Risk Appetite Statement Template
A template for developing risk appetite statements.
What's included
- Appetite Definition
  - Risk categories
  - Tolerance levels
  - Acceptance criteria
- Governance
  - Board approval
  - Management application
  - Exception process
- Communication
  - Internal communication
  - Decision guidance
  - Reporting alignment
Best used when
- Formalizing risk governance
- Board risk committee setup
- Decision-making guidance
- Risk culture communication
Why this is Gold
Risk appetite guides decisions. This template creates clarity.
The template
RISK APPETITE PHILOSOPHY
Understanding Risk Appetite for CEOs
Risk appetite defines how much risk your company is willing to accept in pursuit of its objectives. Without a clear risk appetite, decisions become arbitrary—some too conservative, others too aggressive. A well-defined risk appetite creates a framework for consistent, strategic decision-making across the organization.
THE RISK APPETITE REALITY
═══════════════════════════════════════
WHAT RISK APPETITE IS:
Risk Appetite: The amount and type of risk an organization
is willing to accept in pursuit of its objectives.
Risk Tolerance: The acceptable variation from risk targets.
Risk Capacity: The maximum risk the organization can absorb.
Risk Appetite ≤ Risk Capacity (always)
WHY RISK APPETITE MATTERS:
Without defined risk appetite:
☐ Inconsistent decision-making
☐ Missed opportunities (too conservative)
☐ Excessive exposure (too aggressive)
☐ No basis for resource allocation
☐ No framework for board governance
With defined risk appetite:
☐ Clear decision framework
☐ Aligned risk-taking across organization
☐ Better board governance
☐ Faster decision-making
☐ Appropriate resource allocation
RISK APPETITE BY COMPANY STAGE:
EARLY STAGE (Pre-PMF):
☐ High appetite for product/market risk
☐ High appetite for competitive risk
☐ Medium appetite for operational risk
☐ Low appetite for compliance risk
☐ Low appetite for reputation risk
GROWTH STAGE (Scaling):
☐ Medium appetite for product/market risk
☐ Medium appetite for competitive risk
☐ Medium appetite for operational risk
☐ Low appetite for compliance risk
☐ Low appetite for reputation risk
MATURE STAGE:
☐ Lower appetite for product/market risk
☐ Medium appetite for competitive risk
☐ Low appetite for operational risk
☐ Very low appetite for compliance risk
☐ Low appetite for reputation risk
THE CEO'S ROLE:
☐ Define overall risk philosophy
☐ Set risk appetite by category
☐ Ensure board alignment
☐ Communicate appetite organization-wide
☐ Make decisions at appetite boundaries
☐ Review and update periodically
COMPREHENSIVE RISK APPETITE FRAMEWORK
Risk Appetite Statement Development
═══════════════════════════════════════
SECTION 1: RISK APPETITE STATEMENT
═══════════════════════════════════════
COMPANY RISK APPETITE STATEMENT
COMPANY: _______________
VERSION: _______________
APPROVED BY: _______________
APPROVAL DATE: _______________
NEXT REVIEW: _______________
STATEMENT OF RISK PHILOSOPHY:
[Company name] recognizes that taking calculated risks is
essential to achieving our strategic objectives and creating
stakeholder value. We maintain a [growth-oriented / balanced /
conservative] approach to risk, accepting risks that:
☐ Align with our strategic priorities
☐ Offer appropriate return for the risk taken
☐ Fall within our capacity to manage
☐ Do not threaten our ability to operate
☐ Protect our stakeholders and reputation
We have zero tolerance for:
☐ Willful regulatory or legal violations
☐ Ethical misconduct
☐ Reckless disregard for stakeholder safety
☐ Actions that threaten organizational survival
STRATEGIC CONTEXT:
Our strategic priorities (which inform risk appetite):
1. _______________
2. _______________
3. _______________
Key stakeholders to protect:
☐ Customers
☐ Employees
☐ Investors
☐ Partners
☐ Community
Risk Appetite by Category
═══════════════════════════════════════
SECTION 2: APPETITE BY CATEGORY
═══════════════════════════════════════
STRATEGIC RISK:
Definition: Risks related to business strategy, competitive
position, and market changes.
Appetite Level: ☐ High ☐ Medium ☐ Low
Risk Tolerance Statement:
We are willing to take significant strategic risks to
[achieve growth / maintain position / protect market share].
