Tags: Risk Management, Risk Appetite, Governance, Enterprise Risk Management

How to Write a Risk Appetite Statement: Examples and Templates

A risk appetite statement defines how much risk your organization is willing to accept in pursuit of its objectives. Learn the components of an effective statement, with templates and examples by risk category you can adapt for your organization.

Flow Team | GRC Insights | March 28, 2026 | 7 min read

A risk appetite statement answers a deceptively simple question: how much risk are we willing to take? It's the strategic foundation of your entire risk management program — without it, risk scoring is arbitrary, treatment decisions are inconsistent, and there's no principled way to say whether a risk is acceptable or not. If you're unclear on the distinction between appetite and tolerance, see Risk Appetite vs. Risk Tolerance first.

What a Risk Appetite Statement Includes

A complete risk appetite framework has three layers:

Layer | What it says | Example
Overall appetite | Strategic posture on risk-taking broadly | "We pursue controlled growth and accept moderate risk in competitive markets, while maintaining low appetite for risks that could result in regulatory sanction or loss of customer trust."
Category statements | Appetite by specific risk domain | "We have zero appetite for compliance violations that could result in regulatory action."
Tolerance thresholds | Measurable limits for each category | "No more than 2 open critical audit findings at any time."

All three layers are necessary. Most organizations have the first (a general philosophy) but lack specific category statements and measurable thresholds — which means the statement can't actually guide decisions.

Components of an Effective Statement

Each category-level statement should answer:

  1. What type of risk is being addressed (cybersecurity, operational, compliance, etc.)
  2. What level of appetite the organization has (zero, low, moderate, high)
  3. Why — the strategic rationale connecting appetite to objectives
  4. What is never acceptable — any absolute limits regardless of opportunity

A useful structure:

"[Organization] has [appetite level] appetite for [risk type]. We [accept/will not accept] [specific condition] because [strategic rationale]. Under no circumstances will we [absolute limit]."

Templates and Examples by Risk Category

Cybersecurity Risk

Zero appetite example (financial institution):

"We have zero appetite for cybersecurity risks that could result in unauthorized access to customer financial data or systems. We invest significantly in preventive and detective controls and require all critical systems to enforce MFA, encryption in transit and at rest, and continuous monitoring. We will not accept a residual cybersecurity risk rated above Medium for any system processing customer data."

Note that "zero appetite" here is stated for the outcome (unauthorized access), not as a claim that residual risk is nil. The final sentence sets the residual ceiling that makes the statement testable against the risk register.

Low appetite example (SaaS company):

"We have low appetite for cybersecurity risk, recognizing that our customers trust us with their operational data. We accept that some residual risk is unavoidable in a cloud environment, but we require that all high and critical cybersecurity risks have active mitigation plans and owners. We will not accept any residual risk above High without board-level sign-off."

Tolerance thresholds to pair with this:

  • Critical vulnerabilities open past the remediation SLA: ≤ 5 at any time
  • In-scope systems without MFA enforced for all user access: 0
  • Remediation SLA for Critical findings: ≤ 14 days

Compliance and Regulatory Risk

Zero appetite example:

"We have zero appetite for deliberate non-compliance with applicable laws, regulations, and contractual obligations. We accept that inadvertent compliance gaps may occur in a complex regulatory environment and require that all identified gaps have remediation plans within 30 days of identification. We will never knowingly operate in violation of regulatory requirements, regardless of business impact."

Low appetite example:

"We have low appetite for compliance risk. We are committed to achieving and maintaining SOC 2 Type II and ISO 27001 certification. We accept that minor findings may arise during audit cycles but require immediate escalation of any finding that could affect certification status or result in regulatory action."

Tolerance thresholds:

  • Open critical audit findings: ≤ 2
  • Overdue regulatory responses: 0
  • Controls failing effectiveness testing: ≤ 10% of total control population

Operational Risk

Moderate appetite example (growth-stage company):

"We accept moderate operational risk as a necessary consequence of operating at pace in a competitive market. We prioritize speed to market and accept that some processes may be less mature than ideal during growth phases. We require that all operational risks rated High or above have documented owners and mitigation plans, and that our critical customer-facing systems maintain 99.5% availability."

Low appetite example (enterprise):

"We have low appetite for operational disruptions that affect our customers or critical business processes. We invest in redundancy, business continuity planning, and disaster recovery for all Tier 1 systems. We accept that minor disruptions are unavoidable but require all incidents exceeding 2 hours of customer impact to trigger a formal post-incident review."

Tolerance thresholds:

  • Tier 1 system availability: ≥ 99.5% monthly
  • Time to recover from critical incidents (RTO): ≤ 4 hours
  • Days since last DR test: ≤ 365

Financial Risk

Low appetite example:

"We have low appetite for financial risk that could impair our ability to fund operations or meet obligations to customers and shareholders. We maintain a minimum cash runway of 12 months and require board approval for any single investment or commitment exceeding $500K. Under no circumstances will we accept financial risks that could result in insolvency or breach of banking covenants."

Tolerance thresholds:

  • Cash runway: ≥ 12 months
  • Revenue concentration (single customer): ≤ 25% of total revenue
  • Exposure to financial loss from any single event: ≤ $500K without board approval

Reputational Risk

Low appetite example:

"We have low appetite for reputational risk. Our brand and customer trust are core business assets. We require that all communications, partnerships, and business practices align with our stated values and would withstand public scrutiny. We will not pursue business relationships that carry material reputational risk regardless of financial upside."

Tolerance thresholds:

  • Customer satisfaction score: ≥ 4.0/5.0
  • Security incidents requiring public disclosure: 0; any occurrence triggers immediate executive notification
  • Negative media coverage of data practices: 0; any occurrence triggers an immediate communications review

Strategic Risk

Moderate appetite example:

"We have moderate appetite for strategic risk. We are in a competitive, fast-moving market and accept that bold strategic bets are necessary to achieve our objectives. We accept the possibility of strategic initiatives failing, provided we've validated assumptions through research and pilots. We will not make strategic commitments that could result in regulatory sanction or permanent reputational damage."


A Complete Risk Appetite Framework Structure

1. Preamble — Strategic context and purpose of the framework
2. Overall appetite statement — Organization-wide posture
3. Category statements — One statement per risk domain (4-6 typically)
4. Tolerance thresholds — Measurable limits per category (2-4 per category)
5. KRIs — Metrics that monitor proximity to tolerance thresholds
6. Escalation protocols — What happens when thresholds are breached
7. Governance — Who approves, reviews, and updates the framework
8. Review cadence — Annual for appetite, quarterly for thresholds

Common Mistakes

Writing a statement that can't be falsified. "We manage risk responsibly" is not a risk appetite statement — it has no teeth. If the statement doesn't help you decide whether a specific risk is acceptable or not, it's not doing its job.

Using identical language across categories. Cybersecurity risk and strategic risk have different profiles and different stakeholders. Generic statements like "we have moderate appetite for all risks" provide no decision guidance.

Setting appetite without tolerance thresholds. A statement without thresholds is aspirational, not operational. The threshold is what makes the statement enforceable — it's the line that triggers action when crossed.

Appetite that doesn't match reality. If your documented appetite is "zero appetite for system downtime" but your actual availability is 98.5%, either the statement is wrong or you're chronically in breach. The statement should reflect deliberate strategic choices, not aspirations disconnected from operating reality.

Never updating it. Risk appetite set during a startup phase doesn't fit an enterprise. Risk appetite set before a major acquisition doesn't account for the new risk profile. Review it annually and update it when strategy changes.

Connecting Appetite to the Risk Register

Risk appetite becomes operational when it's linked to your risk register:

  • Each risk's residual score is compared to the residual ceiling for its category
  • Risks above that ceiling are automatically flagged for treatment or escalation
  • Risk owners see each risk's position relative to appetite on dashboards
  • KRIs tied to tolerance thresholds alert when a threshold is being approached, not only once it is breached

A risk appetite statement that exists in a governance document but isn't reflected in daily risk management decisions provides compliance theater, not risk governance. Pair your statements with Key Risk Indicators to monitor proximity to each threshold in real time.
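As an added illustration of that linkage (example code written for this edit, not part of the original article or any product), the following Python check evaluates a set of KRI readings against the tolerance thresholds listed in the category sections above and flags risk register entries whose residual rating exceeds the ceiling for their category. The threshold values are the article's; the KRI readings, register entries, the category-to-ceiling mapping, the "approaching" margins and the escalation rule (one step over the ceiling goes to the risk committee, two or more to the board) are constructed assumptions.

```python
"""Check a risk register and KRI readings against tolerance thresholds.

Added example, not code from the original article. Threshold values
mirror the article's cybersecurity, compliance and operational examples;
the KRI readings, register entries, residual ceilings and escalation
rule are constructed sample data / assumptions.
"""
from dataclasses import dataclass
import operator

# Qualitative residual ratings in ascending order so they can be compared.
RATING_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Highest residual rating each category statement tolerates without
# escalation (assumed reading of the example statements, not a standard).
APPETITE_CEILING = {"cybersecurity": "Medium", "compliance": "Low", "operational": "High"}

_COMPARE = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}


@dataclass(frozen=True)
class Threshold:
    category: str
    kri: str              # name of the KRI reading this threshold constrains
    op: str               # "<=", ">=" or "=="
    limit: float
    margin: float = 0.0   # distance from the limit that counts as "approaching"

    def status(self, value: float) -> str:
        """Return BREACH, APPROACHING or OK for one KRI reading."""
        if not _COMPARE[self.op](value, self.limit):
            return "BREACH"
        if self.op == "<=" and value >= self.limit - self.margin:
            return "APPROACHING"
        if self.op == ">=" and value <= self.limit + self.margin:
            return "APPROACHING"
        return "OK"


# Thresholds taken from the article's category examples (margins assumed).
THRESHOLDS = [
    Threshold("cybersecurity", "critical_vulns_past_sla", "<=", 5, margin=1),
    Threshold("cybersecurity", "systems_without_mfa", "==", 0),
    Threshold("cybersecurity", "critical_remediation_days_max", "<=", 14, margin=3),
    Threshold("compliance", "open_critical_audit_findings", "<=", 2, margin=1),
    Threshold("compliance", "overdue_regulatory_responses", "==", 0),
    Threshold("operational", "tier1_availability_pct", ">=", 99.5, margin=0.1),
    Threshold("operational", "days_since_dr_test", "<=", 365, margin=30),
]

# Constructed KRI readings for one reporting period.
SAMPLE_KRIS = {
    "critical_vulns_past_sla": 4,
    "systems_without_mfa": 1,
    "critical_remediation_days_max": 9,
    "open_critical_audit_findings": 3,
    "overdue_regulatory_responses": 0,
    "tier1_availability_pct": 99.55,
    "days_since_dr_test": 200,
}

# Constructed risk register entries: id, category, residual rating, owner.
SAMPLE_REGISTER = [
    {"id": "R-101", "category": "cybersecurity", "residual": "High", "owner": "CISO"},
    {"id": "R-102", "category": "cybersecurity", "residual": "Medium", "owner": "CISO"},
    {"id": "R-201", "category": "compliance", "residual": "Critical", "owner": "GC"},
    {"id": "R-301", "category": "operational", "residual": "High", "owner": "COO"},
]


def evaluate_kris(thresholds, readings):
    """Map each KRI name to its status. A missing reading is treated as a
    breach: an unmonitored threshold cannot be claimed as met."""
    result = {}
    for t in thresholds:
        value = readings.get(t.kri)
        result[t.kri] = "BREACH" if value is None else t.status(value)
    return result


def flag_register(register, ceilings=APPETITE_CEILING):
    """Return entries whose residual rating exceeds the category ceiling,
    with an escalation path: one step over goes to the risk committee,
    two or more steps over need a board-level decision (assumed rule)."""
    flagged = []
    for entry in register:
        ceiling = ceilings[entry["category"]]
        gap = RATING_ORDER[entry["residual"]] - RATING_ORDER[ceiling]
        if gap > 0:
            flagged.append({**entry, "ceiling": ceiling,
                            "escalate_to": "board" if gap >= 2 else "risk committee"})
    return flagged


if __name__ == "__main__":
    for kri, status in evaluate_kris(THRESHOLDS, SAMPLE_KRIS).items():
        print(f"{status:11} {kri}")
    for item in flag_register(SAMPLE_REGISTER):
        print(f"{item['id']}: residual {item['residual']} exceeds ceiling "
              f"{item['ceiling']} -> escalate to {item['escalate_to']} "
              f"(owner {item['owner']})")
```

Two design points carry over to a real implementation: a KRI with no current reading is reported as a breach rather than silently passing, and the "approaching" state gives owners warning before the tolerance line is crossed, which is the point of pairing thresholds with KRIs.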

Frequently Asked Questions

What is a risk appetite statement?
A risk appetite statement is a formal declaration that defines how much and what type of risk an organization is willing to accept in the pursuit of its objectives. It is typically set by the board or senior leadership, documented in a risk appetite framework, and used to guide risk management decisions across the organization. Effective statements are specific by risk category, aligned to strategic priorities, and linked to measurable risk tolerance thresholds that define the boundaries of acceptable risk-taking.
Who approves the risk appetite statement?
The board of directors or equivalent governing body approves the overall risk appetite statement. This reflects that risk appetite is a governance-level decision — it defines the boundaries within which management operates. The risk committee or CISO/CRO typically drafts the statement and recommends tolerance thresholds, which management implements. The board reviews the statement at least annually and whenever significant strategic changes occur.
What is the difference between risk appetite and risk tolerance in a statement?
The risk appetite statement provides the qualitative strategic direction — 'we have low appetite for compliance risk' or 'we accept moderate operational risk in pursuit of growth.' Risk tolerance thresholds translate that qualitative stance into measurable limits — 'no more than 2 open critical audit findings,' 'system downtime not exceeding 4 hours per quarter.' Both live in the risk appetite framework: the statement sets direction, the thresholds enforce it.
How often should a risk appetite statement be reviewed?
Review the risk appetite statement annually as part of the strategic planning cycle, and whenever a significant business change occurs — M&A activity, entry into a new market, major regulatory change, or strategic pivot. The statement reflects the organization's strategic posture, which changes with strategy. Risk tolerance thresholds should be reviewed quarterly and tied to the risk register for automated breach alerts.
What happens when risk appetite is breached?
When residual risk exceeds the risk tolerance threshold for a category, the risk management framework should trigger a defined escalation: the risk owner reports to the risk committee, an action plan is required within a defined timeframe, and leadership formally decides whether to implement additional controls, transfer risk, or formally accept the elevated risk with documented rationale. The breach should also be reflected in the risk register and reported to the board if it falls above a materiality threshold.
