by Matthew Leitch 9th December 2009 (revised 11 March 2010 in light of new research)


This article is a study of alternative definitions of the phrase ‘risk appetite’ and is designed to provide clear, definitive answers to the questions people most often ask.

Key points

The key points from this analysis, presented as answers to common questions, are as follows:

  • Q: What does ‘risk appetite’ mean?

    A: The phrase ‘risk appetite’ is a buzzphrase in search of a single clear meaning. It means different things – often not very clearly – to different people, when they have any concept for it at all.

  • Q: An important person (e.g. regulator, guidance document, auditor) says we should define/articulate our ‘risk appetite’. What do they actually want us to do?

    A: One cannot be sure and should check. However, in the financial sector it usually means they want you to set up and operate a system of limits that limit risk taking in your organization. They expect you to operate the system much like a budgetary control system, so that includes periodically resetting the limits and monitoring actual behaviour against them. The numbers you set limits for do not need to be risk measures, and for many types of risk taking behaviour you can write a policy saying it is completely banned, effectively setting your limit to zero. They don't expect the board to set all the limits but they do usually expect them to give some kind of indication for some overall limits. This is not the only or even the best way to govern risk taking, but it has some support and fits into the popular idea of control by numbers.

    In other sectors it is more likely that they want you to put limits of some kind on each of the risks in your risk analysis, or write and communicate a document making general policy and ‘attitude’ statements about different types of risk. They may also want you to monitor and enforce compliance with those policies, though this may be difficult if the policies are quantitatively vague.

  • Q: Does the phrase ‘risk appetite’ refer to an important concept in risk management that I should try to understand?

    A: No. It has been linked with a number of different ideas. For example, it may refer to the risk budgeting control system just mentioned. Sometimes ‘risk appetite’ gets confused with other concepts, and it does sound interesting, but the reality is that there is no interesting concept behind it. You can have a complete understanding of risk and risk management without ever using the phrase ‘risk appetite’ and, indeed, it is easier to understand risk if you use clearer, more self-explanatory terms.

  • Q: Should we define/articulate our risk appetite?

    A: Your organization should try to govern/control its risk taking and may find that applying limits is useful in doing that. However, a system of risk limits does not completely govern risk taking; it just limits it. People can still make poor decisions and take on risk that is not justified by the returns, and they can easily misjudge the value of upside outcomes. Also, just setting limits makes no impact unless you have an effective way of getting people to act within them.

  • Q: How can we work out our ‘risk appetite’?

    A: Even if ‘risk appetite’ is referring to a system of quantitative limits, you can hardly ever work it out by calculation. However, ‘risk appetite’ in this sense is not a matter of personal preference and there are things you should consider. The important considerations are objective factors such as the organization's reserves, flexibility, and management skills, the returns available, the needs of stakeholders, and the actual risks involved. Personality should not play a part.

  • Q: Should we use the phrase ‘risk appetite’ internally?

    A: No. Absolutely not. It has misleading connotations and multiple, inadequate definitions have been published. Even if you write your own definition many people will ignore it or get confused between what they think it should mean and your definition. Use a different phrase, such as ‘risk limits’ or ‘risk taking policies’ instead.

Published definitions

The definitions quoted below were found by searching the internet in late 2009 using Google and search facilities on the websites of likely sources, such as COSO's website and the website of the Basle Committee.

All the definitions found conflict with each other, with actual practice, with decision making logic, or with a combination of these. Several high profile organizations that frequently use the phrase ‘risk appetite’ did not offer a definition on their website (or it failed to come to light using searches). These included the Basle Committee, the FSA (despite 88 mentions in its handbook across 34 documents), the Financial Reporting Council, ACCA, AIRMIC, and IRM.

Other wide ranging risk and finance glossaries and organizations you might expect to provide a definition did not. These included the ICAEW, AICPA, London Stock Exchange, New York Stock Exchange, Reuters, the Turnbull report, the Bank of England, Society for Risk Analysis, David Hillson (author of two books on risk attitude), Institute of Actuaries, Association of Consulting Actuaries, and the Government Actuary's Department.

