Michael Barr, the Federal Reserve’s Vice Chair for Supervision, published his review of Silicon Valley Bank’s failure on April 28, 2023.
The report found SVB breached its own long-term interest-rate risk limits in 2022, then changed the limits instead of the balance sheet, while the chief risk officer seat sat empty for eight months.
The collapse that followed in March 2023 is the strongest case for studying risk appetite statement examples before you need them. A statement the board ignores is decoration. One with hard thresholds and named owners forces the uncomfortable conversation while there is still time to act.
| Risk Appetite Statement Examples by Sector: Key Takeaways |
| Risk appetite statement examples transfer across sectors at the structure level only. The five-level scale (averse, minimal, cautious, open, hungry) is universal; the thresholds never are. |
| Banks write the most quantitative statements: net charge-offs below 0.50% of average loans, one-day trading VaR capped at $50 million, and 50 to 100 board-level metrics per the RMA. |
| Healthcare and energy boards anchor appetite at zero: no appetite for preventable patient harm or life-altering injuries, with open appetite reserved for innovation and growth. |
| The OCC’s heightened standards (12 CFR 30, Appendix D) require covered banks to hold a written risk appetite statement; OMB Circular A-123 pushes the same discipline onto federal agencies. |
| NIST CSF 2.0 outcome GV.RM-02 expects risk appetite and tolerance to be documented, communicated, and maintained, pulling cyber appetite out of the IT department and into the boardroom. |
| Steal the format, not the numbers: pair every qualitative sentence with a metric, a threshold, and a named owner before the board signs. |
The examples below draw on published statements from real institutions and on supervisory guidance, organized across six US sectors. Each section gives you the wording, the metric that anchors it, and the regulator watching over your shoulder.
What Strong Risk Appetite Statement Examples Have in Common
Supervisors wrote the recipe years ago. The OCC’s heightened standards at 12 CFR 30, Appendix D require national banks above $50 billion in assets to keep a written statement of risk appetite with both qualitative wording and quantitative limits.
The Financial Stability Board set the same expectation globally in November 2013, and COSO defines appetite as the types and amount of risk an organization will accept in pursuit of value. ISO 31000 ties that choice to objectives, the anchor our enterprise risk management framework guide builds on.
Before borrowing any wording, separate three terms boards blur constantly. Capacity is the loss you can absorb, appetite is the risk you choose to pursue, and tolerance is the deviation you accept around it. Our comparison of risk appetite, risk tolerance, and risk capacity draws those lines in detail.
The Five-Level Scale Behind Most Risk Appetite Statement Examples
Most published statements grade each risk category on a five-level scale rather than declaring one appetite for the whole enterprise. The Institute of Risk Management popularized the ladder below, and you will see it echoed in every sector table that follows.
| Appetite level | What it signals | Example wording |
| Averse | Risk avoided wherever possible; escalation is immediate | “We have no appetite for willful regulatory breaches or sanctioned-party dealings.” |
| Minimal | Accepted only with strong controls and fast reporting | “We accept minimal privacy risk; any breach reaches the board inside 24 hours.” |
| Cautious | Accepted inside tight, monitored limits | “We accept credit losses up to 0.50% of average loans through the cycle.” |
| Open | Accepted where returns clearly justify the exposure | “We will take measured execution risk to enter two new state markets by 2028.” |
| Hungry | Actively sought for competitive advantage | “We pursue first-mover product bets ahead of proven demand, inside approved capital.” |
Chart: Typical Appetite Levels Across Risk Appetite Statement Examples
Figure 1. Indicative appetite levels by risk category, drawn from published risk appetite statement examples and IRM guidance.
Notice the shape: appetite climbs as the risk moves away from obligations and toward strategy. Compliance and life safety sit at averse in nearly every published statement, while growth and innovation carry the only open or hungry ratings.
Banking Risk Appetite Statement Examples
No sector writes tighter statements, because no sector gets graded on them as publicly. The European Central Bank publishes its supervisory risk appetite statement outright, and development lenders like the EBRD do the same, which gives drafters real text to study.
