Setting a Risk Appetite That Actually Helps People Make Decisions

Part 4 of a six-part series on what happens when a capable Finance Manager gets handed risk management and no one gives them a map.

Mark Scales

TL;DR

In Part 1, Jess worked out that risk management does not start with a template. In Part 2, she assessed what the organisation was really working with. In Part 3, she built a first working risk register that people could actually use.

Now she has a harder question to answer.

How much risk is the organisation actually prepared to accept?

That is what risk appetite is meant to clarify.

Not as a glossy Board statement full of impressive words. Not as a compliance document that gets approved once and ignored. A good risk appetite statement should help the Board, CEO and management team make better decisions about what is acceptable, what needs action, and where the organisation may be doing too much.

For smaller and mid-sized organisations, the goal is not to create a complicated appetite framework. The goal is to create enough clarity that people know where the boundaries are.

The question sitting underneath the register

Jess has a first working risk register now. It is not perfect. That is fine.

It has twelve risks. Clear statements. Named owners. Real controls. Current ratings. A handful of practical actions. It is the first time the organisation has been able to look at its risk profile and say, “Yes, that broadly looks like us.”

That alone is progress.

But as Jess prepares the next Board paper, she notices something uncomfortable.

The register says which risks are high, medium or low. It shows what controls are in place. It lists what management is planning to do next.

What it does not say clearly is whether the organisation is comfortable with any of this.

  • A cyber risk is rated high. Is that acceptable for now because treatment is underway, or is it outside tolerance and in need of urgent escalation?
  • A funding concentration risk is rated high. Is that just the reality of the current business model, or is the Board expecting management to actively reduce dependence over the next twelve months?
  • A compliance risk is rated medium. Is medium okay, or is any material compliance weakness unacceptable given the organisation’s obligations?
  • A workforce risk is rated medium too. But everyone knows the organisation is stretched. Should they invest more in capability and succession planning, or is that just the level of risk they are willing to carry while funding remains tight?

The register has created visibility.

Now the organisation needs judgement.

That is where risk appetite comes in.

Risk appetite is not a fancy way of saying “low risk”

This is the first thing Jess has to get straight.

When people hear “risk appetite”, they often assume the goal is to say the organisation has a low appetite for risk.

Of course the Board does not want bad things to happen. Nobody does. But risk appetite is not meant to be a list of things the organisation would prefer to avoid.

It is meant to answer a more practical question:

What level of risk are we prepared to accept in pursuit of our objectives?

That last part matters. In pursuit of our objectives.

Because the organisation is not trying to eliminate risk. It is trying to achieve something. Deliver services. Grow sustainably. Win funding. Support clients. Protect staff. Improve systems. Innovate. Stay financially viable.

Every one of those goals involves risk.

  • If the organisation wants to grow, it may need to accept some delivery strain, hiring risk, technology risk, and financial uncertainty.
  • If it wants to protect vulnerable clients, it may need very low tolerance for safeguarding failures, privacy breaches, and poor-quality service delivery.
  • If it wants to innovate, it may need to accept that some experiments will not work.
  • If it wants financial resilience, it may need to make harder decisions about programs, pricing, reserves, and funding dependence.

So the question is not, “Do we like risk?”

The question is, “Which risks are we willing to take, which risks must be tightly controlled, and which risks are outside the line?”

That is a much better conversation.

The Board has to be in this

Jess’ first instinct is to draft something herself.

That is understandable. She knows the register. She knows the risks. She knows the Board wants better reporting. She could probably pull together a decent first version, send it to the CEO, tidy it up, and get it into the next Board pack.

But that would miss the point.

Management can absolutely draft, recommend, explain and operationalise risk appetite. But the Board has to play a central role in setting it.

The Board needs to be involved because risk appetite is fundamentally a governance choice. It defines the level of risk the organisation is willing to accept while pursuing its strategy. That is not just an operational setting. It is part of how the Board directs, oversees and holds management accountable, and it is part of how Directors discharge their duties as Directors.