Given the strong support for ‘risk appetite’ from government in the UK I was surprised to find it defined by so few, and this may indicate that the idea is less widely popular than it perhaps seems.

Definition as a maximum amount

The simplest definitions explain ‘risk appetite’ as an overall maximum amount of risk, on some basis.

| Source | Definition of ‘risk appetite’ |
| --- | --- |
| Institute of Internal Auditors, from its glossary | ‘The level of risk that an organization is willing to accept.’ |
| ISO 31000:2009 and ISO Guide 73:2009 | ‘amount and type of risk that an organization is prepared to pursue, retain or take’ |
| HM Treasury's Orange Book | ‘The amount of risk which is judged to be tolerable and justifiable’ |
| Society of Actuaries ERM ‘factsheet’ | ‘the level of aggregate risk that an organization can undertake and successfully manage over an extended period of time.’ |
| COSO's ERM framework offers two slightly different versions | (1) ‘the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals.’ (2) ‘the amount of risk an entity is willing to accept in pursuit of value.’ |

These attempts at definition reflect a number of common misconceptions:

  • Misconception 1: That there's one level that is the right one regardless of the decision involved and that this level is determined by some kind of decision making logic. In reality each decision is different and the maximum amount of risk that a decision maker would be willing to take will increase with the predicted rewards.

  • Misconception 2: That the maximum level of risk that a decision maker would be willing to take depends on the decision maker's goals. In reality it should depend on what the decision maker expects to receive as a reward, not on what he/she would like to receive.

  • Misconception 3: It is rational to place a top limit on the amount of risk to be pursued. Pursuing risk makes no sense if the risk is the usual, downside risk; even an insurance company determined to grow tries to dodge risk as it pursues increased premiums. If the risk is upside risk then it makes no sense to put a limit on it; you would limit downside risks believed to be linked to the upside risk.

Definition as willingness

Other definitions talk about degrees of willingness to take given risks.

| Source | Definition of ‘risk appetite’ |
| --- | --- |
| Business Continuity Institute, from its glossary as at 2009 (subsequently changed) | ‘The willingness of an organisation to accept a defined level of risk in order to conduct its business cost-effectively.’ ‘The degree to which an organization's management is willing to accept the uncertainty of loss for a given risk when it has the option to pay a fixed sum to transfer that risk to an insurer.’ |
| Lloyds Market | ‘the willingness to take on risk’* |

* This is not a very clear definition and other text from the same source suggests a concept based on maximum amount.

Note that these definitions make ‘risk appetite’ a function giving the level of willingness for any given risk. Methods for quantifying ‘willingness’ are not discussed.

Other definitions

The following definitions either suggest different ideas to those already covered or are offered by consultants and authors rather than by more ‘official’ sources.

| Source | Definition of ‘risk appetite’ |
| --- | --- |
| OGC glossary, referencing M_o_R | ‘An organization's unique attitude towards risk-taking which in turn dictates the amount of risk that it considers is acceptable.’ |
| Oxford Risk (consultants on risk psychology) in their glossary | ‘A person's propensity to prefer riskier or safer alternatives.’ |
| Risk Appetite: The Foundation of Enterprise Risk Management by Towers Perrin in 2009 | ‘the total risk that an organization is willing to take to achieve its strategic objectives and meet its obligations to stakeholders.’ |
| What's your risk appetite? by Oliver Wyman | ‘the variability in results that an organization and its senior executives are prepared to accept in support of a stated strategy’ |
| John Thirlwell in a presentation from 2007 | ‘the amount that a firm is willing to risk (for a given risk-reward ratio)’ |
| Currency Financial Inc, in their glossary | ‘The amount of capital that you are willing to lose in order to generate a potential profit.’ |

Some of these attempts at definition reflect a number of additional common misconceptions:

  • Misconception 4: The maximum level of risk that a decision maker would be willing to take depends on the decision maker's strategy. In reality it should depend on what the decision maker expects to receive as a reward, not just on the actions he/she plans to take.

