate threshold alerts. Report appetite status to the Board at every meeting. |
From Draft to Board-Approved Risk Appetite Statement
| Phase | Timeline | Actions | Owner | Deliverable |
| Phase 1: Context & Capacity | Days 1–20 | Review the strategic plan and identify the risk-return tradeoffs; quantify risk capacity (capital, insurance, liquidity, regulatory floors); benchmark appetite against industry peers and regulatory expectations | CRO / CFO | Strategic context analysis; risk capacity assessment; industry benchmark summary |
| Phase 2: Draft Statement | Days 21–45 | Draft qualitative narratives per risk category; select quantitative metrics per category; define Green/Amber/Red tolerance bands; draft escalation protocols; compile the 5–8 page statement | CRO / Risk Manager | Draft risk appetite statement with tolerance tables and escalation protocols |
| Phase 3: Calibrate & Challenge | Days 46–70 | Circulate the draft to the executive team, business-unit heads, internal audit, and the Board Risk Committee; run a tabletop calibration exercise (present hypothetical scenarios and test the thresholds); incorporate feedback and revise | CRO / Board Risk Committee / Internal Audit | Calibrated draft; tabletop exercise record; stakeholder feedback log |
| Phase 4: Approve & Embed | Days 71–90 | Present the final statement to the full Board to approve; communicate the approved statement to all cascade levels; configure KRI dashboard thresholds to match the tolerance tables; integrate appetite language into the risk management policy and investment policy statement; schedule the annual review | CRO / Board / Risk Manager / IT | Board-approved statement; communication record; configured KRI dashboard; updated risk management policy; annual review calendar |
The Future of Risk Appetite Statements
Dynamic, Real-Time Appetite Monitoring. Static annual appetite reviews are giving way to continuously monitored appetite dashboards where KRI data feeds update appetite-metric status in real time.
When the liquidity coverage KRI trends from Green to Amber, the CFO is alerted immediately, not at the next quarterly review. See our KRI dashboard guide.
Scenario-Calibrated Appetite. Leading organizations are using Monte Carlo simulation and scenario analysis to stress-test their appetite thresholds before the Board approves them. Rather than setting a $5M operational-loss tolerance based on judgment alone, the CRO simulates the probability distribution of operational losses and calibrates the tolerance to the 80th or 90th percentile. This produces evidence-based thresholds rather than judgment-based guesses.
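The percentile calibration described above, as an added example that is not part of the original article. The loss model (Poisson incident frequency, lognormal severity) and every parameter value are constructed assumptions standing in for an organisation's own loss history; the 80th/90th percentile choice, the $5M judgment-based tolerance and the $10M operational capacity ceiling follow the text.

```python
"""Calibrate operational-loss tolerance bands from a simulated loss distribution.

Added example, not from the original article. Frequency/severity model and
parameters are constructed assumptions; the percentile choice, the $5M
judgment figure and the $10M capacity ceiling come from the article.
"""
import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(years: int, mean_incidents: float, median_severity: float,
                           severity_sigma: float, seed: int = 2024) -> List[float]:
    """Compound model: incidents per year ~ Poisson, each loss ~ lognormal; seeded for reproducibility."""
    rng = random.Random(seed)
    mu = math.log(median_severity)
    losses = []
    for _ in range(years):
        n = poisson(rng, mean_incidents)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(n)))
    return losses


def percentile(sorted_values: List[float], p: float) -> float:
    """Empirical percentile: smallest value with at least a share p of the sample at or below it."""
    idx = max(0, math.ceil(p * len(sorted_values) - 1e-9) - 1)
    return sorted_values[idx]


def breach_probability(losses: List[float], threshold: float) -> float:
    """Share of simulated years in which the aggregate loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def calibrate_tolerance(losses: List[float], capacity: float,
                        amber_pct: float = 0.80, red_pct: float = 0.90) -> Dict[str, float]:
    """Place Amber/Red at the chosen percentiles and check the result against risk capacity."""
    s = sorted(losses)
    amber, red = percentile(s, amber_pct), percentile(s, red_pct)
    return {
        "amber": amber,
        "red": red,
        "p_exceed_red": breach_probability(s, red),
        "p_exceed_capacity": breach_probability(s, capacity),
        "red_below_capacity": red < capacity,   # appetite must sit below the capacity ceiling
    }


CAPACITY = 10_000_000      # operational table's $10M capacity ceiling
JUDGMENT_RED = 5_000_000   # the judgment-based $5M tolerance the text mentions

if __name__ == "__main__":
    # Constructed parameters: 12 incidents/year, median loss $150k, lognormal sigma 1.0
    losses = simulate_annual_losses(10_000, 12, 150_000, 1.0)
    cal = calibrate_tolerance(losses, CAPACITY)
    print(f"Amber (p80): ${cal['amber']:,.0f}   Red (p90): ${cal['red']:,.0f}")
    print(f"P(loss > Red) = {cal['p_exceed_red']:.3f}   P(loss > capacity) = {cal['p_exceed_capacity']:.4f}")
    print(f"Judgment-based $5M Red breached in {breach_probability(losses, JUDGMENT_RED):.1%} of years")
```

Comparing the simulated breach frequency of the $5M figure with the percentile-based thresholds shows whether the judgment-based tolerance is tighter or looser than the Board intends.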
ESG and Climate Appetite as Standard Practice. Regulatory pressure from the SEC, ISSB, and the EU CSRD is making ESG risk appetite a mandatory component of the statement, not an optional add-on.
Boards must define appetite to climate transition risk, physical climate risk, and governance risk at investee companies with the same rigor they apply to financial and operational risk.
Build Your Risk Appetite Statement Today
You now have eight board-ready examples, the seven-component structure, the six-step drafting process, and a 90-day roadmap.
Frequently Asked Questions
What is a risk appetite statement example?
A risk appetite statement example is a sample statement a board can use as a starting point. This article provides eight examples across strategic, financial, operational, compliance, cyber, third-party, ESG, and reputational risk. Each example combines a qualitative narrative (“The organization accepts X level of risk because Y”) with quantitative metrics and Green/Amber/Red tolerance bands. Customize the examples to your organization’s scale, industry, and regulatory environment.
Who approves the risk appetite statement?
The Board of Directors (or Board Risk Committee with delegated authority) approves the statement. The CRO and risk function draft and calibrate the statement, but ultimate ownership sits with the Board. Board ownership ensures the statement carries the authority to influence decisions across all levels of the organization.
How often should the risk appetite statement be reviewed?
Formally at least once per year, aligned with the strategic-planning cycle and the annual risk assessment.
Trigger ad-hoc reviews after major strategic changes (M&A, market entry/exit), significant risk events (cyber breach, regulatory enforcement, market shock), and material changes in risk capacity (capital raise, insurance renewal, covenant amendment).
Can an organization have zero risk appetite?
Zero appetite is appropriate only in narrow, absolute-limit categories: material non-compliance with criminal law, loss of life or serious injury due to negligence, fraud and financial crime, and unauthorized access to customer data resulting in regulatory-reportable breach.
Stating zero appetite across all categories is unrealistic and counterproductive because every organization must accept some level of operational, financial, and strategic risk to function. Zero-appetite statements outside genuine absolute limits create a culture where every risk is escalated and no risk is managed.
How does risk appetite connect to the risk register?
The risk appetite statement defines the benchmark. The risk register records the actual risk exposures. Risks rated above the appetite threshold (the Red band) must have mandatory treatment actions with named owners and due dates.
Risks within the Green band can be accepted with routine monitoring. The KRI dashboard monitors appetite metrics in real time and triggers escalation when thresholds are breached. Together, the appetite statement, the risk register, and the KRI dashboard form a closed-loop risk governance system.
References
1. COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017)
2. ISO 31000:2018 – Risk Management Guidelines
3. ISO Guide 73:2009 – Risk Management Vocabulary
4. IIA Three Lines Model (2020)
5. IRM – Risk Appetite and Tolerance Guidance Paper
6. NIST Cybersecurity Framework 2.0
7. SEC Climate-Related Disclosures
8. IFRS / ISSB Sustainability Standards
9. EU CSRD
10. ISO 22301:2019 – Business Continuity Management
11. PMI PMBOK Guide

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