The Nordic Investment Bank shows the upkeep cadence too. Its board adopted version 9 of the bank’s risk appetite statement on May 12, 2026. Nine versions of one document is the cadence working.
| Risk category | Appetite | Example statement |
| Credit | Cautious | “Maintain consolidated net charge-offs below 0.50% of average loans through the cycle.” |
| Liquidity | Minimal | “Hold the liquidity coverage ratio at least 25% above the regulatory minimum at all times.” |
| Market | Cautious | “Cap one-day trading value-at-risk at $50 million; any breach halts new positions pending CRO review.” |
| Capital | Minimal | “Operate with a CET1 ratio at least 200 basis points above the supervisory requirement.” |
| AML and sanctions | Averse | “No appetite for AML program failures; willful violations reach the board within 48 hours.” |
| Strategic growth | Open | “Accept measured execution risk to grow digital deposits to 30% of the funding base by 2028.” |
Chart: The Board Metrics Behind Bank Risk Appetite Statement Examples
Figure 2. An illustrative split of the 50 to 100 board-level metrics the RMA finds inside most bank risk appetite statements.
The RMA Journal reports that most banks maintain roughly 50 to 100 board-level metrics inside their risk appetite statements. The hard part is keeping that number down, and pairing each one with the key risk indicators that shape risk appetite at committee level.
The averse end has a price tag. In October 2024 the DOJ, OCC, and FinCEN levied about $3.09 billion in penalties on TD Bank for Bank Secrecy Act failures, which is why AML lines read as zero appetite and why compliance risk analysis budgets keep growing.
Healthcare and Insurance Risk Appetite Statement Examples
A hospital board reads appetite through a clinical lens before a financial one. WTW’s 2025 ranking of top healthcare risks puts workforce shortages and patient safety at the head of the list, and the sector’s statements reflect that ordering.
Watch days cash on hand first if you sit on a health system finance committee. Margins are thin enough that a single payer dispute can push a small system through its financial floor.
| Risk category | Appetite | Example statement |
| Patient safety | Averse | “Zero appetite for preventable serious harm; every never event reaches the quality committee within 72 hours.” |
| Privacy and HIPAA | Minimal | “Minimal appetite for privacy risk; any breach above 500 records triggers CEO and board notice.” |
| Clinical innovation | Open | “Open appetite for new care models operating inside IRB oversight and credentialing controls.” |
| Financial resilience | Cautious | “Maintain at least 200 days cash on hand and a 3% operating margin floor.” |
| Underwriting (insurer) | Cautious | “Cap single-event probable maximum loss at 5% of policyholder surplus.” |
| Solvency (insurer) | Minimal | “Hold the risk-based capital ratio above 350%; below 400% starts a capital action plan.” |
Insurers carry an extra filing duty. The NAIC’s ORSA requirement obliges carriers writing more than $500 million in annual premium to file an Own Risk and Solvency Assessment summary, and the appetite statement anchors that document.
Wording alone will not satisfy an examiner. Our guide on how to define, document, and operationalize risk appetite covers the evidence trail, and these key risk indicator examples supply the clinical and financial metrics each line needs.
Technology and SaaS Risk Appetite Statement Examples
Speed is the asset a software board is protecting, so the statement splits sharply by category. The same company that calls itself hungry on product bets will write zero appetite next to platform availability, because churn punishes downtime faster than any regulator.
NIST raised the bar in February 2024. CSF 2.0 added a Govern function, and outcome GV.RM-02 expects risk appetite and tolerance to be established, communicated, and maintained, which moves cyber appetite from the IT department to the boardroom.
| Risk category | Appetite | Example statement |
| Platform availability | Averse | “No appetite for core-platform uptime below 99.95% in any calendar month.” |
| Cyber vulnerabilities | Minimal | “Critical vulnerabilities patched within 14 days; exceptions need CISO sign-off and an end date.” |
| Product innovation | Hungry | “We pursue first-mover product bets ahead of proven demand, capped at 15% of R&D spend.” |
| AI deployment | Cautious | “Generative AI ships to production only with human review and a model inventory entry.” |
| Third-party risk | Minimal | “Critical vendors hold SOC 2 Type II or an equivalent attestation before onboarding.” |
Anchor the cyber lines to a framework the security team already uses. Our cybersecurity risk management primer and the cyber security risk management framework guide map onto the CSF 2.0 outcomes a board will now ask about.
