Key point 1 — Risk Appetite

Approved by the board of directors — not just by management

Key point 2 — Risk Appetite

Expressed in both quantitative (e.g., maximum acceptable loss) and qualitative terms

Key point 3 — Risk Appetite

Reviewed at minimum annually or after any major strategic change

Key point 4 — Risk Appetite

Distinct from risk tolerance: appetite is strategic, tolerance is operational

Key point 5 — Risk Appetite

Serves as the reference to determine whether residual risk is acceptable

Back to Glossary

Term DefinitionRisk

Risk Appetite

The level of risk an organization is prepared to accept in pursuit of its objectives.

Risk appetite sets the boundary within which an organization operates. It is typically expressed as quantitative and qualitative thresholds, approved by the board and reviewed annually. A well-calibrated appetite prevents excessive risk-taking while avoiding paralyzing aversion. COSO ERM 2017 recommends expressing risk appetite in direct connection with strategy: each strategic objective should have an associated acceptable risk level. Risk appetite is distinct from risk tolerance (operational limits) and risk threshold (action triggers).

📌 Key points

Approved by the board of directors — not just by management
Expressed in both quantitative (e.g., maximum acceptable loss) and qualitative terms
Reviewed at minimum annually or after any major strategic change
Distinct from risk tolerance: appetite is strategic, tolerance is operational
Serves as the reference to determine whether residual risk is acceptable

Related certifications

These certifications cover the concept of "Risk Appetite" in depth.

CRMA· IIA

Certification in Risk Management Assurance (IIA)

IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.

See CRMA prep Try the preview

CIA· IIA

Certified Internal Auditor (IIA, 3 Parts)

The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.

See CIA prep Try the preview

🔗 Related concepts

Risk

Residual Risk

The level of risk remaining after controls and mitigations have been applied.

Risk

Inherent Risk

The level of risk before any controls or mitigations are applied.

Risk

Risk Register

A centralized document listing all identified risks of an organization.

Risk

Enterprise Risk Management (ERM)

An integrated, holistic approach to identifying and managing all organizational risks.

Risk

Key Risk Indicator (KRI)

A metric measuring the evolution of risk exposure over time.

📖 Related articles

ISO 31000: A Practical Guide to Enterprise Risk Management

13 min read·certification guides

Context Beats Data: Why a Finding Without Owner, Process, and Entity Is Just Noise

8 min read·industry news

Master this concept and more

Start your GRC certification journey today.

Explore Academy

View all 31 glossary terms

Back to Glossary

Term DefinitionRisk

Risk Appetite

The level of risk an organization is prepared to accept in pursuit of its objectives.

📌 Key points

Approved by the board of directors — not just by management
Expressed in both quantitative (e.g., maximum acceptable loss) and qualitative terms
Reviewed at minimum annually or after any major strategic change
Distinct from risk tolerance: appetite is strategic, tolerance is operational
Serves as the reference to determine whether residual risk is acceptable