Risk appetite is the broad level of risk a company is willing to take in pursuit of its goals; risk tolerance is the acceptable variation around specific objectives or limits. Together they define the boundaries within which a business operates. Setting them is a board responsibility and a strategic choice — it makes decisions more consistent, lets management act with clear limits, and prevents a company from being either recklessly aggressive or so cautious it misses opportunities.
Risk appetite
The overall amount and type of risk a company is willing to take.
Risk tolerance
The acceptable variation around a specific objective or limit.
Why it matters
Clear limits make decisions consistent and enable confident delegation.
Board’s job
Setting appetite is a strategic choice owned by the board.
What Risk Appetite Means
Risk appetite is the amount and kind of risk a company is willing to accept in pursuit of its objectives. Every business must take risk to create value — no risk means no investment, no innovation, and no growth — so the question is never whether to take risk but how much, and of what kind. Risk appetite is the answer a company gives to that question, deliberately and in advance, rather than discovering it through accident.
Risk appetite varies enormously between businesses, and rightly so. A young technology company pursuing rapid growth will accept a high level of risk, betting on bold moves in the hope of large rewards. A pension fund managing retirees’ savings will accept very little, prioritising the protection of capital above all. A regulated bank sits somewhere in between, balancing the pursuit of returns against the obligation to remain safe and stable. None of these appetites is correct in the abstract; each suits the purpose and circumstances of the organisation.
Defining risk appetite forces useful conversations. It makes a company decide, explicitly, how much financial leverage it will carry, how much it will concentrate its business with a single customer or in a single market, and which activities are simply off-limits regardless of potential reward. These are strategic choices about the character of the business, and making them consciously is far better than leaving them to be settled, decision by decision, without any guiding framework.
How Risk Tolerance Differs
Risk appetite and risk tolerance are closely related and often confused, but the distinction is useful. If risk appetite is the broad, qualitative statement of how much risk a company is willing to take overall, risk tolerance is the more specific, often quantitative expression of acceptable variation around particular objectives or limits. Appetite sets the overall stance; tolerance sets the concrete boundaries on individual risks.
An example makes the difference clear. A company’s risk appetite might state that it is willing to pursue international expansion but is averse to risks that could threaten its survival. Risk tolerance translates that into specifics: no more than a defined percentage of revenue from any single country, debt kept below a certain ratio, no expansion that would require betting more than a set amount of capital. Tolerance turns the broad appetite into measurable limits that managers can actually work with day to day.
This relationship — broad appetite at the top, specific tolerances beneath it — is what makes the concepts practical. The appetite communicates the company’s overall philosophy toward risk; the tolerances give managers clear lines they must not cross. Together they connect the board’s strategic view of risk to the concrete decisions made throughout the organisation, forming a key part of the wider risk management framework.
Why Every Company Needs Defined Limits
A company that has not defined its risk appetite is not avoiding the question — it is answering it by default, inconsistently, through whatever individual decisions happen to get made. The result is usually one of two failures. Either the company becomes accidentally reckless, taking on dangerous exposures because no one set a limit, or it becomes unthinkingly cautious, passing up worthwhile opportunities because no one gave managers permission to take sensible risks. Often a company swings between the two, lurching from over-caution to over-aggression as the mood changes.
Defined limits cure this by making risk-taking deliberate and consistent. When everyone understands how much risk the company is willing to take, decisions across the organisation pull in the same direction. A proposal can be tested against the appetite: does this fit who we are and what we are willing to risk? This consistency is especially valuable in large organisations, where many people make risk-affecting decisions and cannot all consult the board. Clear appetite and tolerance let the board’s risk philosophy reach every corner of the business.
Defined limits also enable confident delegation, which is essential to running any sizeable company. If managers know the boundaries within which they can operate, the board and senior leadership can delegate decisions freely, trusting that those decisions will respect the agreed limits. Without such boundaries, either everything must be escalated — paralysing the organisation — or decisions are made with no shared sense of the acceptable, inviting nasty surprises.
Setting and Using Risk Appetite
Setting risk appetite is fundamentally a board responsibility, because it is a strategic choice about the kind of company this is. The board, drawing on management’s input and the company’s strategy, decides how much risk the business should be willing to take overall and in key areas. This is not a one-off exercise; appetite should be revisited as strategy evolves, as the business grows, and as the environment changes. A young company’s appetite for risk will, and should, look different a decade later.
