What is risk appetite?

8 min read
Created:   August 20, 2020
Updated:   July 14, 2025
What is risk appetite in a company?
3:08

Every decision you make impacts the future of your business. But are you making decisions aligned with your company’s risk appetite, or are you simply reacting to circumstances?

Imagine two companies in the same industry, facing the same challenge: expanding into a new market.

  • Company A decides to wait, afraid of financial and regulatory impacts.

  • Company B analyzes its risk appetite, evaluates potential scenarios, and moves forward with confidence.

Both face risks, but only one manages them strategically. The difference lies in making decisions based on risk appetite.

Many companies define their risk appetite on paper, but fail to apply it when making decisions. As a result, they either become overly conservative and miss opportunities or take risks without assessing their potential impact.

This is where risk management software plays a vital role: it enables informed decision-making aligned with the company’s strategy.

what-is-risk-appetite

What is Risk Appetite and How Does It Impact Decision-Making?

Risk appetite refers to the level of risk an organization is willing to accept in pursuit of its objectives. In other words, it is the degree of impact a company is prepared to tolerate in order to achieve its goals. It also reflects how prepared a company is to consciously, systematically, and strategically face uncertainty.

Although a company’s board of directors may know its limits, risk appetite is often overlooked, not only when managing risk but also when setting and evaluating strategic priorities.

That is how it works in business. The level of risk that the company is willing to take leads to decision-making, and it guides them.

*Graph taken from the article "Definition and Implementation of Risk Appetite" by the Institute of Internal Auditors of Spain.

In general, a company's risk appetite depends on its industry, market, economic capacity and organizational culture. And although delimiting the risk appetite is a regulatory obligation, it is a strategic element that contributes to good business decisions and strengthens corporate governance, as well as risk supervision.

The level of risk that the company is willing to assume allows for better decisions according to the strategic objectives. It is also important to consider the economic capacity and possible losses. For example, if in an investment opportunity the probability of loss is 50 percent or more, it is advisable to refrain from investing; it is necessary to analyze whether it can tolerate those risks or if they could lead to bankruptcy.

In this article, you will learn what risk appetite is, how it differs from risk tolerance, what to take into account when analyzing it, and how to use it to avoid making mistakes by not innovating or exceeding the limits in your organization.

Therefore, proper risk identification and management help to generate efficiency in financial operations, improve the company's performance, and give greater value to processes because uncertainties become opportunities and the organization is aligned with its uncertain environment.

Today, companies must develop comprehensive risk management plans that incorporate new technologies, evolving regulations, and shifting market and country conditions. These plans enable the identification, analysis, and transformation of uncertainties into opportunities that enhance brand value.

When a company identifies and analyzes the risks to which it is exposed, it must draw the limits of risk acceptance, knowing what risks it is willing to accept in the search for value to achieve its goals, according to the company's capacity and its risk policies.

In risk management, establishing the risk appetite is crucial, as it determines the level of risk the company will face. This, in turn, informs the required resources and efforts to manage and mitigate potential impacts. In this way, financial risks are prevented. An example of this is investments.

Suppose there are two different investment portfolios. In the first one, the risk of loss is very high, but the level of profit can be higher in case the investment is successful. In the second, the risk of loss is very low, but the profit margin is very small.

Which of the two is more convenient? That depends on your objectives. If you want a fixed income and want to avoid significant losses, perhaps the second option is the best. But if you are looking for a higher return on your investment, the first one would be more convenient.

It works in the same way in the business environment. The level of risk that the company is willing to assume drives decision-making and directs it.

However, this level can also be relative to a specific category of risk. For example, depending on the strategic objective of an organization, a company may accept a high level of risk for investment. But if the investment is made in an emerging company and there is more than a 50% probability of losing half of the capital, the company refrains from investing.

This deviation in appetite is known as risk tolerance.

 

h_pirani_blog_august_grafica

This figure explains the two concepts. At each of the extremes is the minimum and maximum risk that a company can assume, its total risk capacity.

The green space in the middle is the risk appetite, i.e., how much risk the company is willing to assume.

And finally, the yellow space after it indicates the tolerance level, i.e., the acceptable level of variation in risk that a company assumes for a specific objective, such as investing in an emerging company.

According to this scheme, risk appetite is broader in scope and depends on the overall mission of the organization. Risk tolerance, on the other hand, aims at more specific and concrete objectives.


risk-management-guide-from-scratch

Risk Appetite vs. Risk Tolerance

In a visual model:

  • The total capacity for risk spans from minimum to maximum.

  • The green zone in the middle is the risk appetite—how much risk the company is willing to take.