  • Misconception 5: An organization's response to risk should be a reflection of the personal propensities to risk taking of one or more people in the organization. Unless the organization exists and is run for the sole benefit of the person whose risk attitude is used as the basis for the risk responses of the organization, this is wrong. More usually, many stakeholders are involved, many not even within the organization let alone holding senior executive positions.

Interpretation in practice

In practice, when banks and insurance companies write about their ‘risk appetite’ in annual reports it is clear that they are mainly talking about a system of limits operating mainly on numbers, some of which are risk assessments but many of which are not. However, there is a lot of variation in the way these are explained and much of the text concerns how the limits are arrived at. Often, the ‘risk appetite’ part of their limit system is just a high level set of limits or policies of some kind, with the rest of the system being named in some other way.

Here are five illustrative examples from the UK.

Company and source: numbers used in ‘risk appetite’ control system

  • Prudential Annual Report 2008:

    ‘European Embedded Value (EEV) operating profit’
    ‘International Financial Reporting Standards (IFRS) operating profit’
    ‘EU Insurance Groups Directive (IGD) capital requirements’
    ‘economic capital requirements’

  • Aviva Annual Report 2008: What they do is not entirely clear but what they say is: ‘We monitor the financial impact of the changes to market values (including our staff pension schemes) through our measurement of economic capital and sensitivities to our key performance measures and set our risk appetite in respect of the amount to be invested in different types of asset.’

  • Barclays Annual Report 2008: The long description is frustratingly unclear and includes a lot of puffery. It seems they rely on budgets and their risk models and try not to disappoint shareholders through low dividends or market value falls. Limits are set for individual businesses, and possibly for types of risk too, but it's not clear.

  • Lloyds TSB Annual Report 2008: They say: ‘Business risk appetite is encapsulated in the Group's budget and medium-term plan, which are sanctioned by the board on an annual basis. Divisions and business units subsequently align their plans to the Group's overall business risk appetite.

    Credit risk appetite is expressed both in terms of credit risk economic equity and in terms of the impact of credit risk on earnings volatility.

    Credit risk appetite is set by the board and is described and reported through a suite of metrics derived from a combination of accounting and credit portfolio model parameters which in turn use the various credit risk rating systems as inputs. These metrics are supplemented by a variety of policies, sector caps and limits to manage concentration risk at an acceptable level.

    Market risk appetite is defined with regard to the quantum and composition of market risk that exists currently in the Group and the direction in which the Group wishes to manage this.

    This statement of the Group's overall appetite for market risk is reviewed and approved annually by the board. With the support of the group asset and liability committee, the group chief executive allocates this risk appetite across the Group. Individual members of the group executive committee ensure that market risk appetite is further delegated to an appropriate level within their areas of responsibility.

    Insurance risk appetite is defined with regard to the quantum and composition of insurance risk that exists currently in the Group and the direction in which the Group wishes to manage this.

    Operational risk appetite is defined as the quantum and composition of operational risk identified in the Group and the direction in which the Group wishes to manage it.

    The Group has developed an impact on earnings approach to operational risk appetite. This involves looking at how much the Group could lose due to operational risk losses at various levels of certainty. In setting operational risk appetite, the Group looks at both impact on solvency and the Group's reputation, including customer service requirements.

    For legal and regulatory risk the Group has minimal risk appetite and seeks to operate to high ethical standards. The Group encourages and maintains an appropriately balanced legal and regulatory compliance culture and promotes policies and procedures to enable businesses and their staff to operate in accordance with the laws, regulations and voluntary codes which impact on the Group and its activities.

    Liquidity and funding risk appetite for the banking businesses is set by the board and reviewed on an annual basis. It is reported through various metrics that enable the Group to manage liquidity and funding constraints. The chief executive, assisted by the group asset and liability committee and its sub-committee the senior asset and liability committee, regularly reviews performance against risk appetite. The board reviews liquidity and funding risk on a quarterly basis.