The Board should be clear about the organisation’s boundaries before management has to make the hard calls.

  • How much financial volatility is acceptable?
  • How much dependence on one funder, customer, system, supplier, or key person is too much?
  • How much service disruption can the organisation tolerate?
  • Where does the Board expect zero tolerance?
  • Where is it genuinely open to calculated risk?
  • Where is it worried the organisation is being too cautious?

These are Board-level questions.

And for Jess, this changes the task. She is not trying to write the perfect risk appetite statement in isolation. She is trying to create the conditions for the right Board and executive conversation.

Why this gets difficult

On paper, risk appetite sounds sensible.

In practice, it can get awkward quickly.

Because once you ask how much risk the organisation is prepared to accept, you start exposing differences that were previously hidden.

One director may have a very low appetite for financial risk because they are worried about sustainability. Another may be more comfortable using reserves to fund growth. The CEO may want more room to move. The CFO may want tighter limits. Operations may already feel under-resourced and see “low appetite” statements as unrealistic unless funding follows.

Everyone can agree with motherhood statements.

“We have a low appetite for risks that compromise safety.”

Fine. But what does that mean when the organisation needs to decide whether to continue delivering a service with thin staffing coverage?

“We have a moderate appetite for innovation.”

Fine. But does that mean the organisation can pilot an AI tool? Change a client-facing process? Invest in a new platform? Move quickly before every policy is perfect?

“We have a low appetite for compliance risk.”

Fine. But what does that mean when the organisation has known policy gaps, limited internal assurance, and a team already at capacity?

The hard part is not writing the sentence. The hard part is being clear about what the sentence requires.

The common mistakes

The first mistake is making the risk appetite statement too abstract.

“We have a balanced appetite for strategic risk and a conservative appetite for operational risk.”

That might sound mature, but it does not help a manager decide what to do on Monday morning.

The second mistake is making everything low appetite.

This feels safe. It is not.

If every category says low appetite, the statement stops helping anyone make a decision. It becomes a values poster. The organisation says it has low appetite for everything, while continuing to operate with known exposures because real life has not changed.

That creates a credibility problem.

The third mistake is confusing appetite with aspiration.

A Board might want low risk in cybersecurity, workforce capability, compliance, service quality, and financial sustainability. Fair enough.

But if current controls are weak, systems are old, roles are unclear, and assurance is limited, the organisation may not actually be operating within that appetite.

That does not mean the appetite is wrong. It means the gap needs to be visible.

The fourth mistake is creating a statement nobody uses.

This is the most common one.

The Board approves it. Management files it. The risk register keeps getting updated exactly as before. Board papers still say “high risk” without explaining whether that risk is inside or outside appetite. Investment decisions still happen without reference to appetite. Nobody changes what they escalate.

At that point, a document exists but the appetite does not.

Start with the decisions appetite needs to support

Jess catches herself almost making the same mistake. She is about to start with categories.

Strategic. Financial. Operational. Compliance. People. Technology. Reputation.

That structure is not wrong. She will probably need something like it.

But it is not the starting point.

The better starting point is to ask: what decisions should this help us make?

For her organisation, the answer is pretty practical.

  • The Board wants to know when a risk is outside comfort and needs attention.
  • The CEO wants to know where management has authority to accept risk and where it needs Board input.
  • Risk owners need to know when “we are managing it” is enough and when they need to do more.
  • Jess needs to know how to report risk in a way that does not just show ratings, but shows whether exposure is acceptable.

That gives her the design brief.

The risk appetite statement does not need to impress a risk specialist.

It needs to help these people make these decisions.

Keep the first version simple

For an organisation of Jess’ size, 40 staff, the first version of risk appetite should be simple enough to explain in a short meeting.

Not simplistic. Simple.

Jess decides the organisation does not need a 15-page appetite statement. Not yet.