We accept uncertainty in [market direction / competitive
landscape / technology evolution] as inherent to our business.
Boundaries:
☐ We WILL accept: Market entry risk, product innovation risk,
competitive positioning risk, M&A risk (within capacity)
☐ We will NOT accept: Bet-the-company strategies without
board approval, irreversible commitments exceeding
___% of resources
Quantitative Limits:
☐ Single initiative investment: Max $_____ or ___% of capital
☐ Customer concentration: Max ___% from single customer
☐ Market concentration: Max ___% from single market
☐ Technology bet: Max ___% of R&D on unproven technology
OPERATIONAL RISK:
Definition: Risks related to people, processes, systems,
and external events affecting operations.
Appetite Level: ☐ High ☐ Medium ☐ Low
Risk Tolerance Statement:
We maintain [moderate / low] appetite for operational risk,
prioritizing reliable delivery to customers while accepting
some disruption risk to enable efficiency improvements.
Boundaries:
☐ We WILL accept: Process improvement risk, technology
modernization risk, organizational change risk
☐ We will NOT accept: Single points of failure for critical
systems, inadequate business continuity capability
Quantitative Limits:
☐ System availability target: ___% uptime
☐ Maximum acceptable outage: ___ hours
☐ Recovery time objective (RTO): ___ hours
☐ Recovery point objective (RPO): ___ hours
☐ Key person dependency: Max ___ critical roles single-covered
FINANCIAL RISK:
Definition: Risks related to financial position, liquidity,
capital, and economic exposure.
Appetite Level: ☐ High ☐ Medium ☐ Low
Risk Tolerance Statement:
We maintain [moderate / conservative] financial risk appetite,
prioritizing [growth investment / financial stability]. We
accept [higher burn for growth / lower growth for stability].
Boundaries:
☐ We WILL accept: Controlled burn rate for growth, reasonable
leverage for expansion, customer concentration (with limits)
☐ We will NOT accept: Runway below minimum threshold, excessive
customer concentration, unsupportable capital structure
Quantitative Limits:
☐ Minimum cash runway: ___ months
☐ Maximum burn multiple: ___x
☐ Maximum customer concentration: ___% single customer
☐ Maximum debt/equity ratio: ___x
☐ Minimum gross margin: ___%
COMPLIANCE RISK:
Definition: Risks related to laws, regulations, contracts,
and ethical standards.
Appetite Level: ☐ Very Low (always)
Risk Tolerance Statement:
We have zero tolerance for willful non-compliance with
applicable laws and regulations. We accept that compliance
is not optional and invest appropriately in compliance
programs.
Boundaries:
☐ We WILL accept: Reasonable interpretation risk, good-faith
compliance efforts, emerging regulation uncertainty
☐ We will NOT accept: Willful violations, knowing non-compliance,
inadequate compliance investment, regulatory arbitrage
Quantitative Limits:
☐ Target compliance: 100% with all applicable regulations
☐ Acceptable audit findings: Zero material, <___ minor
☐ Training completion: 100% of applicable personnel
☐ Compliance budget: Minimum $_____ or ___% of revenue
REPUTATIONAL RISK:
Definition: Risks to stakeholder perceptions and trust.
Appetite Level: ☐ Low ☐ Very Low
Risk Tolerance Statement:
We maintain low appetite for reputation risk, recognizing
that trust is essential to our success. We accept some
reputation risk from honest controversy but protect against
preventable reputation damage.
Boundaries:
☐ We WILL accept: Controversy from legitimate business
decisions, competitive criticism, honest mistakes
☐ We will NOT accept: Ethical violations, stakeholder
mistreatment, preventable trust erosion
Quantitative Limits:
☐ Customer satisfaction target: > ___
☐ Employee satisfaction target: > ___
☐ Reputation monitoring: Active on all channels
☐ Response time for issues: < ___ hours
TECHNOLOGY/CYBER RISK:
Definition: Risks related to technology, data security,
and cyber threats.
Appetite Level: ☐ Low ☐ Very Low
Risk Tolerance Statement:
We maintain [low / very low] appetite for technology and
cyber risk, recognizing the critical nature of data
protection and system integrity to our business.
