How can risk appetite add value throughout the whole organisation?

4 min read
May 30, 2024

The majority of risk practitioners believe that risk appetite is useful at all levels of the business, according to our recent benchmark.

In the benchmark Risk appetite implementation and optimisation, we asked 120 risk leaders at large non-financial organisation a series of questions about the use of risk appetite in their organisations. There were a range of maturities:

With this spectrum of maturity, how can risk appetite be leveraged at different levels of the business? We've broken it down using the typical organisational structure.
According to our benchmark, here's how risk appetite is currently being used at different levels of the organisations:
risk appetite organisations (1)-1

Executive level

Appetite is agreed with the exco, audit and risk committee and board before being socialised through leadership committees.”

FTSE Metals and Mining Company

At most companies, risk appetite is set at the top of the organisation, before cascading down to business functions through risk owners.

The board approves risk appetite statements and ensures that they are aligned to pillars of the corporate strategy. In many companies, appetite statements are aligned to specific goals or objectives under the corporate strategy:

risk appetite alignment

In most cases, reporting to the board or executive committee requires an up-to-date view of where the business' principal risks are sitting, relative to the appetite settings agreed by the board. 

Whether this is based on qualitative assessment of the risks, or is backed up by metrics and quantitative data, risk appetite provides a framework for senior leaders to determine if going in a particular direction will expose the organisation to too much risk.

Risk appetite optimisation and implementation
Benchmarking 120 large non-financial organisations

Risk appetite implementation and optimisation benchmark pages

A number of Risk Leadership Network members flagged risk appetite implementation and optimisation as a key priority. Allowing them to benchmark against other organisations is our first step in supporting them. 

This 2024 benchmark explores how 120 large non-financial organisations in a range of geographies and sectors are setting risk appetite, embedding an understanding of risk appetite within the business, and using it to guide decision-making at different levels of the organisation.

Find out more about the report here.


Second line

Statements and KRIs are owned by group functions; they have responsibility for embedding and monitoring controls to meet appetite.”

ASX Telecommunications organisation

Second-line business functions, where the majority of risk owners typically sit, compile data about risk appetite, metrics, limits and tolerances and report this to the board. However, they also use risk appetite to trigger management action when risk exposure exceeds tolerance. 

Risk appetite is embedded in the enterprise risk assessment methodology at more than 70% of organisations. This enables risk owners (and more broadly, their departments) to validate their key risks against the organisation's appetite limits. In one organisation, for example, all departments validate key risks at least three times a year.

At some companies, risk appetite is also used in management incentive systems, with the goal of promoting more proportionate decisions. Appetite then, if backed up by qualitative metrics and data, can provide a framework for assessing risk management performance.

Risk Leadership Network combination logo_RGB(2)
Collaborate with experienced risk leaders on embedding risk appetite
Share ideas, benefit from lessons learned, and validate your approach before implementation.
Choose a topic


First line
“We train first-line managers on our appetite statements and encourage them to refer back when making decisions, especially in 'grey' areas”
Head of Risk

multinational privately-owned retail company

Risk appetite tends to get less traction the further down the business you go; in fact, risk appetite is only used in the first line at 13% of companies. Does this mean risk appetite is simply a leadership tool?

At those companies who have embedded risk appetite in the first line, a key action has been to obligate all staff to review and attest to reading risk appetite statements. The value here lies in the increased risk awareness organisation-wide.

By familiarising the overall business with risk appetite statements you can emphasis the key principle: that risk and opportunity work together. It's not enough to simply mitigate risks; in order for the business to be successful, it has to take calculated risks as well.

Helping first-line business units to use risk appetite more independently — i.e. through training sessions — can also be valuable from a risk-team perspective. While risk appetite would still be overseen centrally, first-line familiarity with, and use of, appetite, will free up the risk team's time and resources, allowing them to focus on strategically important issues.

Where to next?

Our Risk appetite implementation and optimisation benchmark was created in response to the priorities raised by a number of Risk Leadership Network members — all looking to embed risk appetite throughout their organisation. 

Benchmarking against other organisations was our first step in supporting them. Now, we're continuing to support each member in their specific priorities by facilitating peer-to-peer collaboration via:

  • 1-to-1 calls with practising risk leaders who have successfully embedding risk appetite within a similar organisation;
  • Virtual workshops allowing risk leaders to share ideas, lessons learned, and validate their approach prior to implementation;
  • Bespoke benchmarks, tools, and templates that solve specific issues and challenges.

We allow prospective members to get involved in one collaboration as a guest. Fill in this form to request to collaborate with leading CROs and heads of risk on risk appetite. 

Get new posts by email