    Capital risk appetite is set by the board and reported through various metrics that enable the Group to manage capital constraints and shareholder expectations. The chief executive, assisted by the group asset and liability committee, regularly reviews performance against risk appetite. The board formally reviews capital risk on an annual basis.

    The risk of reputational damage, loss of investor confidence and/or financial loss arising from the adoption of inappropriate accounting policies, ineffective controls over financial, prudential regulatory and tax reporting and the failure to disclose information on a timely basis about the Group.

    The risk appetite is set by the board and reviewed on an annual basis. It includes the avoidance of the need for restatement of published financial and prudential regulatory data, public disclosures about the Groups financial, including tax, performance and its legal constitution.’

  • Nationwide Building Society Basle II Pillar 3 disclosures 2009:

    ‘Profitability
    Return on Capital
    External Rating
    Economic Capital
    Asset quality’

Some of the documents whose definitions of ‘risk appetite’ have been quoted above also include statements revealing the reality of what is envisaged.

| Source | Definition of ‘risk appetite’ | Related explanation |
| --- | --- | --- |
| HM Treasury's Orange Book | The amount of risk which is judged to be tolerable and justifiable | ‘5.2 In either case the risk appetite will best be expressed as a series of boundaries, appropriately authorised by management, which give each level of the organisation clear guidance on the limits of risk which they can take, whether their consideration is of a threat and the cost of control, or of an opportunity and the costs of trying to exploit it. This means that risk appetite will be expressed in the same terms as those used in assessing risk. An organisation's risk appetite is not necessarily static; in particular the Board will have freedom to vary the amount of risk which it is prepared to take depending on the circumstances at the time.’ |
| COSO's ERM framework offers two slightly different versions | (1) ‘the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals.’ (2) ‘the amount of risk an entity is willing to accept in pursuit of value.’ | They say that the broad-based overall level is to be translated into risk tolerances, which they define as follows: ‘Risk tolerances are the acceptable level of variation relative to the achievement of objectives.’ |
| Lloyds Market | ‘the willingness to take on risk’ | In section 3 of their Risk Management Toolkit they give detailed suggestions about how to write a risk appetite statement using lists of numerical limits and statements in text form. |

In the cases of the Orange Book and Lloyds Market the definitions of ‘risk appetite’ are inconsistent with the ideas subsequently explained.

Connotations of ‘appetite’

Although the phrase ‘risk appetite’ is getting some high level publicity at the moment (largely from the world of accountancy) it is not as widespread or as popular as one might imagine.

So far we've seen that many organizations and sources that one expects would provide a definition of ‘risk appetite’ do not and even some high profile organizations that use the phrase do not offer a definition. The definitions available are inconsistent with each other, with actual interpretations, and with the logic of decision making under uncertainty.

Further evidence of reluctant usage comes from the report Getting It Right recently published by the ICAEW and written by Independent Audit Limited. People they interviewed had a familiarity with the phrase and were able to talk about it, but few used it within their own companies.

More recently, my own survey on the phrase ‘risk appetite’ has confirmed that it means different things to different people and it is easy to come up with clearer, more self-explanatory terms to label the concepts we want to use.

Do we really need research to tell us that this phrase is a confusing one? Not really. The phrase ‘risk appetite’ is an analogy with physical appetites such as for food or drink but it doesn't work. We have appetites for things we like or even need, whereas risk is generally seen as a bad thing by definition, though often a necessary evil. Furthermore, the word ‘appetite’ suggests something personal and instinctive rather than a part of good, thoughtful, rational management of an organization in the interests of its stakeholders.

It is hardly surprising that many people think ‘risk appetite’ is a psychological construct of some kind related to personality or mood. This idea is also reflected in some of the definitions shown above.


It's good to govern risk taking. It can be helpful to set limits and there are other methods that can be used also.

What is not good, and should be avoided, is using the phrase ‘risk appetite’. From the start it has had illogical connotations and now it has a multiplicity of poor published attempts at definition.

Use a more self-explanatory and accurate phrase, such as ‘risk limits’ or ‘policies governing risk taking’, instead.

