Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

Pioneer Graphic

Making sense of risk appetite, tolerance, and acceptance (2nd edition)

by Matthew Leitch, 9 August 2010 (original version 17 July 2007 and revised 30 April 2008)

A new edition of this article - why?
Introduction and key points
Control of decison making illustrated by typical 'risk appetite' approaches
The scope for improvements to decision making under limited knowledge
Planning new projects to improve decision making under limited knowledge
Decisions and ways to make them
Summary of key points
Further reading

Please note

The author is available to help with work to evaluate existing arrangements for governing risk taking, design new tools and processes, write guidance on their use, review work done using them for lessons to learn, and (in the UK) to provide relevant training.

A new edition of this article - why?

Welcome to a new edition of this article on 'risk appetite', 'risk tolerance', and related ideas and practices. The first edition focused on resolving the confusion created by the chaotic and misleading terminology used in this area of risk management. That article received considerable praise and has even been described as a 'classic'. However, things have moved on and three events have been particularly important in prompting this major update:

Introduction and key points

While the terminology and theory around 'risk appetite' may have been a mess, some of the practical initiatives attempted around it contain the seeds of greatness. The common factor in these initiatives is the attempt to influence directly by policies and their implementation important decisions taken inside organizations, in such a way that the limitations of knowledge are better handled. In other words, the aim is to get people to think effectively about 'risk' in some sense when they make important decisions. One option is to impose some overall limits on risk and overlay those on top of existing business planning and monitoring decisions, but this is only one option and not necessarily the easiest or most useful.

The decisions involved, the style of policy, and the approach to limited knowledge vary. Some techniques are better than others. However, the general desire is to reduce the incidence of decisions that are stupid, short term, narrow minded, or selfishly motivated. There is also a desire to give leaders new levers they can pull to influence people in their organizations. The general approach is to lay down some rules, or at least guidelines, focusing on 'risk' in some sense, and try to get people to follow those rules.

There is no one technique for making decisions, still less making them under uncertainty, that is theoretically perfect and practical in all situations in organizations. Nor is there one way to take 'risk' into account that is theoretically perfect and universally practical. However, there are several good approaches that can be used, ranging from computational to conversational, and it is not hard to see that circumstances should at least influence which are used. (See here for an overview and some practical suggestions.)

Furthermore, the technique for taking 'risk' into account needs to work with the overall approach to taking a decision. For example, if a decision is primarily based on finding ways to stay on budget then asking for Net Present Value calculations using risk adjusted discount rates reflecting the betas of alternative courses of action is not appropriate! In most cases it is too much work, but more importantly the Net Present Value criterion is philosophically incompatible with trying to stay on a fixed budget.

With these fundamental insights in mind it is obvious that crucial steps in any initiative in this area will include the following:

Through following this approach there is an opportunity for many organizations to refresh their management methods, improve their decision making, and get more from their investment in risk management.

In the remainder of this article I will illustrate the above ideas by describing some typical projects (pointing out some common problems), and then go into more detail on project planning and on different types of decision, techniques for decision making, and techniques for dealing with limited knowledge.

But before that, to deliver on the promise of the title of this article, here is a brief explanation of relavant terminology.


The phrase 'risk appetite' does not have a single, established meaning. For most people with an opinion on it the meaning is something to do with willingness to take risk, or an extent to which a person or organization will take risk, or do something risky. There is a misleading suggestion that it has some kind of psychological basis and that people actually like risk to some extent. 'Risk appetite' is often seen as synonymous with 'risk attitude' though most experts disagree. 'Risk attitude' is a phrase whose meaning depends on the psychological theory and definition of 'risk' involved.

The phrase 'risk tolerance' also means different things to different people. Often it means the same as 'risk appetite' but is used in situations where it is harder to see the positive reward associated with the risk. Others use this phrase to refer to tolerable deviations from a target.

The phrase 'risk capacity' is seen as having more to do with objective circumstances and less to do with choices and preferences. Risk capacity is usually viewed as the ability to withstand losses. In this sense it is not a capacity for risk per se, but for actual events.

I refer to 'limited knowledge' because that is the objective situation we humans face most of the time. 'Risk' and 'uncertainty' are concepts we can use to gain an understanding of the limitations of our knowledge. The practical point is that some of the best ways to make decisions under limited knowledge do not involve using a concept called 'risk'. They use 'probability' and 'value' instead. Therefore, talking always about 'risk' tends to exclude those methods.

