Risk appetite and ISO 31000


Risk appetite is a concept broadly used in prudential regulation and the financial sector, but it suffers from several definitional and operational problems. As a risk management concept one would expect to find it in ISO 31000, yet the term is neither defined nor directly referenced in the standard.

There is a definition of risk appetite in ISO Guide 73, Risk management – Vocabulary, but it is very broad and does not even mention objectives. In this article we explore the concept, explain why it is one of the fundamental ideas of risk management, and discuss how it can be implemented under ISO 31000.

How much risk?

All enterprises face a level of uncertainty in the achievement of their objectives. The purpose of risk management is to optimise risk by managing that uncertainty so that the value of the objectives is created and protected. This requires minimising negative consequences and maximising positive ones.


Too much risk is not good because it destroys value, and too little risk is not good either because it impedes the creation of value. The question is what constitutes a healthy appetite for risk.

The elements of risk appetite

There is plenty of literature on risk appetite, but not much consensus on the basic principles. A more complete set of definitions comes from Ernst & Young (2010):

  • Risk capacity: the amount and type of risk an organisation is able to support in pursuit of its business objectives.
  • Risk appetite: the amount and type of risk an organisation is willing to accept in pursuit of its business objectives.
  • Risk tolerance: the specific maximum risk that an organisation is willing to take regarding each relevant risk.
  • Risk target: the optimal level of risk that an organisation wants to take in pursuit of a specific business goal.
  • Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organisation’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.

Reviewing these definitions we extract the key elements:

  • Risk capacity sets the practical limits of risk, in direct relation to objectives;
  • Risk tolerance is subjectively determined by the risk attitude;
  • Risk target defines an optimisation goal; and
  • Risk limits set thresholds that help manage the target.

Risk appetite model

An important observation is that risk appetite is not a single parameter. It is a group of parameters that defines a space of values and limits designed to empower the organisation in the pursuit of its objectives. Risk capacity and risk tolerance are not single limiting values but ranges of acceptable values. Risk appetite should capture the downside as well as the upside of risk, and it defines the parameters within which the organisation operates.

The next step is to find a way to set boundaries and limits for each of the risk appetite parameters.

Although the absolute value of objectives can generally be agreed by all stakeholders, the relative value differs for each stakeholder. This utilitarian perception of risk is useful for determining risk tolerance and risk target.

Risk attitude

Value creation requires a positive attitude towards risk: to create value, organisations must be risk seeking. Protecting value, on the other hand, requires a negative attitude towards risk: to protect value, organisations are risk averse.

ISO 31000 uses the concept of risk attitude: the organisation's approach to assess and eventually pursue, retain, take or turn away from risk. The organisation's risk attitude determines the value and range of the risk tolerance and the risk target.

Having built a conceptual framework of risk appetite we can see its importance for risk management: in the same way that uncertainty is the foundation of risk, risk appetite is the foundation of risk management, because it defines the specific targets to manage and the parameters used to make decisions.

A clearly defined risk appetite provides a degree of transparency and helps stakeholders make informed decisions, one reason why the concept is favoured by financial regulators. Risk appetite is the cornerstone of the first principle of risk management (that risk management creates and protects value) because it defines the risk space in which value can be created and protected.

Risk appetite can refer to a single risk, a collection of risks or the aggregated risks of the enterprise. When a risk appetite is defined it is important to specify the level at which it applies. Risk appetite can apply equally to risk sources or to the consequences of events.

Risk appetite statement

One problem with risk appetite statements is that they can be too broad and fail to nominate specific measures. A risk appetite statement should include a description of what is to be measured and what the reference for the measurement is.

A common regulatory requirement is that the board of the organisation produce and own a risk appetite statement. Although there is no standard content or format, there are broadly two types of statement: some are produced at a high level and refer mostly to purpose and intention; the second type is specific and defines operational measures.

Both types of risk appetite statements have their place and are used for different purposes.

The building blocks of Risk appetite in ISO 31000

All the necessary elements to build a risk appetite framework can be found in ISO 31000.

Risk criteria are among the first elements to be defined within the risk management process. They are set as part of establishing the context and must be based on the objectives of the organisation and the environment in which it operates. The risk criteria define each of the elements needed to manage risk, and these include the risk appetite elements:

  • Risk capacity – the actual constraints the organisation has in pursuing its objectives
  • Risk tolerance – the desired amount of risk, based on the risk attitude of the stakeholders
  • Risk limits – the parameters set to manage the upper and lower bounds of desirable and acceptable risk

Risk criteria are a collection of parameters, not a single value. They describe multiple dimensions of risk and must be commensurable with the level of risk that will be determined at a later stage: every dimension in the criteria needs a matching measure in the level of risk, otherwise the two cannot be compared. It is good practice to specify these parameters as a distribution of values, either quantitatively or qualitatively.

Risk criteria are defined before risk assessment and guide the identification and analysis of risk. It is common practice to iterate through these steps until satisfactory risk criteria are achieved.

As risk criteria underpin the risk appetite, they should be aggregated to the level required by the risk appetite statement, either the strategic/enterprise level or the operational levels. It is important to be able to articulate the risk criteria clearly so they can be shared with and communicated to stakeholders. The risk criteria should be assigned to, and owned by, the risk owners.

[Figure: risk management process]

Level of risk is the second element used to implement risk appetite. It is an estimate of risk and must be commensurable with the risk criteria. It is determined during risk analysis and compared with the risk criteria during risk evaluation.

Depending on the size of the gap between the level of risk and the risk criteria, risk treatment decisions are made. These can be:

  • Reject the risk by removing risk sources and/or events
  • Increase the risk
  • Accept the risk by informed decision
  • Modify the risk by changing the net consequences and/or likelihood

The level of risk is determined during the risk analysis step of the risk management process, and there should be as many levels of risk as there are dimensions in the risk criteria.

Also, when analysing risk and determining the level of risk, it is prudent to include the rare events at the tail of the distribution rather than relying on the average alone.

An important consideration is that risk capacity is usually an aggregated measure for the organisation, whereas the level of risk is a single measure for a specific risk. To prevent systemic failure, all related risks should be combined in a risk profile and an aggregated level of risk determined for that group, so that it can be compared with the capacity.
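The following Python is an added worked example written for this article; it is not code from ISO 31000 or from the Ernst & Young paper. It models the risk appetite parameters described above (target, limits and tolerance per dimension, capacity at the aggregate level), estimates a level of risk on two dimensions (expected loss and a tail loss) from constructed annual-loss scenarios, checks that the level of risk is commensurable with the criteria before evaluating it, and aggregates related risks scenario by scenario before comparing the profile with capacity. The two risk names, all loss figures and thresholds, the nearest-rank quantile and the mapping from thresholds to the four treatment decisions are assumptions made for the illustration.

```python
"""Risk appetite as a set of parameters, checked against an estimated level of risk.

Constructed example: the risk names, loss figures and thresholds below are
illustrative and are not taken from any organisation or from ISO 31000 itself.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Criterion:
    """Risk criteria for one dimension (here: annual loss in kEUR)."""
    lower_limit: float   # below this, too little risk is taken and value is not created
    target: float        # optimal level of risk for this dimension
    upper_limit: float   # above this, management action is triggered
    tolerance: float     # maximum the organisation is willing to take on this dimension


# One Criterion per dimension; the level of risk must use the same dimensions.
RiskCriteria = Dict[str, Criterion]
LevelOfRisk = Dict[str, float]


def level_of_risk(losses: List[float], tail_percent: int = 90) -> LevelOfRisk:
    """Estimate the level of risk on two dimensions: expected loss and a tail
    loss (nearest-rank quantile at tail_percent), so that rare events at the
    tail of the distribution are not averaged away."""
    s = sorted(losses)
    rank = -(-tail_percent * len(s) // 100)       # ceil(p * n) using integer arithmetic
    return {"expected_loss": sum(s) / len(s), "tail_loss": s[rank - 1]}


def evaluate(level: LevelOfRisk, criteria: RiskCriteria) -> Dict[str, str]:
    """Risk evaluation: compare each dimension of the level of risk with the
    matching criterion and return a treatment decision per dimension.
    The threshold-to-decision mapping is an assumption of this example."""
    if set(level) != set(criteria):
        raise ValueError("level of risk is not commensurable with the risk criteria")
    decisions = {}
    for dim, c in criteria.items():
        value = level[dim]
        if value > c.tolerance:
            decisions[dim] = "reject"      # beyond tolerance: remove the source/event
        elif value > c.upper_limit:
            decisions[dim] = "modify"      # above the limit: change likelihood/consequence
        elif value < c.lower_limit:
            decisions[dim] = "increase"    # below the limit: too little risk is taken
        else:
            decisions[dim] = "accept"      # within limits: accept by informed decision
    return decisions


def aggregate_losses(profile: Dict[str, List[float]]) -> List[float]:
    """Combine related risks into a risk profile by adding losses scenario by
    scenario, so the aggregate level of risk has a proper tail of its own."""
    if len({len(v) for v in profile.values()}) != 1:
        raise ValueError("all risks in a profile must share the same scenario set")
    return [sum(column) for column in zip(*profile.values())]


def sum_of_tails(profile: Dict[str, List[float]], tail_percent: int = 90) -> float:
    """Naive aggregation, for comparison only: adding each risk's own tail loss."""
    return sum(level_of_risk(v, tail_percent)["tail_loss"] for v in profile.values())


def within_capacity(aggregate: LevelOfRisk, capacity: float) -> bool:
    """Risk capacity is an aggregate constraint: the profile's tail loss must fit."""
    return aggregate["tail_loss"] <= capacity


# Constructed annual-loss scenarios (kEUR): ten scenarios per risk, same scenario set.
PROFILE = {
    "credential_phishing": [10, 150, 5, 20, 8, 12, 30, 15, 60, 25],
    "service_outage":      [4, 6, 45, 2, 12, 3, 5, 20, 8, 10],
}

# Risk criteria per risk (assumed values); capacity applies to the aggregated profile.
CRITERIA = {
    "credential_phishing": {
        "expected_loss": Criterion(lower_limit=10, target=25, upper_limit=40, tolerance=80),
        "tail_loss":     Criterion(lower_limit=20, target=40, upper_limit=50, tolerance=120),
    },
    "service_outage": {
        "expected_loss": Criterion(lower_limit=15, target=25, upper_limit=40, tolerance=80),
        "tail_loss":     Criterion(lower_limit=5, target=20, upper_limit=40, tolerance=100),
    },
}
CAPACITY_KEUR = 100


def risk_appetite_report() -> Dict[str, object]:
    """Evaluate each risk on its own, then the aggregated profile against capacity."""
    report = {name: evaluate(level_of_risk(losses), CRITERIA[name])
              for name, losses in PROFILE.items()}
    aggregate = level_of_risk(aggregate_losses(PROFILE))
    report["aggregate"] = {"level": aggregate,
                           "within_capacity": within_capacity(aggregate, CAPACITY_KEUR)}
    return report


if __name__ == "__main__":
    for name, result in risk_appetite_report().items():
        print(name, result)
```

Two points the code makes that the prose only states: evaluation is done per dimension, so a risk can be acceptable on expected loss yet require treatment on its tail, and the tail of the aggregated profile (68 kEUR here) differs from the sum of the individual tails (80 kEUR), which is why related risks are combined scenario by scenario before being compared with capacity.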

Key points

  • Uncertainty is the foundation of risk, and risk appetite the foundation of risk management
  • Risk appetite is a universal concept applying to all sectors and types of organisations
  • Risk appetite applies to the upside and the downside of risk
  • Risk appetite is not a single metric, it is a group of parameters
  • All the building blocks of risk appetite are defined in ISO 31000


References

Ernst & Young (2010), "Risk appetite: the strategic balancing act".
ISO (2009), "ISO 31000:2009 Risk management – Principles and guidelines".
ISO (2009), "ISO Guide 73:2009 Risk management – Vocabulary".