Boundaries:
☐ We WILL accept: Managed technology evolution risk,
reasonable integration risk, calculated innovation risk
☐ We will NOT accept: Unpatched critical vulnerabilities,
inadequate access controls, insufficient security investment
Quantitative Limits:
☐ Critical vulnerability remediation: < ___ hours
☐ Security assessment frequency: Annual minimum
☐ Security training: 100% of employees
☐ Backup/DR testing: Quarterly minimum
Risk Boundaries and Limits
═══════════════════════════════════════
SECTION 3: BOUNDARIES AND LIMITS
═══════════════════════════════════════
RISK BOUNDARY SUMMARY:
| Category | We Accept | We Avoid | Hard Limits |
|----------|-----------|----------|-------------|
| Strategic | Market expansion, product innovation, competitive positioning | Bet-the-company without board, irreversible over-commitment | Single customer >___%, initiative >$_____ |
| Operational | Process improvement, tech modernization, org change | Single points of failure, inadequate BC | Uptime <___%, RTO >___ hrs |
| Financial | Growth burn, reasonable leverage | Runway <___ months, excessive concentration | Cash <$_____, burn multiple >___x |
| Compliance | Reasonable interpretation, good-faith efforts | Willful violations, knowing non-compliance | Zero material violations |
| Reputation | Honest controversy, competitive criticism | Ethics violations, stakeholder mistreatment | Customer sat <___ |
| Cyber | Managed evolution, calculated innovation | Unpatched criticals, inadequate controls | Any material breach |
ESCALATION THRESHOLDS:
| Risk Type | Management | CEO | Board |
|-----------|------------|-----|-------|
| Strategic investment | <$_____ | $_____ - _____ | >$_____ |
| Customer concentration | <___% | ___-___% | >___% |
| Compliance gap | Minor | Material | Critical |
| Reputation issue | Local | Industry | National |
| Security incident | Low | Medium | High/breach |
| Runway change | >___ months | ___-___ months | <___ months |
HARD LIMITS (Board approval required to exceed):
Financial:
☐ Minimum runway: ___ months
☐ Maximum single customer: ___% of revenue
☐ Maximum capital commitment: $_____ or ___% of cash
☐ Maximum debt: $_____
Operational:
☐ Minimum service level: ___%
☐ Maximum outage: ___ hours
☐ Minimum BC capability: ___
Compliance:
☐ Zero tolerance for willful violations
☐ Maximum acceptable audit findings: ___
Strategic:
☐ Maximum single initiative size: $_____
☐ Maximum market concentration: ___%
Risk Decision Framework
═══════════════════════════════════════
SECTION 4: DECISION FRAMEWORK
═══════════════════════════════════════
RISK DECISION CHECKLIST:
PROPOSED RISK/DECISION: _______________
Requestor: _______________
Date: _______________
Risk category: _______________
ALIGNMENT ASSESSMENT:
Strategic Alignment:
☐ Supports strategic objectives: ☐ Yes ☐ Partial ☐ No
☐ Consistent with company values: ☐ Yes ☐ No
☐ Within stated risk appetite: ☐ Yes ☐ Boundary ☐ Exceeds
Risk-Reward Assessment:
☐ Potential upside: _______________
☐ Potential downside: _______________
☐ Probability of success: ___%
☐ Expected value: Positive / Negative / Neutral
Impact Assessment:
☐ Magnitude of potential loss: _______________
☐ Probability of loss: ___%
☐ Reversibility: ☐ Fully ☐ Partially ☐ Not reversible
☐ Time to detect if wrong: _______________
Capacity Assessment:
☐ Resources required: _______________
☐ Resources available: ☐ Yes ☐ Constrained ☐ No
☐ Capability to manage risk: ☐ Strong ☐ Adequate ☐ Limited
☐ Impact on other initiatives: _______________
APPROVAL MATRIX:
| Within Appetite | Approval Level |
|-----------------|----------------|
| Clearly within | Management |
| At boundary | CEO |
| Exceeds | Board |
| Exceeds hard limit | Board (exceptional) |
DECISION OPTIONS:
☐ ACCEPT: Proceed as proposed
Rationale: _______________
☐ MITIGATE: Proceed with risk reduction
Mitigation required: _______________
Residual risk acceptable: ☐ Yes ☐ No
☐ TRANSFER: Shift risk to third party
Transfer mechanism: _______________
Residual risk: _______________