Control of decison making illustrated by typical 'risk appetite' approaches

The most important point in this article is that the common factor in 'risk appetite' initiatives is the attempt to influence directly by policies and their implementation important decisions taken inside organizations, in such a way that the limitations of knowledge are better handled.

This may not have been the thought uppermost in the minds of people who have worked on projects so far, but in hindsight it is clear that, where anything worthwhile has been achieved at all, it is through affecting decision making.

As this article will make clear, there are many alternatives when formulating policies to guide decision making under limited knowledge. The current state of the art has not explored every combination and there is huge scope for further exploration and improvement. Many projects could have achieved more with clearer thinking about different types of decision and how they are made. Furthermore, many have been undermined by choosing decision making techniques that are seriously flawed.

Certain techniques have appeared often in the past. Here they are, with notes on current strengths and weaknesses.

Risk control systems in UK banks

Although there are wide variations, the typical approach followed by UK banks has been to put in place a system of numerical limits and similar policies. These are often set annually along with targets and budgets. There are mechanisms in place to track the numbers involved so that compliance with the rules can be monitored.

The strengths of this approach include its high profile, close integration with key decision making methods (especially where they are quantitative), and enforcement using computer systems.

Its weaknesses include a heavy reliance on limits. The problem with this is that it limits risk taking without helping people get closer to optimising it. However, the next type of project is also used often in banks and, where it is used, provides more guidance than limits.

Risk adjusted performance measurement in financial institutions

This involves calculating the cost of the capital required to cover risk generated by business activities. If this cost is subtracted from the financial contribution of a business activity this gives a better picture of its true impact on the business. For example, if a business unit pursues a highly risky strategy but is lucky enough to escape without serious problems for a period of time its reported performance will still be penalised for the risks involved.

The strengths of this approach include its smooth link between level of risk and cost, which is more informative and safer than using limits, and its discouragement of short termism.

Its weaknesses include the rare skills needed to do it, which tend to mean it is only done at a high organizational level.

High level risk appetite statements

By this I mean statements of policies on risk taking that are rather vague, usually expressed without numbers, or using numbers on poorly defined risk measures that divide levels of risk into just a few buckets e.g. 'high', 'medium', and 'low'.

In themselves these statements seem to have little value, due to lack of clear meaning and failure to link them to specific decision making.

Risk appetite lines on Probability Impact grids

One of the most widespread approaches is to place 'risks' on a matrix that has 'probability' on one axis and 'impact' on the other - or similar words. A line is then drawn across the matrix and called the 'risk appetite' or something similar. The idea is that if a risk is placed on the 'too risky' high side of the line then something has to be done differently, but if the risk is placed on the low side of the line then no change is needed. The picture might look something like this:

This approach has been promoted by HM Treasury and others, and is seen often in the UK's public sector. However, despite this backing it is based on some serious misconceptions and leads to illogical decisions if applied rigorously, except in some rare situations.

There are four problems, and if an organization's approach has any one of these problems then it needs to be changed as soon as possible:

Project approval criteria that cover risk

Although the phrase 'risk appetite' is rarely used, approval of projects in organizations often has elaborate written procedures to govern it, and these frequently involve some kind of risk assessment. This assessment may mean that the project has to be redesigned if it involves too much risk of certain kinds, or its benefits have to be higher to compensate for a high risk score.

Strengths of this approach include its (typically) detailed guidance, while weaknesses tend to be due to rather subjective assessments and difficulties deciding on meaningful thresholds.

The scope for improvements to decision making under limited knowledge

How much improvement is possible? How valuable could it be?

The credit crunch of 2007 - 2009 provided a number of reasons for trying to improve decision making under uncertainty. Mortgage lenders in the USA took decisions that were based on short term, selfish motives, under-estimated risk, and continued to drive risks up beyond the point where it made sense for their organizations. It is not clear that inappropriate propensity to take risk played a particularly significant role, or even any role at all, but it is clear that decisions were faulty.

