Boundless Pages
The Organisation’s Risk Appetite
The organisation’s risk appetite is the level and type of risk it is willing to accept in pursuit of its objectives. It is shaped by several factors: the organisation’s capacity to absorb loss, its management culture and attitude toward risk-taking, and the scope of risks it considers. Risk appetite typically covers business risks, internal control risks, and other exposures tied to achieving strategic goals. Classifying risk appetite gives a framework for describing an organisation’s stance on risk.
A risk-averse organisation seeks to avoid risk altogether, prioritising stability and compliance. A minimalist appetite accepts only the bare minimum of risk needed to meet objectives. A cautious appetite takes on limited, well-understood risks. An open appetite embraces broader opportunities where the benefits justify the risk. A hungry appetite reflects a proactive pursuit of high-risk opportunities, often seen in industries driven by innovation or growth.
When determining its risk appetite, an organisation must also evaluate its risk assessment model, which identifies potential threats, their likelihood, and their possible impacts. Once the risk analysis is complete, the organisation must decide how to address and respond to each identified risk, choosing from the risk response options of avoidance, reduction, transfer, and acceptance. These decisions are influenced by its ability to mitigate risks through internal controls, its overarching goals, and its risk capacity. A clear understanding and alignment of risk appetite, assessment, and response strategies enables effective decision-making and ensures the organisation balances opportunity against resilience.