☐ AVOID: Do not proceed
Rationale: _______________
DECISION: _______________
APPROVED BY: _______________
DATE: _______________
CONDITIONS: _______________
Risk Appetite Communication
═══════════════════════════════════════
SECTION 5: COMMUNICATION
═══════════════════════════════════════
STAKEHOLDER COMMUNICATION:
BOARD:
Content: Full risk appetite statement, boundaries, limits
Frequency: Annual approval, quarterly review
Format: Board presentation with approval motion
EXECUTIVE TEAM:
Content: Full statement plus decision framework
Frequency: Annual review, as-needed application
Format: Leadership session, written guidance
MANAGEMENT:
Content: Relevant categories, decision framework, escalation
Frequency: Annual training, reinforcement as needed
Format: Training session, reference materials
ALL EMPLOYEES:
Content: General philosophy, relevant boundaries
Frequency: Annual communication
Format: All-hands, written summary
SIMPLIFIED RISK APPETITE SUMMARY:
For broad communication:
OUR APPROACH TO RISK
At [Company], we take smart risks to achieve our goals. Here's how we think about risk:
WHAT WE EMBRACE:
☐ Innovation and experimentation
☐ Calculated growth investments
☐ Reasonable competitive risk
☐ Learning from mistakes
WHAT WE AVOID:
☐ Bet-the-company gambles
☐ Regulatory shortcuts
☐ Ethical compromises
☐ Reckless behavior
WHAT WE NEVER ACCEPT:
☐ Willful legal violations
☐ Ethical misconduct
☐ Stakeholder safety risks
☐ Preventable reputation damage
WHEN IN DOUBT:
Escalate to your manager.
TRAINING REQUIREMENTS:
| Audience | Content | Frequency |
|----------|---------|-----------|
| Board | Full statement review | Annual |
| Executives | Framework application | Annual |
| Managers | Category-specific + escalation | Annual |
| All employees | General awareness | At hire + annual |
Risk Appetite Governance
═══════════════════════════════════════
SECTION 6: GOVERNANCE
═══════════════════════════════════════
OVERSIGHT AND REVIEW:
ANNUAL REVIEW PROCESS:
☐ CEO proposes updates based on strategy changes
☐ Risk committee reviews (if exists)
☐ Board approves updated statement
☐ Communication to organization
☐ Training updated as needed
TRIGGERS FOR OFF-CYCLE REVIEW:
☐ Significant strategy change
☐ Major acquisition or investment
☐ Regulatory change
☐ Material risk event
☐ Significant market change
MONITORING COMPLIANCE:
Quarterly Monitoring:
☐ Risk metrics vs. appetite reviewed
☐ Limit breaches identified
☐ Exceptions documented
☐ Trends analyzed
Reporting:
| Metric | Threshold | Q1 | Q2 | Q3 | Q4 |
|--------|-----------|----|----|----|----|
| Customer concentration | ___% | | | | |
| Runway | ___ months | | | | |
| Service level | ___% | | | | |
| Compliance findings | ___ | | | | |
| Security incidents | ___ | | | | |
EXCEPTION MANAGEMENT:
When limits are breached:
1. Immediate notification to appropriate level
2. Root cause analysis
3. Remediation plan
4. Ongoing monitoring until resolved
5. Post-resolution review
Exception documentation:
| Date | Limit Breached | Cause | Action | Resolution |
|------|----------------|-------|--------|------------|
| | | | | |
CEO Risk Appetite Governance
═══════════════════════════════════════
CEO RISK APPETITE GOVERNANCE
═══════════════════════════════════════
CEO'S RISK APPETITE RESPONSIBILITIES:
☐ Own the risk appetite statement
☐ Ensure board approval
☐ Communicate throughout organization
☐ Make decisions at appetite boundaries
☐ Monitor compliance
☐ Update as strategy evolves
QUARTERLY REVIEW:
☐ Risk metrics vs. appetite reviewed
☐ Limit breaches noted
☐ Appetite alignment with strategy confirmed
☐ Board update prepared
ANNUAL REVIEW:
☐ Full statement review
☐ Strategy alignment check
☐ Limit appropriateness assessment
☐ Board approval obtained
☐ Organization communication
CEO RISK APPETITE QUESTIONS:
1. Does our risk appetite support our strategy?
2. Are we taking enough risk in the right areas?
3. Are there risks we're taking we shouldn't be?
4. Do our people understand our risk appetite?
5. Are we staying within our stated boundaries?