Once set, risk appetite has to be communicated and embedded to have any effect. It needs to reach the managers making real decisions, expressed in terms they can apply — the specific tolerances discussed earlier. It should be referenced when major decisions are weighed, so that proposals are explicitly tested against it. And it needs to be monitored: management should report to the board on whether the company is operating within its appetite, flagging when limits are being approached or breached. This reporting links risk appetite to the broader machinery of governance reporting and internal controls.
Used well, risk appetite becomes a quiet but powerful tool of governance. It aligns the whole organisation around a shared understanding of acceptable risk, lets the board delegate with confidence, and provides an early-warning system when the company starts to drift toward danger. Used badly — set vaguely, filed away, and never consulted — it becomes another piece of governance theatre. The difference lies in whether the appetite genuinely shapes decisions. A company whose people can honestly say that the risk appetite has changed what they do has a real framework; one whose appetite statement gathers dust has only the appearance of one. For the board, ensuring it is the former is a central part of overseeing risk and protecting the interests of the company’s owners.
Risk Appetite in Practice: A Living Framework
The real value of risk appetite emerges only when it is treated as a living part of how a company operates rather than a document produced once and forgotten. In practice, this means the appetite is referenced in board discussions, built into the criteria for approving major investments, and reflected in the limits given to managers and business units. When a significant decision comes up — a large acquisition, entry into a volatile market, a change in financial structure — the appetite provides a ready frame for asking whether the move fits the company’s chosen level of risk.
A living framework also adapts. Circumstances change: a company that survives a crisis may emerge more cautious; one that has built a strong balance sheet may decide it can afford to be bolder. Periodic review keeps the appetite aligned with reality, preventing the common failure of governing today’s company with yesterday’s risk philosophy. The board’s role is to lead this review honestly, resisting both the temptation to quietly expand the appetite to justify decisions already made and the opposite drift into excessive caution after a scare.
Ultimately, risk appetite and risk tolerance are the link between a company’s strategy and its day-to-day risk-taking. They translate the board’s view of how much risk is acceptable into limits that guide thousands of individual decisions. A company that sets them thoughtfully, communicates them clearly, and uses them consistently gives itself a real advantage: it takes the risks it should, avoids the ones it should not, and is far less likely to be blindsided by exposures it never meant to accept. That is what turning risk management from paperwork into genuine protection looks like.
Common Mistakes in Setting Risk Appetite
Even companies that go through the exercise of defining risk appetite often undermine it through familiar mistakes. The first is vagueness — producing a statement so general that it constrains nothing and could justify almost any decision. The second is disconnection: writing an appetite statement that lives in a governance document but never enters the actual decisions managers make, so the company’s real risk-taking bears no relation to its stated appetite. Both produce the appearance of discipline without the substance.
A third mistake is rigidity in the wrong direction — treating the appetite as fixed when circumstances have changed, so the company keeps operating under limits that no longer fit its situation. The opposite failure is also common: quietly stretching the appetite to accommodate decisions leadership has already decided to make, which turns the framework into a rubber stamp. There is also the trap of focusing the appetite entirely on financial and measurable risks while leaving strategic and reputational risks, which are harder to express in numbers, outside the framework altogether. Avoiding these mistakes requires treating risk appetite as a genuine constraint that is specific, embedded in decisions, reviewed honestly, and applied across all risk types — not just the convenient ones. The board’s discipline in holding the line is what separates a real appetite from a decorative one, and it connects directly to the quality of the company’s wider governance and reporting.
Frequently Asked Questions
What is the difference between risk appetite and risk tolerance?
Risk appetite is the broad level of risk a company is willing to take overall. Risk tolerance is more specific — the acceptable variation around a particular objective or limit. Appetite is the philosophy; tolerance is the measurable boundary that puts it into practice.
Who sets a company’s risk appetite?
The board of directors, drawing on management’s input and the company’s strategy. Because risk appetite is a strategic choice about the kind of company the business should be, it cannot be delegated away from the board, though management implements it day to day.
How often should risk appetite be reviewed?
Regularly — typically at least once a year, and whenever the strategy, the business, or the environment changes significantly. An appetite set years ago may no longer fit a company that has grown, shifted direction, or faced new threats.
Can a company have too low a risk appetite?
Yes. An appetite that is too cautious causes a company to pass up worthwhile opportunities and can leave it falling behind bolder competitors. The goal is not minimal risk but the right level of risk for the company’s purpose and circumstances.
Discover more from Kurums | Business Intelligence
Subscribe to get the latest posts sent to your email.


