
ERM and Risk Appetite
Risk appetite is defined as the types and amount of risk an organization is willing to tolerate in pursuit of business objectives. An organization creates a risk appetite approach to provide a broad picture of risk-taking across the organization, where thresholds are pre-approved by the organization’s ultimate risk owner, typically the board or CEO.
Actual risk levels can be monitored against these thresholds, and deliberate decisions can be made about these risks relative to outcomes. An organization with a higher level of risk appetite will encourage a culture of risk-taking. Alternatively, an organization with lower risk appetite will require more steps to bring its risks to tolerable levels, which has implications for its budget.
As shown in Figure 1, risk appetite can be looked at as a critical crossroads for a risk owner.
Figure 1: Enterprise Risk Management Framework