A part of the problem is management methods. Suppose Alan is Bob's boss and wants to ask Bob to make a special effort to sell a new product next month. They see each other daily and have a good working relationship. Alan wants to give Bob room to be creative in how he achieves the things Alan wants, so he says:

"Bob, next month it's very important that you and your team make an effort to sell the new product. The plan is for sales of 120k in the first month, with 150k being at the top of expectations and less than 50k being a serious problem. Having said that, don't put existing sales at risk by ignoring them. Also, can you make sure everyone knows that we can't claim this product has health benefits. I realise that the branding sails close to the wind."

In this conversation Alan expresses a form of target for sales of the new product but also warns about two risks (i.e. letting other sales slide and mis-selling). This is a natural thing to do and in conversations it is easy.

However, management control systems today often put a huge emphasis on numerical targets. If Alan's instructions were put through the usual system Bob would be left in no doubt as to the sales target and might realise the risk of ignoring other sales, but the point about mis-selling would be left out, or soon fade from memory, overwhelmed by the relentless pressure to hit targets.

This gap is one that 'risk appetite' methods try to fill. Instead of the board just telling people what it wants, it also tells them about what it does not want. Indeed, the board can go further and say how confident they want to be that those bad things will not happen.

More generally, it is human nature to see the future narrowly. We tend to be overconfident in our forecasts and believe we have more control than we really do. This problem is worse when we are with other people and subject to management systems that relentlessly push us to think about targets and offer rewards for meeting them.

The exciting opportunity here is to take off those mental blinkers and institutionalise open mindedness in important decisions. The technique of writing and implementing policies related to risk can help with this, provided we consider the specific decisions and decision making techniques, and make sure the risk related policies are compatible with the decision making techniques. Just determining some top level risk limits or targets will have little effect if they are not translated into specific decision making practices.

The main improvements will come from understanding decision making realistically and getting people to (a) think about risk/uncertainty at all, and (b) do it effectively. This is because individual differences in decision making tend to be driven more by differing assessments of the situation than by differing attitudes towards risk.

Planning new projects to improve decision making under limited knowledge

Incremental delivery

If an organization is planning a 'risk appetite' project then it should prefer incremental delivery.

What it should not do is plan a comprehensive project and move through a logical sequence of stages, such as identifying all the decisions, then analysing how all are made, then developing all the policies, and so on. This 'waterfall' style project will ensure that it gains no direct experience of changing decisions until the very end of the project. Instead, it will go through weeks, perhaps months, of laborious analysis, making mistakes that it will not detect until the policies are implemented.

It is much better with a project like this to progress just one type of decision through to implementation quickly, without doing the analysis on others, and so gain experience as early as possible. This experience will reveal mistakes and make other analyses more usable.

The ideal place to start may well not be with the board and annual planning because (1) it only happens annually so there are few chances to learn from experience, (2) board members may have less time available for problem solving and working through inefficient procedures, (3) it is better not to make early mistakes in front of the board, and (4) these are big, important decisions so mistakes could be big too.

Therefore, even if the initial intention is to restrict the project to just annual planning and quarterly monitoring at board level it may be better to include some other decision making to gain experience first.


One of the most appealing aspects of this sort of project is the opportunity to integrate risk management further into management generally. However, this also brings the challenge of working with others, often with a prior claim on those decision making processes. In addition to the people who actually make the decisions of interest there could be others from specialist teams who focus on, for example:

All of these people will tend to believe that they already ensure that uncertainty is considered. What they will not necessarily have done is to:

Decisions and ways to make them

The value of a project to improve decision making to manage risk better depends largely on being able to identify worthwhile improvements. The more people know about decision making and thinking under limited knowledge the more likely it is that improvements will emerge. Here is a discussion of some of the behaviours likely to be considered.

Types of decision

The search for decisions to include for consideration will tend to focus on those that are:

Typical candidates will be:

Decision methods and policy ideas

My analysis of actual and suggested 'risk appetite statements' (i.e. collections of risk policies) shows that they are extraordinarily varied. I suspect this is a result of the variety of risks and decisions involved. This is a huge subject and in this section I will just give some suggestions and a flavour of what is possible.

Typical and special decision making

Most decisions, even many quite important ones, are not made after careful consideration of all the alternatives and weighing of all pros and cons. We use shortcuts – rules of thumb that do a good enough job and take less effort. Indeed, because most decisions are taken under such great uncertainty that a good rule of thumb can perform as well as more detailed consideration, as well as being quicker to apply.

A deeper analysis may be reserved for new situations and where the stakes are higher than usual. A policy might capture the rule of thumb normally used and set thresholds for triggering more detailed study, use of experts, or escalation to a higher level of management.