It needs a practical statement across a small number of categories that reflect the organisation’s actual risk profile against its strategic objectives.

Something like:

  • Strategic and growth risk
  • Financial sustainability
  • Service delivery and client outcomes
  • People and safety
  • Compliance and legal obligations
  • Cyber, data and systems
  • Reputation and stakeholder trust

That is enough to start.

For each category, she needs to help the Board express three things.

First, the general appetite. Is the organisation open to this type of risk, cautious about it, or highly averse to it?

Second, the practical boundaries. What would be acceptable, and what would not?

Third, the escalation trigger. When does management need to bring the issue to the CEO, executive team, Board committee, or full Board?

That is where the statement starts becoming useful.

Not just “low appetite”.

Low appetite for what? Under what conditions? With what trigger for action?

A better way to phrase appetite

Jess drafts a few examples.

Not final wording. Just enough to start the conversation.

For financial sustainability:

We have a low appetite for risks that threaten the organisation’s financial viability, breach Board-approved budget settings, or materially reduce our ability to meet obligations. We may accept short-term financial pressure where it is linked to an approved strategic investment, provided the impact is understood, monitored and reported.

That is more useful than “low appetite for financial risk”.

It recognises that not all financial risk is bad. Some may be deliberate. But it draws a line around viability, obligations and Board-approved limits.

For service delivery:

We have a low appetite for risks that could result in serious harm to clients, unsafe service delivery, or sustained failure to meet core service commitments. We may accept temporary service disruption during planned change, provided impacts are assessed, communicated and actively managed.

Again, that is more realistic.

It does not pretend disruption will never happen. It distinguishes between unmanaged harm and managed change.

For innovation:

We have a moderate appetite for innovation that improves service quality, efficiency or sustainability, provided pilots are controlled, privacy and compliance obligations are met, and lessons are captured before broader rollout.

That gives management room to move.

It also stops “innovation” being used as a free pass.

For compliance:

We have a very low appetite for deliberate, repeated or material breaches of legal, regulatory or contractual obligations. Where compliance gaps are identified, we expect timely escalation, clear ownership and practical remediation.

That is strong, but not naive.

It recognises that gaps may exist. What matters is whether the organisation identifies them, escalates them, owns them and fixes them.

Jess can work with this.

More importantly, the Board can react to it.

Use the register to make appetite real

This is where the work Jess completed in Part 3 starts paying off.

Jess already has a risk register with twelve key risks. That means she does not have to discuss appetite in the abstract.

She can bring the Board and executive team back to real examples.

Take the cyber risk.

The register says there is a risk that a cyber incident caused by weak access controls and limited staff awareness results in service disruption, data loss and reputational damage.

The current rating is high.

Existing controls include MFA on some systems (not all), backups, outsourced IT support, and basic staff awareness. But access reviews are inconsistent, and the incident response plan is out of date and has never been tested.

So Jess asks:

  • Given our appetite for cyber, data and systems risk, is this current exposure acceptable?
  • If yes, are we consciously accepting it?
  • If no, what level of treatment does the Board expect, and how quickly?

That is a much better conversation than debating whether the risk is high or medium.

Same with funding concentration.

The organisation depends heavily on two major funding streams. Everyone knows this. The register now says it clearly.

So Jess asks:

  • Given our appetite for financial sustainability risk, how much concentration are we prepared to carry?
  • At what point does this become outside appetite?
  • What would the Board expect management to do: diversify revenue, build reserves, strengthen funder relationships, reduce cost exposure, or simply monitor the risk more closely?

Now appetite is doing its job.

It is turning risk information into governance judgement.

Do not pretend the current state matches the appetite

This is one of the most important parts.

Setting a risk appetite for the first time, or resetting it after a period of change, will often reveal that the organisation is currently operating outside appetite in some areas.

That is not failure. That is the point.