  • The yellow zone beyond that is risk tolerance—how much deviation from that appetite is acceptable for a specific objective (e.g., investing in a startup).

According to this model:

  • Risk appetite is broader and tied to the organization’s overall mission.

  • Risk tolerance applies to more specific goals.

The Colombian Institute of Public Accountants outlines the characteristics of each:

Risk Appetite

  • Defined by management and the board at the entity level

  • May be expressed as the balance between growth, risk, and return

  • Can be visualized through a risk map

  • Nonprofits may define it as the level of risk accepted in delivering stakeholder value.

Risk Tolerance

  • Represents the acceptable variation in achieving a particular objective

  • Should be measurable, ideally in the same units as the related goal

  • Must align with risk appetite

  • Requires clarity on what constitutes unacceptable exposure

  • Helps define which scenarios management is uncomfortable facing

Why It Matters for Decision-Making?

Because it serves as a framework for evaluating what opportunities to pursue and which to avoid, ensuring decisions support strategy and sustainability.

Without a clear risk appetite:

  • A company might be too conservative, missing out on growth

  • Or too aggressive, taking uncontrolled risks that threaten financial and reputational stability

In a competitive market, the balance between taking strategic risks and protecting the business sets leaders apart.

Example: Two Companies Considering AI Investment

Imagine two firms in the same sector evaluating AI investments. Their decisions will depend on how much risk they’re willing to assume, what returns they expect, and how they define their risk appetite and tolerance.

How to Calculate Risk Appetite and Tolerance?

It depends on the company’s strategic goals. But key factors to consider include:

  • Industry type

  • Risk culture

  • Competitiveness

  • Organizational goals

  • Financial capacity

Circumstantial elements—such as budget, staff capabilities, and tech infrastructure—also play a role. Therefore, risk appetite and tolerance should be reviewed regularly and adjusted as the context changes.

What to Consider When Assessing Risk Appetite?

The Seminar on Risk Management and Evaluation Methods of the University of Chile states that "risk appetite is the amount of risk, at a global level, that management and the board of directors are willing to accept in their search for value. It reflects the entity's risk management philosophy and influences the culture and style of operation".

In addition, he recommends that risk appetite be considered when defining strategy and aligned with it because it allows for the balance of the organization, people, processes, and infrastructure. “It is the acceptable balance between the goals of growth and environment, with risks, or how the measure of risk adjusted for aggregate shareholder value, can be expressed in quantitative or qualitative terms.”

Questions to ask when assessing risk appetite:

  • What risks are acceptable or not in our lines of business?

  • Is the company comfortable with the current risk levels in each area?

  • Are we prepared to accept more risk, and what return would we expect?

  • How far can we go in sacrificing short-term profits to gain market share?

Balancing Risk Appetite

Having a balanced risk appetite is key for decision making; therefore, an organization cannot overdo it or make a mistake by not taking any risks. If it is too high, it will not be able to adequately face threats and impacts, which could affect its solidity and reputation; and if it is too low, it will miss opportunities for growth and will remain stagnant, without new challenges or innovation.

Therefore, it is necessary to establish a balance in the risk appetite, which allows decision making, strengthens communication and corporate governance, as well as risk analysis and supervision, and activates a culture of risk awareness.

Additionally, knowing the organization's risk profile implies having a high-level view of the risks implicit in the business model, key activities, and segments that are relevant to its main stakeholders.

Uncertainty in the Pursuit of Value

In the quest to provide value to users, companies face various uncertainties, those situations in which an event could occur but the probability and the impact it would cause is not fully known.

A real example is when an organization makes a very high investment, but has no certainty of return because it was an experiment or a new product launched to the market, even if the company has made a strong research to know if it would be welcomed or not, or if it is a necessity for users, there will be uncertainty, an imperfect forecast of the future. Read: 3 types of indicators to manage risk.

Uncertainty involves both threats and opportunities, and it is up to risk management to determine the outcome of one or the other. To identify, evaluate, and manage uncertainty, the organization's risk must be managed.

Even if a company has a high level of uncertainty, analyzing the information correctly will help to reduce it; however, this uncertainty will not disappear in its entirety, no matter how deep and detailed the analysis is. The lack of information can bring risks,  and the company will not know if it is able to assume those risks or not, nor what the cost of those risks is.

The future, changes in consumer behavior and habits, as well as technology, are some of the uncertainties that companies analyze the most. This is precisely why it is important to measure risk appetite.

Start by using a risk matrix to evaluate likelihood vs. impact, and classify risks as acceptable, manageable, or unacceptable. Tools like Pirani make this process simpler and more effective.

Create free account

ebook-operational risk management system manual

No Comments Yet

Let us know what you think