Risk appetite is the amount of risk an organization is ready to take in pursuit of its strategic objectives.
This concept of risk appetite has gradually made its way into various corporate governance codes since the 1990s.[1] Nowadays, most corporate governance codes state that the board is responsible for making sure that the monitoring and internal controls of the company are such that the firm operates within its risk appetite.
Given its implications for the board, risk appetite has attracted considerable attention since the financial crisis of 2008. This chapter presents the features and challenges in defining risk appetite for non‐financial risks. It highlights the necessary tradeoff between risk and reward, and between a fast‐moving organization and the cost of controls. Building on several established sources such as COSO,[2] it explains the most common recent standards regarding the structure of risk appetite, linking the different parts of a risk management framework.
“The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives (…) and should maintain sound risk management and internal control systems.”[3] Since they are directly named as responsible for determining risks, board members generally take a keen interest in defining risk appetites. But this is easier said than done, and many firms or institutions struggle with both the concept ...