  • If the Board says it has a low appetite for cyber risk, but the organisation has weak access controls, limited training and no tested incident response plan, then the organisation is probably outside appetite.
  • If the Board says it has a low appetite for compliance risk, but policies are out of date and nobody is checking whether key controls are working, then the organisation may be outside appetite.
  • If the Board says it has a low appetite for key-person dependency, but three critical processes live in the head of one person, then the organisation is outside appetite.

That can feel uncomfortable.

Good.

Risk appetite is not there to make people feel tidy. It is there to make reality visible.

The trick is not to panic every time something is outside appetite. The trick is to be clear about what happens next.

  • Some outside-appetite risks require urgent action.
  • Some require a treatment plan over time.
  • Some may be accepted temporarily because the organisation does not yet have the resources to fix them properly.

But that acceptance should be conscious and documented.

Appetite also tells you where you might be doing too much

This is the part people miss.

Risk appetite is not only about finding areas where controls are too weak.

It can also reveal where the organisation is over-controlling. That matters for smaller organisations.

A 40-person NFP does not have infinite management capacity. A growing SME cannot treat every risk like a bank would. Every extra approval, checklist, committee paper and control has a cost.

Sometimes that cost is worth it. Sometimes it is just bureaucracy wearing a governance badge.

Jess sees this in one area almost immediately.

The organisation has a low-value procurement process that requires multiple approvals, even for routine purchases. It was introduced years ago after a minor issue, and nobody has questioned it since. Managers complain about it constantly. Finance spends time chasing approvals that do not materially reduce risk.

At the same time, there are much bigger risks in contract management, cyber access, and workforce dependency that receive less attention.

That is backwards.

Risk appetite should help the organisation make those trade-offs.

Do less where the risk does not justify the control burden.

Do more where the exposure genuinely matters.

For Jess, this is a lightbulb moment.

Risk appetite is not just about saying no. It is also about giving management permission to stop wasting energy on the wrong things.

The Board workshop

Jess and the CEO decide not to send the Board a finished risk appetite statement for approval.

Instead, they set up a focused discussion.

That is the right call.

The Board does not need a theoretical lecture. It needs a practical conversation.

Jess prepares a short paper with four parts.

First, a plain English explanation of risk appetite.

Not too much. Just enough.

Second, the current top risks from the register.

The Board has seen these before, but now they are being used differently.

Third, a set of proposed appetite categories and draft statements.

Not final. Draft.

Fourth, a small number of scenarios.

This is the most useful part.

For example:

  • The organisation has an opportunity to expand a service into a new region, but delivery capacity is already stretched.
  • A key funder wants a fast turnaround on a new contract with reporting obligations the organisation has not handled before.
  • A cyber review finds access control gaps across several systems.
  • A long-serving manager resigns, and two critical processes are not documented.
  • A proposed technology pilot could improve efficiency, but involves sensitive data and an untested vendor.

These scenarios make the conversation real.

Directors respond better to practical judgement calls than abstract appetite labels.

Jess asks the Board:

  • Would we accept this?
  • Would we accept it with conditions?
  • Would we want it escalated?
  • Would we expect management to stop, reduce, transfer, accept and monitor, or proceed?

Now they are not word-smithing. They are governing.

What good looks like

By the end of the process, Jess is not aiming for perfection.

She is aiming for a usable first version.

A good risk appetite statement for an organisation at this stage should do a few things well.

  • It should be written in plain English.
  • It should be connected to the organisation’s strategy and operating reality.
  • It should distinguish between different types of risk.
  • It should include practical boundaries.
  • It should connect to the risk register.
  • It should support decision-making.
  • And it should be reviewed as the organisation changes.

Risk appetite is not set forever. Growth changes appetite. Funding changes appetite. Regulation changes appetite. Incidents change appetite. Board composition can change appetite too.

The first version just needs to be good enough to start better conversations.

What Jess adds to the register

Once the Board has agreed the first version, Jess updates the risk register.

She does not rebuild the whole thing.

