Risk Appetite in Practice: Reflections from the Boardroom

Why risk appetite only works when it evolves with the organisation.

Mark Scales


Risk appetite is the mechanism by which a Board communicates its expectations for the management of risk in the organisation. This allows Management to operationalise those expectations day to day.

If it isn’t reviewed regularly and grounded in how the organisation actually operates, it quietly stops working.

Last month, I facilitated a series of risk appetite review sessions with the Executive Leadership Team and Board of a regulated, government-funded health services organisation. This was their fourth year of reviewing their risk appetite, and what struck me was how much had changed over the years, and how clearly that change needed to be reflected in their appetite.

This article shares some reflections from those sessions, what risk appetite is really for, why it needs ongoing attention, and how we approach reviewing it at StartRisk.


What risk appetite really is (and why we set it)

At its simplest, risk appetite defines how much risk an organisation is prepared to accept in pursuit of its objectives.

But in practice, that definition often undersells its importance.

A well-designed risk appetite statement is not just a governance artefact. It is:

  • A signal from the Board to Management about expectations
  • A decision-making reference point for executives
  • A filter for risk reporting
  • A mechanism for escalation, not just documentation

When risk appetite works, Management can confidently answer questions like:

  • Is this risk acceptable at our current level of controls?
  • Should this risk be escalated to the Board?
  • Are we being too conservative — or too exposed — in this area?

When it doesn’t work, risk appetite becomes a static document that lives alongside the risk framework but rarely influences behaviour.


How risk appetite supports effective risk management

The clearest pattern I see across small and medium organisations is this:

Either risk appetite is not defined OR it is not built into operational practice. This limits risk maturity and leads to a lack of clarity for both the Board and Management.

In practice, a risk appetite provides this clarity in four key ways.

It creates consistency

Without appetite, risk ratings become subjective. What one executive considers “acceptable”, another sees as a red flag. Appetite creates a shared reference point, reducing personal bias.

It enables focus

Boards don’t need visibility of every risk. They need confidence that risks outside appetite are clearly identified, escalated, and discussed.

It guides behaviour

When appetite is embedded, managers make better trade-offs. They know where they have discretion and where they don’t.

It links strategy and operations

Risk appetite is where strategy meets reality. It translates high-level objectives into practical boundaries for action.


Why risk appetite must be reviewed

For organisations that have a defined risk appetite, one of the most common issues I encounter is that it’s outdated.

In the recent sessions I facilitated, the organisation’s risk appetite had been formally reviewed each year for the prior four years, and each year changes had been made.

What had changed?

  • The organisation’s strategy had shifted
  • Governance and operational processes had changed and matured
  • The relationship between the Directors and Executive had matured with growing trust
  • Some Directors and Executives had changed, bringing new perspectives

This resulted in a number of changes to the risk appetite over the years including:

  • Refinement of risk language to fine-tune understanding and reflect real-world experiences
  • Changes to risk classes to reflect changes to business operations
  • Amendments to consequence criteria
  • A general shift towards being more tolerant of risk

As governance and organisations mature, they can often afford to accept more risk — not less.

If appetite isn’t reviewed to reflect that, it risks becoming overly restrictive, slows decision-making, and can quietly work against strategy.


Common risk appetite problems I see in practice

Across regulated small and medium businesses and not-for-profit organisations, the same issues come up repeatedly:

  • Appetite either not set OR set too conservatively and never adjusted
  • Appetite not embedded into operational risk processes
  • Appetite not reflected in risk reporting
  • Appetite linked too closely to historical incidents rather than current capability
  • Appetite statements reviewed on paper, but not tested against reality

All of these undermine the very purpose of risk appetite.


How we approach reviewing risk appetite at StartRisk

A risk appetite review should not be a theoretical exercise. It should be grounded in how the organisation actually operates today.

This is the approach we use.


Step 1: Start with Management’s reality

We begin by seeking structured feedback from operational leaders and Executive Management on how the current risk appetite is working in practice.

The focus is practical and evidence-based:

  • Where is the current appetite too restrictive?
  • Where is it too relaxed?
  • Are there specific examples where appetite has constrained good decisions?
  • Are there areas where risk exposure has grown beyond what was originally anticipated?

Specifically, we seek recommendations on:

  • Changes to appetite levels
  • Refinement of risk class definitions
  • Updates to consequence criteria
  • Emerging risk classes driven by strategy or environment

This is typically done through a combination of surveys, targeted interviews, and an Executive workshop.

What this does well is surface real operational tension, not just theoretical views.

By far the largest benefit is having Executive Management debate and align on what the risk appetite means for the organisation.


Step 2: Bring evidence to the Board and apply constructive challenge

The second stage is a facilitated Board session.

Management feedback is presented risk class by risk class, alongside:

  • Existing appetite statements
  • Current consequence definitions
  • Examples from operations
  • Observations on maturity and control effectiveness

This creates the conditions for constructive challenge.

For example, in one discussion, an Executive leader observed that as the organisation’s brand presence and credibility had strengthened, it could use that credibility to responsibly pursue stronger advocacy outcomes — though that meant accepting a higher level of brand and reputation risk than in the past. This led to a constructive conversation in which the Directors agreed and laid out their expectations for what would need to be true for the appetite level to be raised.

That insight only emerged because appetite was being reviewed in context, not in isolation.

The Board discussion then focuses on:

  • Whether the appetite still reflects the organisation’s strategy
  • Whether consequence definitions are still fit for purpose
  • Whether expectations are clear and operationally achievable

Changes are captured in real time, with clarity on intent.


Step 3: Embed the changes properly

Updating the appetite statement is the easy part.

The real work is embedding the change.

This includes:

  • Updating the Enterprise Risk Management Framework
  • Revising the Risk Appetite Statement
  • Aligning risk systems and tooling
  • Updating risk reporting thresholds
  • Rolling out changes through structured change management

That change management matters. Without it, people keep operating to the old rules.

We typically support this through:

  • Clear communication from leadership
  • Targeted training sessions
  • One-on-one conversations where appetite has materially shifted

This is where appetite moves from a document to a behaviour-shaping mechanism.


What typically changes over time

The sessions reinforced a pattern I see repeatedly in maturing organisations:

  • Greater acceptance of risk as governance and controls strengthen
  • Refined risk class definitions to reduce ambiguity
  • More nuanced consequence criteria aligned to real impacts
  • New risk classes introduced as strategy evolves
  • Clearer escalation triggers for Board reporting

These are signs of a more mature understanding of risk management, and that an organisation is finding its right level of risk: the one that enables it to pursue its strategic objectives with confidence rather than holding it back through unnecessary caution.


Final reflection

Risk appetite is not about being conservative or aggressive.

It’s about being deliberate.

If your risk appetite hasn’t been reviewed in years, there’s a good chance it no longer reflects who you are, how you operate, or where you’re trying to go.

When done properly, reviewing risk appetite becomes one of the most valuable governance conversations a Board and Executive team can have.

If this resonates, it’s often a sign the conversation is worth having. You’re welcome to book a no-obligation discussion with one of our risk experts.