Set the AI line now even if usage is light. The model inventory costs little to maintain, and it gives the board a number to interrogate when a vendor embeds generative features without notice.
Energy and Manufacturing Risk Appetite Statement Examples
On a plant floor, appetite starts with bodies rather than basis points. Operators write zero appetite against fatalities and life-altering injuries first, then let financial and reliability thresholds follow.
Reliability rules carry real teeth in this sector. FERC can assess penalties of up to $1 million per day per violation for breaches of NERC reliability standards. Against that ceiling, utilities grade critical infrastructure protection at averse.
| Risk category | Appetite | Example statement |
| Workforce safety | Averse | “Zero appetite for fatalities or life-altering injuries; a TRIR above 0.6 triggers an executive stand-down review.” |
| Environmental | Minimal | “Minimal appetite for reportable releases; two in any quarter starts an independent review.” |
| NERC CIP compliance | Averse | “No appetite for willful violations of reliability or critical infrastructure protection standards.” |
| Asset reliability | Cautious | “Hold the forced outage rate below 2%; sustained breaches reopen the maintenance budget.” |
| Energy transition | Open | “Open appetite for renewable build-out inside board-approved capital and counterparty limits.” |
Treat the table as the board layer of a deeper operational risk management stack. Each appetite line should trace to entries in the risk register your site managers actually maintain.
TRIR deserves a weekly look, not a quarterly one. Safety statistics move slowly enough that a board view refreshed four times a year hides the drift a site manager can already feel.
Government, Higher Education, and Nonprofit Risk Appetite Statement Examples
Federal agencies got their marching orders in July 2016, when OMB rewrote Circular A-123 to require enterprise risk management across government. GAO’s review of agency ERM experiences treats a defined risk appetite as a marker of program maturity.
Public and nonprofit boards hold assets they do not own, which flips the framing from shareholder return to stewardship. The hardest wording choice is staying open on mission innovation while staying averse on the money.
| Risk category | Appetite | Example statement |
| Stewardship of funds | Averse | “Zero appetite for fraud, waste, or misuse of public or donor funds.” |
| Mission delivery | Cautious | “Cautious appetite for service changes that could interrupt benefit payments or core programs.” |
| Research and innovation | Open | “Open appetite for novel research conducted inside IRB and export-control boundaries.” |
| Student and citizen data | Minimal | “Minimal appetite for record exposure; incidents reach the provost or agency head within 24 hours.” |
| Reputation and donor intent | Minimal | “Minimal appetite for activities inconsistent with charitable purpose or donor restrictions.” |
Universities add a wrinkle banks never face: tenure-track researchers whose work is supposed to be risky. So the wording protects bold research and treats export controls and human-subject rules as non-negotiable.
Agencies adapting COSO will find the sequence in our guide to implementing COSO enterprise risk management. A risk-based internal audit plan then tests whether the stated appetite matches actual behavior.
How to Adapt These Risk Appetite Statement Examples for Your Board
Copying thresholds is the one guaranteed way to misuse this page. Sample risk appetite statements transfer at the level of structure, not numbers, because your capital base, margins, and regulators differ from the institutions quoted above.
Start from strategy, not from risk lists. Write one sentence per material risk category, grade it on the five-level scale, then attach a metric, a threshold, and a named owner to each line. Our board-ready guide to writing a risk appetite statement covers the drafting sequence.
Cascade before you celebrate. Each board line should translate into the key risk indicators you develop for committees and into front-line limits, with a KRI dashboard carrying breaches upward automatically.
Then make the document live. Re-approve it annually inside the risk management lifecycle, and re-open it after any acquisition, divestiture, or strategy shift, the routine our piece on risk oversight and strategic planning makes the case for.
Chart: How Organizations Use Risk Appetite Statements in Practice
Figure 3. Adoption and implementation of risk appetite statements: most organizations run one, and half blend wording with metrics.
Half of surveyed risk managers blend qualitative wording with quantitative metrics, which matches every example in this piece. The sobering number is PwC’s: only 49% of organizations say risk awareness permeates the enterprise, so the statement still has distance to travel.
For more raw wording, the original collection of risk appetite statements examples and the companion set of ten real-world risk appetite templates stack another twenty samples on top of the sector tables above. Use them as a swipe file, not a final draft.
Frequently Asked Questions About Risk Appetite Statement Examples
What should a risk appetite statement example include?
A complete example pairs a qualitative sentence with a quantitative anchor: the appetite level, the metric, the threshold, and the owner. The FSB’s 2013 principles add escalation paths, so the statement says what happens when a limit breaks. Two to three pages covers most organizations.
How do risk appetite statement examples differ by sector?
The scale stays constant while the anchors change. Banks quantify credit and liquidity, hospitals write zero appetite on patient harm, utilities lead with safety and NERC compliance, and agencies anchor on stewardship of funds. Regulation drives most of the difference, and strategy drives the rest.
Who approves a risk appetite statement, and how often should it change?
The board owns approval, usually through its risk committee, with the CRO drafting. Annual re-approval is the working norm, plus a refresh after strategy or M&A shifts. The Nordic Investment Bank sits on version 9 of its statement as of May 2026, which is that cadence done right.
Are qualitative or quantitative risk appetite statement examples better?
Use both, in one line. A qualitative sentence explains intent, and the metric beside it makes a breach undeniable. Half of surveyed risk managers already blend the two, and supervisors like the OCC expect both components in writing.
How many metrics should a risk appetite statement include?
At board level, the RMA finds most banks run 50 to 100 metrics, and smaller organizations work well with 15 to 30. Past that point the board stops reading and the statement stops working. Push the detail into committee dashboards instead.
Can a small organization use these risk appetite statement examples?
Yes, and the discipline matters more when one bad bet can sink you. Keep the five-level scale, cut the categories to the five or six risks that could actually end the organization, and hold the same annual approval rhythm. A two-page statement a small board reads beats a 20-page one it files.
Risk Appetite Statement Mistakes the Best Examples Avoid
Even precise wording fails on contact with incentives. The patterns below show up whenever a statement exists on paper but never changes a decision, and each one has a cheap fix.
| Pitfall | Root cause | Remedy |
| Copying another sector’s thresholds | Templates treated as plug-and-play | Re-derive every number from your own capital, margin, and loss history |
| Wording with no metrics attached | Drafting for comfort, not commitment | Pair every sentence with a threshold, an owner, and a reporting cadence |
| Limits quietly raised after breaches | Escalation feels like failure (the SVB pattern) | Make any limit change a documented board decision |
| Hundreds of metrics nobody reads | Every function adds its favorites | Cap the board view near the RMA’s 50 to 100; push detail to committees |
| Appetite set once and shelved | Treated as a compliance artifact | Re-approve annually and after every strategy or M&A shift |
| No cascade to daily decisions | Statement never linked to KRIs or limits | Map each line to KRIs, delegations, and front-line limits |
| Zero appetite written everywhere | Boards conflating appetite with aversion | Reserve zero for safety, fraud, and willful breaches only |
The third row deserves the closest watch. Barr’s SVB review documented limits adjusted to fit the position rather than positions adjusted to fit the limits, and that habit was visible quarters before the run.
Looking Ahead: Risk Appetite Statements Through 2027
Macro sentiment is already stress-testing board appetites. Deloitte’s CFO Survey shows the share of US finance chiefs calling it a good time to take risk fell from 59% in late 2025 to 48% in the first quarter of 2026, and statements absorb that swing through tighter strategic lines.
Washington is moving the regulatory floor too. In December 2025 the OCC proposed lifting the heightened-standards threshold from $50 billion to $700 billion in assets, which would leave formal appetite requirements binding on fewer banks and shift the discipline back to boards.
Two forces push the other way. NIST CSF 2.0 keeps spreading documented cyber appetite through procurement and insurance requirements, and the EBA’s ESG guidelines, effective January 2026, force climate into the statements of any US firm with European operations.
Expect AI appetite lines to become standard by 2027. Boards that already grade generative AI as cautious, with human review and model inventories, are simply early to the next page of the sector playbook.
Infographic: Risk Appetite Statement Examples Across Six Sectors
Figure 4. One-page summary of the sector risk appetite statement examples, from banking’s quantified limits to government’s stewardship lines.
Putting These Risk Appetite Statement Examples to Work
Risk Publishing advises chief risk officers who need a draft appetite statement turned into a board-approved framework with metrics that cascade. Read about the practice, then contact us when the next board cycle puts risk appetite on your agenda.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.