She adds one simple field:

Within appetite?

The answer can be:

  • Yes
  • No
  • Unclear

That is enough for now.

For each top risk, she works with the risk owner and CEO to assess whether the current exposure sits within the Board’s stated appetite.

  • The cyber risk is outside appetite.
  • The funding concentration risk is partly within appetite, but needs closer monitoring and a longer-term diversification plan.
  • The workforce dependency risk is outside appetite in two critical areas.
  • The innovation risk is within appetite for small controlled pilots, but not for organisation-wide implementation without stronger governance.
  • The low-value procurement control burden is probably more conservative than appetite requires.

That last one surprises people.

But it is useful.

The register now shows not only what the risks are, but whether the organisation is comfortable with them.

That changes the Board paper.

Instead of saying:

  • Cyber risk remains high.

Jess can now say:

  • Cyber risk remains high and is outside the Board’s stated appetite due to inconsistent access reviews and an untested incident response plan. Management has commenced treatment actions and will provide an update next quarter.

That is a different level of clarity.

Instead of saying:

  • Workforce risk is medium.

She can say:

  • Workforce dependency remains partly outside appetite in two critical processes where documentation and cross-training are not yet in place.

Now the Board knows where to focus.

Management knows what needs action.

Jess is not just maintaining a register anymore.

She is helping the organisation govern.

The practical rhythm

The danger now is that everyone treats the appetite statement as a one-off project.

Jess needs to stop that happening. So she builds it into the rhythm.

  • When the executive team reviews the risk register, they do not just ask whether ratings have changed. They ask whether any risks have moved outside appetite.
  • When a new project is proposed, the business case includes a short appetite check.
  • When a Board paper recommends a major decision, it explains whether the recommendation is within appetite or requires the Board to consciously accept a higher level of risk.
  • When an incident happens, the post-incident review asks whether the event revealed an appetite breach, a control weakness, or an appetite statement that needs to be clarified.

None of this needs to be heavy.

In fact, it should not be.

The goal is not to create a risk appetite bureaucracy.

The goal is to make appetite part of how decisions are made.

That is when it becomes useful.

Where organisations usually land

For organisations like Jess’, the first appetite statement usually lands somewhere pragmatic.

  • They are willing to take some strategic and innovation risk if it helps them grow, improve services, or become more sustainable.
  • They are cautious with financial risk, especially where cash flow, reserves, debt, or funding concentration could threaten viability.
  • They have low appetite for risks that could harm clients, staff, vulnerable people, or service users.
  • They have very low appetite for deliberate legal, regulatory, privacy, safety, or fraud-related breaches.
  • They may tolerate some operational disruption during planned change, but not unmanaged disruption that leaves people exposed.
  • They want to protect reputation and stakeholder trust, but they also do not want fear of criticism to stop sensible improvement.

That is a realistic profile.

Not reckless.

Not frozen.

Just clear.

And for many organisations, clarity is the missing piece.

Where StartRisk fits

This is exactly the kind of work we help organisations with at StartRisk.

Sometimes that means helping the Board and executive team have the first proper risk appetite conversation or to reset after a period of change. Sometimes it means turning a messy risk register into something that clearly shows what is inside and outside appetite. Sometimes it means using the StartRisk platform to connect appetite, risk ratings, controls, treatment actions and Board reporting in a way that is simple enough to keep using and takes the admin hassle away.

The technology helps because it keeps the logic visible.

But the real value is still in the thinking.

  • What risks are we prepared to take?
  • Where are the boundaries?
  • Where are we outside appetite?
  • Where are we over-controlling?
  • What does the Board need to know?
  • What does management have authority to accept?

Those are the questions that turn risk appetite from a governance document into a decision-making tool.

If your organisation has a risk register but no clear view of what is acceptable, reach out. A conversation is usually the best place to start.

Next week, we get to the part that determines whether any of this actually sticks: how to get buy-in from the people who matter.