10+ Real-World Examples Across US Sectors with Board-Ready Language, Quantitative Boundaries, and a Framework Template
Why Most Risk Appetite Statements Fail Before They Start
Here is a test. Pull up your organization’s risk appetite statement right now. If it says something like “we have a moderate appetite for risk” and nothing else, you have a problem. That statement tells nobody anything.
It does not tell your CFO whether a 7% revenue variance is acceptable. It does not tell your CISO how many unpatched critical vulnerabilities trigger an escalation. It does not help your board decide whether to approve that acquisition.
The Financial Stability Board’s Principles for an Effective Risk Appetite Framework is clear on what good looks like: a risk appetite statement should establish quantitative measures that can be aggregated and disaggregated, expressed in terms of earnings, capital, liquidity-at-risk, or other appropriate metrics, complemented by qualitative statements that set the overall tone for risk-taking.
Yet most organizations still rely on vague, qualitative-only statements that cannot be operationalized, monitored, or audited.
This guide gives you 12 sector-specific, board-ready risk appetite statement examples that combine qualitative language with quantitative boundaries.
Each example is structured so you can adapt it to your organization’s context, connect it to key risk indicators (KRIs) for ongoing monitoring, and present it to your board with confidence. The approach aligns with ISO 31000:2018 risk criteria requirements and COSO ERM performance monitoring standards.
The Anatomy of a Risk Appetite Statement That Works
Before we look at examples, let’s define the structural elements every effective risk appetite statement must contain.
The GARP risk appetite methodology describes six steps to articulate risk appetite: methodology, appetite statements, KRI alignment, threshold-setting, issue management, and monitoring dashboards. Your risk appetite statement is step two in this chain, but it must be designed to support all subsequent steps.
| Element | What It Does | Example Language |
| --- | --- | --- |
| Risk category | Identifies the specific domain of risk being addressed (financial, operational, compliance, strategic, reputational, cyber) | “Credit Risk” or “Cybersecurity Risk” or “Regulatory Compliance Risk” |
| Qualitative posture | States the board’s overall attitude toward this risk category using consistent language (zero, low, moderate, high, aggressive) | “The Board has a low appetite for credit losses exceeding historical norms…” |
| Quantitative boundary | Translates the qualitative posture into a measurable threshold or range that can be monitored via KRIs | “…and will not accept annual net charge-offs exceeding 1.5% of total loan portfolio” |
| Tolerance range | Defines the acceptable variation before escalation is required; creates the amber/red threshold system | “A charge-off rate between 1.0% and 1.5% triggers enhanced monitoring; above 1.5% requires board notification within 48 hours” |
| Strategic rationale | Explains why this appetite level supports the organization’s strategic objectives | “This appetite supports our strategic objective of sustainable portfolio growth while maintaining investment-grade credit quality” |
| Linked KRI | Identifies the specific metric that will be monitored on the KRI dashboard to track adherence | “Monitored via: Net charge-off rate (monthly), 90-day delinquency rate (weekly), concentration by sector (quarterly)” |
The critical insight is that each element must be present. A qualitative statement without a quantitative boundary is a philosophy, not a governance tool.
A quantitative boundary without a linked KRI is a number nobody monitors. For guidance on building the KRI monitoring layer, see our step-by-step guide to setting KRI thresholds and our KRI dashboard tutorial.
Risk Appetite vs. Risk Tolerance vs. Risk Capacity: Getting the Definitions Right
Before writing statements, your organization needs consistent terminology. Confusion between appetite, tolerance, and capacity is one of the most common reasons risk appetite frameworks fail. Here is how these three concepts relate to each other:
| Concept | Definition | Analogy |
| --- | --- | --- |
| Risk capacity | The absolute maximum risk an organization can absorb before existential damage. Determined by capital reserves, liquidity, regulatory minimums, and operational resilience | The structural load limit of a bridge: the maximum weight it can physically bear before failure |
| Risk appetite | The amount and type of risk the board is willing to accept in pursuit of strategic objectives. Always sits below risk capacity. Expressed in the risk appetite statement | The posted weight limit on the bridge: the safe operating load the authorities allow, well below structural failure |
| Risk tolerance | The acceptable variation around the risk appetite target before escalation is required. Defines the green/amber/red boundaries on your KRI dashboard | The margin between the posted limit and the alarm that sounds when a truck exceeds it: how much deviation triggers a response |
Your enterprise risk management framework should define these terms in a risk taxonomy that is used consistently across all documentation, reporting, and training. The examples below include all three layers where appropriate.
12 Risk Appetite Statement Examples Across US Sectors
Each example below provides the full statement structure: qualitative posture, quantitative boundary, tolerance range, and linked KRIs. Adapt the specific thresholds to your organization’s data and risk profile.
1. Commercial Banking: Credit Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board maintains a moderate appetite for credit risk, accepting measured credit losses as an inherent cost of lending in support of our community banking mission and sustainable earnings growth. |
| Quantitative boundary | Annual net charge-offs shall not exceed 1.5% of the total loan portfolio. Single-borrower concentration shall not exceed 15% of Tier 1 capital. Commercial real estate concentration shall remain below 300% of total risk-based capital, consistent with OCC interagency guidance. |
| Tolerance range | Green: net charge-offs ≤ 1.0%. Amber: 1.0%-1.5% (triggers enhanced portfolio review and monthly board reporting). Red: > 1.5% (triggers immediate board notification, lending pause in affected segments, and remediation plan within 10 business days). |
| KRIs monitored | Net charge-off rate (monthly); 90-day delinquency rate (weekly); CRE concentration ratio (quarterly); single-name concentration report (quarterly). |
This example reflects the quantitative precision the FSB framework demands for financial institutions. For a complete library of banking-specific risk metrics, see our guide on key risk indicators for banks.
2. Commercial Banking: Liquidity Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has a low appetite for liquidity risk and requires the institution to maintain sufficient liquid assets to meet all obligations under both normal and stressed conditions without forced asset sales. |
| Quantitative boundary | The Liquidity Coverage Ratio (LCR) shall be maintained at or above 120%, exceeding the 100% regulatory minimum by a 20-percentage-point management buffer. The Net Stable Funding Ratio (NSFR) shall remain above 110%. |
| Tolerance range | Green: LCR ≥ 120%. Amber: 110%-119% (triggers daily liquidity monitoring and ALM committee convened within 48 hours). Red: < 110% (triggers board notification, contingency funding plan activation, and regulatory communication if approaching 100%). |
| KRIs monitored | LCR (daily calculation, weekly board reporting); NSFR (monthly); cash flow coverage ratio at 30, 60, 90 days (weekly); wholesale funding dependency ratio (monthly). |
3. Healthcare System: Patient Safety and Clinical Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has zero appetite for preventable patient harm events and maintains a low appetite for clinical quality deviations from evidence-based standards of care. |
| Quantitative boundary | Serious safety events (SSE-3 and SSE-4 on the Safety Event Classification scale) shall not exceed 2 per 10,000 patient encounters. Hospital-acquired infection (HAI) rates shall remain in the top quartile (lowest 25%) compared to CMS national benchmarks. 30-day readmission rates shall not exceed 12% for targeted conditions. |
| Tolerance range | Green: SSE rate ≤ 1 per 10,000; HAI rates in top quartile. Amber: SSE rate 1-2 per 10,000 or HAI rates in second quartile (triggers quality committee deep-dive within 5 business days). Red: any SSE-4 event or HAI rates in third/fourth quartile (triggers immediate root cause analysis, board patient safety committee notification, and corrective action plan within 72 hours). |
| KRIs monitored | Safety Event Classification rate (monthly); HAI rates by type (monthly, benchmarked quarterly); 30-day readmission rate (monthly); sentinel event count (real-time reporting). |
4. Healthcare System: Cybersecurity and PHI Protection
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has zero appetite for unauthorized disclosure of protected health information (PHI) and a low appetite for cybersecurity control gaps that could expose the organization to HIPAA enforcement actions or ransomware disruption. |
| Quantitative boundary | PHI breach events affecting 500+ individuals: zero tolerance. Critical vulnerability patch compliance: ≥ 95% within 14 days of disclosure. Mean time to detect (MTTD) for security incidents: ≤ 24 hours. Annual cybersecurity spending: minimum 6% of IT operating budget. |
| Tolerance range | Green: zero reportable breaches; patch compliance ≥ 95%; MTTD < 24 hrs. Amber: patch compliance 85-94% or MTTD 24-48 hrs (CISO escalation to executive team within 48 hours). Red: any reportable breach, patch compliance < 85%, or MTTD > 48 hrs (board notification; incident response plan activation; OCR breach notification assessment initiated). |
| KRIs monitored | Breach incident count (real-time); patch compliance rate (bi-weekly); MTTD and MTTR (weekly); phishing simulation click rate (monthly); security training completion (quarterly). |
Healthcare cybersecurity risk appetite must align with HIPAA Security Rule requirements. Our NIST Cybersecurity Framework KRI guide and cyber security KRI examples provide the monitoring metrics these statements require.
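As an added example that is not part of the original guide, the Python below scores the Example 4 cyber KRIs (critical patch compliance within 14 days, mean time to detect, reportable PHI breaches) against the page's green/amber/red bands and returns the matching escalation action. The vulnerability and incident records are constructed sample data with placeholder ids, and the code settles two edge cases the table leaves implicit: a vulnerability whose 14-day window has not yet closed, and values landing exactly on a band boundary.

```python
"""Added example: score the Example 4 cyber KRIs against the page's bands.
All records below are constructed; the vulnerability ids are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

PATCH_WINDOW_DAYS = 14  # boundary: >= 95% of criticals patched within 14 days
BANDS = ["green", "amber", "red"]  # ordered worst-last


@dataclass
class Vuln:
    vuln_id: str                 # placeholder id, constructed
    disclosed: datetime
    patched: Optional[datetime]  # None = still open


@dataclass
class Incident:
    name: str
    occurred: datetime
    detected: datetime


def patch_compliance_pct(vulns, as_of, window_days=PATCH_WINDOW_DAYS):
    """Percent of critical vulns patched within the window. A vuln whose window
    has not yet closed at `as_of` is excluded, so an open-but-not-yet-late item
    is not counted as a miss. Returns None when nothing is measurable yet."""
    due = [v for v in vulns if v.disclosed + timedelta(days=window_days) <= as_of]
    if not due:
        return None
    on_time = sum(1 for v in due if v.patched is not None
                  and v.patched - v.disclosed <= timedelta(days=window_days))
    return 100.0 * on_time / len(due)


def mttd_hours(incidents):
    """Mean time to detect: average of (detected - occurred) in hours."""
    return mean((i.detected - i.occurred).total_seconds() / 3600 for i in incidents)


def band_patch(pct):
    # Page bands: green >= 95, amber 85-94, red < 85. A value between 94 and 95
    # sits in the page's gap; it misses the 95% boundary, so it is scored amber.
    if pct >= 95:
        return "green"
    return "amber" if pct >= 85 else "red"


def band_mttd(hours):
    # Page bands: green < 24 hrs, amber 24-48, red > 48. Exactly 24 is amber,
    # and exactly 48 stays amber because the red trigger is strictly above 48.
    if hours < 24:
        return "green"
    return "amber" if hours <= 48 else "red"


# Escalation wording follows the Example 4 tolerance range on the page.
ACTIONS = {
    "green": "No escalation; continue scheduled KRI reporting.",
    "amber": "CISO escalation to executive team within 48 hours.",
    "red": ("Board notification; incident response plan activation; "
            "OCR breach notification assessment initiated."),
}


def assess(reportable_breaches, patch_pct, detect_hours):
    """Worst-of rule across the three KRIs. Any reportable breach (500+
    individuals) is red by itself, matching the page's zero tolerance.
    Returns (overall_band, per_kri_bands, escalation_action)."""
    bands = {
        "breach": "red" if reportable_breaches > 0 else "green",
        "patch_compliance": band_patch(patch_pct),
        "mttd": band_mttd(detect_hours),
    }
    overall = max(bands.values(), key=BANDS.index)
    return overall, bands, ACTIONS[overall]


# --- constructed sample data (not real findings) ---------------------------
AS_OF = datetime(2026, 3, 1)
def D(m, d): return datetime(2026, m, d)  # short date helper
SAMPLE_VULNS = [
    Vuln("VULN-PLACEHOLDER-01", D(1, 2), D(1, 5)),
    Vuln("VULN-PLACEHOLDER-02", D(1, 3), D(1, 15)),
    Vuln("VULN-PLACEHOLDER-03", D(1, 4), D(1, 10)),
    Vuln("VULN-PLACEHOLDER-04", D(1, 5), D(1, 18)),
    Vuln("VULN-PLACEHOLDER-05", D(1, 6), D(1, 20)),   # exactly 14 days: on time
    Vuln("VULN-PLACEHOLDER-06", D(1, 7), None),        # never patched: a miss
    Vuln("VULN-PLACEHOLDER-07", D(1, 8), D(1, 9)),
    Vuln("VULN-PLACEHOLDER-08", D(1, 10), D(1, 12)),
    Vuln("VULN-PLACEHOLDER-09", D(1, 12), D(1, 15)),
    Vuln("VULN-PLACEHOLDER-10", D(1, 15), D(1, 29)),
    Vuln("VULN-PLACEHOLDER-11", D(2, 25), None),       # window still open: excluded
]
SAMPLE_INCIDENTS = [  # occurred -> detected: 10 h, 30 h, 20 h
    Incident("phished-credential-use", datetime(2026, 2, 1, 8), datetime(2026, 2, 1, 18)),
    Incident("ransomware-precursor", datetime(2026, 2, 10, 0), datetime(2026, 2, 11, 6)),
    Incident("rogue-device", datetime(2026, 2, 20, 9), datetime(2026, 2, 21, 5)),
]


def run_sample():
    """Score the constructed period: 9 of 10 due vulns on time, MTTD 20 h."""
    pct = patch_compliance_pct(SAMPLE_VULNS, AS_OF)
    return assess(0, pct, mttd_hours(SAMPLE_INCIDENTS))
```

On the constructed data the period scores amber on patch compliance alone (90%), so the CISO escalation fires even though MTTD is green and no breach occurred.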
5. Technology Company (SaaS): Operational and Service Delivery Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board accepts a moderate appetite for operational risk in exchange for rapid innovation and market expansion, provided service continuity to enterprise customers is maintained at contractual SLA levels. |
| Quantitative boundary | Platform uptime shall be maintained at ≥ 99.95% measured monthly (maximum 21.6 minutes unplanned downtime per month). P1 incident volume shall not exceed 3 per quarter. Customer NPS impact from service disruptions shall not cause a decline of more than 5 points quarter-over-quarter. |
| Tolerance range | Green: uptime ≥ 99.95%; P1 incidents ≤ 1/quarter. Amber: uptime 99.9-99.94% or 2-3 P1 incidents (triggers engineering post-mortem and SLA credit assessment). Red: uptime < 99.9% or > 3 P1 incidents (triggers CTO board presentation, customer communication plan, and infrastructure investment review). |
| KRIs monitored | Platform uptime (real-time, reported monthly); P1 incident count and MTTR (weekly); customer churn correlated to incidents (monthly); change failure rate (bi-weekly). |
6. Insurance Company: Underwriting Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board accepts a moderate appetite for underwriting risk, pursuing profitable premium growth across diversified lines of business while maintaining disciplined risk selection and pricing adequacy. |
| Quantitative boundary | Combined ratio shall not exceed 98% on a calendar-year basis. Net premium growth shall not exceed 15% annually without board-approved capital adequacy assessment. Catastrophe exposure (1-in-100-year PML) shall remain below 20% of policyholders’ surplus. |
| Tolerance range | Green: combined ratio ≤ 95%. Amber: 95-98% (triggers underwriting review by CUO and actuarial pricing analysis). Red: > 98% (triggers board notification, line-level profitability review, and rate action plan within 30 days). |
| KRIs monitored | Combined ratio by line (monthly); loss ratio development (quarterly); premium growth rate (monthly); RBC ratio (quarterly); catastrophe PML (semi-annually). |
For the complete insurance risk measurement framework, including claims, reserve, and fraud KRIs, see our dedicated guide on key risk indicators for insurance companies.
7. Public Pension Fund: Investment and Funding Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board of Trustees accepts a moderate appetite for investment risk in pursuit of the assumed rate of return necessary to meet long-term benefit obligations, while maintaining a low appetite for liquidity risk that could impair near-term benefit payments. |
| Quantitative boundary | Funded ratio shall be maintained at or above 80% on an actuarial basis. Annual investment return shortfall versus the assumed rate shall not exceed 300 basis points on a trailing 3-year average. Illiquid asset allocation (private equity, real assets, infrastructure) shall not exceed 25% of total assets. Benefit payment coverage ratio shall remain above 1.2x. |
| Tolerance range | Green: funded ratio ≥ 90%; return shortfall ≤ 100 bps. Amber: funded ratio 80-89% or return shortfall 100-300 bps (triggers investment committee strategic review and contribution adequacy assessment). Red: funded ratio < 80% or return shortfall > 300 bps (triggers board-level funding policy review, actuarial experience study acceleration, and potential benefit structure evaluation). |
| KRIs monitored | Funded ratio (quarterly actuarial update); investment return vs. assumed rate (monthly); illiquidity ratio (quarterly); benefit payment coverage (monthly); contribution adequacy ratio (annually). |
For pension-specific risk measurement frameworks, see our comprehensive guide on key risk indicators for pension funds.
8. Manufacturing Company: Supply Chain and Operational Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board maintains a low appetite for supply chain disruption risk, recognizing that production continuity is the foundation of customer trust and revenue stability. |
| Quantitative boundary | Single-source supplier dependency shall not exceed 30% of total material spend for any critical input. Customer on-time delivery rate shall be maintained at ≥ 95%. Unplanned production downtime shall not exceed 40 hours per quarter across all facilities. Finished goods inventory days shall remain between 15 and 30 days. |
| Tolerance range | Green: on-time delivery ≥ 97%; single-source dependency ≤ 25%. Amber: on-time delivery 95-96% or single-source dependency 25-30% (COO-led supply chain review and alternative sourcing evaluation). Red: on-time delivery < 95% or single-source dependency > 30% (board notification, customer impact assessment, and supply chain diversification plan within 30 days). |
| KRIs monitored | Supplier concentration by critical input (quarterly); on-time delivery rate (weekly); unplanned downtime hours (weekly); inventory days (monthly); supplier financial health scores (semi-annually). |
9. University: Strategic and Enrollment Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board of Regents has a moderate appetite for strategic enrollment risk, accepting reasonable variability in enrollment volumes to support program innovation and demographic diversification, while maintaining a low appetite for financial risks that would compromise the institution’s bond rating or endowment purchasing power. |
| Quantitative boundary | Year-over-year enrollment decline shall not exceed 5% at the institutional level or 10% in any individual college. Tuition revenue dependency shall remain below 75% of total operating revenue. Endowment draw shall not exceed the Board-approved spending rate of 5% on a 12-quarter trailing average market value. |
| Tolerance range | Green: enrollment variance within ±3%; tuition dependency ≤ 70%. Amber: enrollment decline 3-5% or tuition dependency 70-75% (triggers Provost-led enrollment strategy review and budget contingency activation). Red: enrollment decline > 5% or tuition dependency > 75% (board notification, program portfolio review, and operating budget reduction plan within 60 days). |
| KRIs monitored | Enrollment yield rate (cycle reporting); net tuition revenue per student (semester); application volume and admit rate trends (weekly during cycle); endowment return vs. spending rate (quarterly). |
10. Energy Utility: Regulatory and Environmental Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has zero appetite for environmental compliance violations that could result in material fines, consent decrees, or permit revocation, and a low appetite for operational safety incidents that could harm employees, contractors, or communities. |
| Quantitative boundary | Environmental permit exceedances: zero tolerance for Tier 1 violations. OSHA Total Recordable Incident Rate (TRIR): shall not exceed 1.5 per 200,000 work hours (vs. industry average of 2.1). NERC Critical Infrastructure Protection (CIP) audit findings: zero high-severity findings. |
| Tolerance range | Green: zero Tier 1 violations; TRIR ≤ 1.0; zero CIP findings. Amber: any Tier 2 violation, TRIR 1.0-1.5, or any medium-severity CIP finding (triggers EHS director review and corrective action plan within 10 days). Red: any Tier 1 violation, TRIR > 1.5, or high-severity CIP finding (board notification within 24 hours; regulatory self-disclosure assessment; root cause analysis and remediation within 30 days). |
| KRIs monitored | Permit exceedance count by tier (real-time); TRIR (monthly, rolling 12-month); near-miss reporting rate (monthly); CIP compliance score (quarterly); environmental reserve adequacy (annually). |
11. Fintech / Payments Company: Compliance and Third-Party Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has zero appetite for willful or systemic regulatory non-compliance and a low appetite for third-party vendor failures that could disrupt customer-facing payment services or compromise consumer data. |
| Quantitative boundary | Regulatory examination findings rated ‘Matters Requiring Attention’ or higher: maximum 2 per examination cycle. State money transmitter license renewal: 100% on-time. Critical vendor SLA compliance: ≥ 97%. SAR filing timeliness: 100% within 30-day regulatory window. BSA/AML false positive rate: ≤ 90% (to balance alert quality with detection coverage). |
| Tolerance range | Green: zero MRA findings; vendor SLA ≥ 97%; SAR timeliness 100%. Amber: 1 MRA finding or vendor SLA 95-96% (triggers CCO-led response plan and enhanced vendor monitoring). Red: ≥ 2 MRA findings, any consent order, or vendor SLA < 95% (board and audit committee notification; regulatory remediation plan; potential vendor replacement initiated). |
| KRIs monitored | MRA/MRIA finding count (per examination); SAR filing timeliness (monthly); vendor SLA compliance (monthly); complaint volume by type (monthly); license renewal tracker (quarterly). |
For AML-specific risk metrics, see our guide on key risk indicators for AML and financial crime compliance.
For broader compliance monitoring, see our regulatory compliance KRI framework.
12. Nonprofit Organization: Reputational and Fiduciary Risk
| Element | Statement |
| --- | --- |
| Qualitative posture | The Board has zero appetite for activities that compromise the organization’s mission integrity or donor trust, and a low appetite for financial risks that could impair the organization’s ability to sustain programs for more than one fiscal year. |
| Quantitative boundary | Operating reserves shall be maintained at a minimum of 6 months of average monthly operating expenses. Program spending ratio shall remain at or above 75% of total expenses. Donor concentration: no single donor or grant shall represent more than 25% of total annual revenue. Investment portfolio drawdown shall not exceed 15% from peak in any 12-month period. |
| Tolerance range | Green: reserves ≥ 8 months; program ratio ≥ 80%; donor concentration ≤ 20%. Amber: reserves 6-8 months or donor concentration 20-25% (triggers finance committee review and diversification strategy refresh). Red: reserves < 6 months or donor concentration > 25% (board notification; fundraising diversification plan within 30 days; potential program prioritization review). |
| KRIs monitored | Operating reserve months (monthly); program spending ratio (quarterly); donor concentration index (quarterly); investment portfolio performance vs. policy benchmark (monthly). |
Risk Appetite Framework Template: Putting It All Together
A risk appetite statement does not live in isolation. It sits within a risk appetite framework that includes the governance structure, the monitoring mechanism, and the escalation protocol.
The table below provides a framework template you can adapt. This structure aligns with the GARP six-step risk appetite methodology and Gartner’s risk appetite framework guidance.
| Framework Component | Description | Owner / Approval |
| --- | --- | --- |
| 1. Risk taxonomy | Defines the risk categories for which appetite statements are required. Typically 6-10 Level 1 categories: financial, credit, market, operational, compliance, strategic, reputational, cyber, third-party, model risk. | CRO develops; board approves annually |
| 2. Risk appetite statements | Qualitative + quantitative statements for each Level 1 risk category, using the anatomy structure described in this guide. | Risk function drafts; executive committee reviews; board approves |
| 3. KRI alignment | Each appetite statement linked to 2-4 KRIs with defined data sources, calculation methodology, and reporting frequency. | Risk function selects; 1st line validates data availability; CRO approves |
| 4. Threshold calibration | Green/amber/red thresholds set for each KRI using statistical analysis and expert judgment. Back-tested against historical events. | Risk function calibrates; business unit heads validate; risk committee approves |
| 5. Escalation protocols | Documented response procedures for amber and red breaches: notification SLAs, investigation requirements, remediation timelines, and decision authority. | CRO defines; executive committee approves; internal audit validates |
| 6. Monitoring dashboard | Live dashboard displaying all KRIs against thresholds, trend arrows, breach history, and management commentary. Reported to risk committee quarterly and board semi-annually. | Risk function maintains; CRO presents to board |
| 7. Annual recalibration | Formal annual review of all appetite statements, thresholds, and KRIs. Triggered earlier by material events: strategy change, M&A, regulatory change, or significant risk event. | CRO initiates; board approves revised framework |
For step-by-step guidance on building the threshold layer, see our guide to setting KRI thresholds. For the KRI monitoring infrastructure, see our KRI dashboard tutorial and risk monitoring best practices.
Five Pitfalls That Kill Risk Appetite Statements
1. Qualitative-only language. “We have a moderate appetite for operational risk” is not a governance tool. It is a philosophy statement. Every qualitative posture must have at least one quantitative boundary.
The FSB Principles are explicit: effective frameworks establish quantitative measures of loss that can be aggregated and disaggregated.
2. Set-and-forget syndrome. A risk appetite statement drafted in 2021 probably does not reflect your 2026 risk landscape. AI risk, supply chain reconfiguration, and evolving cyber threats have shifted the boundaries.
Schedule annual recalibration, and trigger interim reviews after any material event. Your risk assessment process should feed directly into appetite recalibration.
3. No connection to KRIs. A risk appetite statement without linked KRIs is a document that nobody monitors.
Each statement must map to specific, measurable indicators with defined thresholds and data sources. See our complete KRI examples library for metrics across every risk domain.
4. Board rubber-stamping. If the board approves the risk appetite statement without discussion, challenge, or amendment, the governance process is failing. Board members should understand what each quantitative boundary means, what scenarios would trigger a breach, and what management’s response plan is. The ISACA risk appetite and tolerance guidance emphasizes that boards should actively challenge risk appetite assumptions, particularly as organizations deploy AI and other emerging technologies.
5. One-size-fits-all across business units. Enterprise-level appetite must be cascaded to business units with appropriate adjustments.
A retail banking division and an investment banking division within the same holding company will have different operational risk tolerances.
The GARP methodology recommends that each unit adapt the appetite statement to its local operating environment while remaining within the enterprise boundaries.
90-Day Risk Appetite Statement Implementation Roadmap
| Phase | Timeframe | Key Activities | Deliverable |
| --- | --- | --- | --- |
| 1: Discovery | Days 1-30 | Review existing risk appetite documentation; benchmark against FSB Principles and COSO ERM; interview board members and C-suite on risk posture expectations; inventory existing KRIs and thresholds; conduct gap analysis between current statements and the six-element anatomy | Gap analysis report; stakeholder interview summary; risk taxonomy alignment matrix |
| 2: Drafting | Days 31-60 | Draft appetite statements for each Level 1 risk category using the anatomy structure; align quantitative boundaries with historical data and peer benchmarks; map each statement to 2-4 KRIs; calibrate green/amber/red thresholds; draft escalation protocols; circulate for 1st line validation | Draft risk appetite framework document; calibrated KRI threshold table; escalation protocol matrix |
| 3: Approval and launch | Days 61-90 | Present draft to executive risk committee for challenge and refinement; revise based on feedback; present to board for approval; configure KRI thresholds in GRC platform or dashboard; train risk owners on escalation procedures; communicate framework organization-wide | Board-approved risk appetite framework; live KRI dashboard; training completion records; communication materials |
Looking Ahead: AI, Climate, and Dynamic Appetite
Three developments are reshaping how organizations write risk appetite statements in 2026 and beyond.
First, AI governance risk requires explicit appetite language. Organizations deploying large language models, automated decision systems, or AI-driven customer interactions need statements that address model accuracy, bias, explainability, and autonomous decision boundaries.
The ISACA risk appetite in the age of AI framework provides a useful starting template for AI risk appetite articulation.
Second, climate and ESG risk is moving from voluntary disclosure to regulated requirements.
Organizations subject to SEC climate disclosure rules, California SB 253, or ISSB S2 standards need appetite statements that address physical risk exposure, transition risk, and Scope 1/2/3 emissions trajectories. Our guide on ESG and sustainability KRIs provides the monitoring metrics for these emerging appetite categories.
Third, dynamic risk appetite is replacing static annual statements. Leading organizations are building appetite frameworks that adjust quantitative boundaries based on market conditions, stress scenarios, and forward-looking indicators.
This means appetite statements that specify not just static thresholds but conditional thresholds: “Under normal market conditions, VaR shall not exceed $X; under stressed conditions (defined as…), the board authorizes a temporary increase to $Y for a maximum of 90 days.” Building strategic risk indicators that anticipate regime changes is the enabling capability for dynamic appetite.
What, So What, Now What
What: A risk appetite statement translates board-level risk posture into measurable boundaries that guide decision-making across the organization. Effective statements combine qualitative language with quantitative thresholds, linked KRIs, and documented escalation protocols.
So What: Without quantitative boundaries, risk appetite is a philosophy that nobody can operationalize. Without linked KRIs, it is a document nobody monitors. Without escalation protocols, breaches go unaddressed.
The 12 examples in this guide show what good looks like across banking, healthcare, insurance, pensions, technology, energy, fintech, manufacturing, higher education, and nonprofit sectors.
Now What: Start with the gap analysis: compare your current risk appetite statements against the six-element anatomy in this guide.
Identify which elements are missing, then use the 90-day roadmap to build or refresh your framework.
For the foundational concepts, start with our guide on what a key risk indicator is. For the monitoring layer, see our KRI examples library and best KRIs overview. Your appetite statement should be the sharpest governance tool in your risk management toolkit.
References
1. Financial Stability Board, “Principles for an Effective Risk Appetite Framework” (2013)
2. ISO 31000:2018 Risk Management — Guidelines
3. COSO Enterprise Risk Management — Integrating with Strategy and Performance (2017)
4. GARP, “ERM and Risk Appetite” (2025)
5. ISACA, “Applying Risk Appetite and Risk Tolerance in the Age of AI” (2024)
6. Gartner, “Risk Appetite Framework”
7. MetricStream, “Guide to Effective Risk Appetite Statements: Examples and Best Practices”
8. ZenGRC, “Risk Appetite Statement Examples” (2025)
9. Visbanking, “7 Risk Appetite Statement Examples for Bank Executives”
10. Risk Insights Hub, “Risk Appetite and Strategy Alignment” (2025)
11. Canadian Institute of Actuaries, “Risk Appetite” Reference Document
12. FAIR Institute, “Leverage FAIR for HIPAA Annual Risk Analysis”
13. HHS, “Guidance on Risk Analysis” (HIPAA Security Rule)

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