People and conduct of meetings

The number of people involved in a decision, and their various roles, can be important and covered by policies.

The way meetings are conducted can also be important. Is there a genuine chairperson? A chairperson can help to control some group biases that interfere with group decision making. For example, there is evidence to suggest that groups tend to be overconfident in their judgements because they take the confidence level of the most confident person in the group, believing confidence to be a sign of competence. A chairperson can ask people to explain the basis of their views and so deter or expose baseless confidence.

Anchoring is another effect that can cause problems in a group. Suppose a group is trying to estimate a number (e.g. first year sales for a new product) and guesstimates are being made. The first estimate tends to influence all others, bringing them nearer to the first estimate than they would have been otherwise. A sensible precaution is to get people to write down their personal views before any are expressed. Variation between people is important information about the level of uncertainty involved.

With these and other biases in mind, why not have a code for chairing meetings and a policy that it will be applied in meetings that justify that level of attention?


In theory a lot of decisions are supposed to be driven by targets and this approach has reached bewildering levels of complexity in the UK's public sector. Getting risk on the agenda may be a matter of setting some additional targets, this time concerning levels of risk drivers, risk, or actual risk event occurrences. It is important to be clear if the targets are aspirations, numbers to plan for, or bare minimum levels of performance. The same potential confusion occurs with cost budgets, where a budget figure can be taken as a firm limit, as an amount to be spent or lost, or as a gentle suggestion unlikely to be taken seriously.

If the problem is approached in this way, using targets, then there will be (a) decisions about the levels to use as targets/limits and (b) decisions using the targets/limits.

Quantitative methods

Many decisions in organizations are influenced by calculations, often done on electronic spreadsheets.

It is very important that people understand that making calculations on a 'best guess' basis is highly misleading and the outputs are not necessarily appropriate for the guesses put in as inputs. Crucially, calculations on this basis usually understate the value of risk management. For example, in real life a flexible plan is more valuable than an otherwise similar but rigid plan. However, a 'best guess' calculation will not show any difference.

In addition to stipulating methods, policies can provide a variety of limits, but the more informative ones provide a way to value outcomes, financial and non-financial, over a wide range, and also value uncertainty.

Common problems with risk related policies

My preliminary analysis of actual 'risk appetite statements' and proposals by researchers also shows that some serious problems are common. Many are vague, with metrics under-specified. Most lack crucial information. Some use metrics that are impractical or would lead to bizarre behaviour in some potential scenarios.

Perhaps the most important weakness is the failure to say clearly when each policy will be applied. For example, if the board wants to maintain a particular credit rating, when will this policy by applied? Who will apply it? Specifically, how will it affect decision making? Following the approach suggested in this article should at least solve this problem.

Summary of key points

From an unpromising mess of misleading terminology and pseudo-psychological theorising some solid practical ideas are emerging. The key is to understand that a 'risk appetite statement' is really a collection of risk related policies designed to control risk taking by affecting the way decisions are taken and, in particular, the way people handle their problem of limited knowledge.

Useful projects will involve identifying the decisions involved, understanding how they are taken, and choosing policies that work with those decision making methods, or improve them.

There is an opportunity here to institutionalise open mindedness about the future, something we usually need more of, and to give boards a new set of levers they can pull to influence behaviour.

Further reading

Risk appetite definitions: Issues and answers" surveys published definitions of the term 'risk appetite' and examples of disclosures on it by companies.

"Results of a survey of alternative risk phrases" reports the findings of a survey exploring alternative concepts and phrases. The survey confirms that most people find other phrases clearer and more self-explanatory than 'risk appetite'.

"The real reasons we avoid risk: A fresh and practical perspective on fundamental theoretical questions" explores the rational reasons for behaving as if averse to risk.

"What circumstances are relevant to decision making under uncertainty?" reports the results of survey that explored the extent to which people think personality is important in rational decision making under uncertainty. This provides support for the observations in "The real reasons we avoid risk."

"Straighten out your thinking on 'risk aversion', 'risk appetite', 'risk tolerance', 'risk limits', and all that" challenges readers to think clearly about these topics, revealing a number of common misconceptions.

"How to be positive about risk" explains some pitfalls in trying to portray risk in a more positive light, and suggests tactics for doing it more successfully.

© 2010 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr