Risk appetite: the board’s quiet superpower

Daniel Taylor shows how to link vision to delivery and strategy to assurance

When boards speak of strategy, they often invoke vision, budget, performance or stakeholder relations. Rarely do they mention risk appetite, even though it often the hinge on which strategy pivots.

Risk appetite is, at its core, more than a risk register, more than a compliance checkbox. It is the tacit promise a board makes about how far it is willing to walk into uncertainty, how much discomfort it will endure, how bold its mission can be.

GGi has underlined this several times over the years. Board guidance on risk appetite (2020) argues that risk appetite should be at the heart of an organisation’s risk management strategy, “a balance between the potential benefits of innovation and the threats that change inevitably brings.” Our 2017 guide A simple guide to risk for members of boards and governing bodies similarly emphasises defining risk appetite and risk tolerance annually as more than technical; it’s essential to clarifying roles and enabling good governance.

Without a well-articulated risk appetite, boards drift between paralysis and overreach, between fear of failure and the residue of missed opportunity.

The risk appetite paradox

Organisational strategies commit to doing things, to innovation and change, response to emerging needs (climate, demographic shifts, poverty, inequality).

On the other side, legal, financial, regulatory constraints impose severe limits on what organisations can do, and how far they can push.

Between those two poles lies risk appetite. If it is absent, boards lean in either direction randomly: either overly cautious (thus under-delivering against strategy or promise) or dangerously adventurous (exceeding what the law, finance or capacity allow). Risk appetite gives shape to that middle ground: it makes explicit, shared, negotiated what is acceptable uncertainty.

To navigate this space well, boards need a common language. Three terms matter: risk appetite - the amount and type of risk an organisation is willing to take to achieve its objectives; risk tolerance - the acceptable variation in outcomes before corrective action is triggered; and risk capacity - the organisation’s actual ability to bear risk, based on its resources and resilience. Confusing these can lead to poor decisions: appetite is about intent, tolerance about thresholds, and capacity about reality.

Why boards too often under‐use risk appetite

Drawing on GGi’s work and wider governance practice, there are several reasons boards don’t use risk appetite as the tool it could be.

1. Jargon and abstraction.
   ‘Risk appetite’, ‘risk tolerance’, ‘levels of risk’ are technical phrases. If they’re not translated into lived choices (“are we willing to try X even if there’s a 40% chance it fails?”) they stay abstract and costless in practice.
2. Fear of scrutiny and failure.
   Failure has consequences, so many boards prefer conservatism. But the irony is that failure to innovate can also damage legitimacy and success over time.
3. Lack of shared understanding or language.
   Different individuals and groups have different risk thresholds. Without a consistent appetite, one part of the organisation over-commits, another under-prepares.
4. One-off gestures rather than continuous living tool.
   Even where appetite is written down, it often becomes a static statement, dusty, relegated to appendices. The promise is rarely embedded in decision gateways, scrutiny, performance reporting.
5. Capacity, resources, culture.
   For appetite to work, the organisation has to have the capability to manage risk: to monitor, escalate, learn, adjust. If those systems are weak, appetite will be seen as risky in itself.

Risk appetite in practice

Risk appetite is the board’s superpower when it is used. A mature board treats appetite as a living tool that links vision to delivery, and strategy to assurance. Here’s how:

1. At the strategy-setting stage

Appetite should be a structured conversation early in the planning cycle:

• What degree of uncertainty are we willing to embrace in pursuit of each strategic priority?
• Which areas demand caution (e.g. statutory compliance) and where can we afford to be bolder (e.g. innovation, digital transformation, partnerships)?
• How will we know when risk exposure has exceeded tolerance?

This discussion should be explicit in board minutes and reflected in the corporate plan and board assurance framework (BAF).

2. As an anchor for decision-making

Every major decision - capital project, policy reform, investment - should reference appetite. Board papers should include a simple statement:

“This proposal is within our agreed appetite for innovation risk, moderate for financial exposure, and low for reputational harm.”

This discipline ensures decisions are consistent with previously expressed will, not driven by momentary enthusiasm or fear.

3. As a cultural signal

The board’s language around appetite sets the tone. A board that discusses risk only in terms of avoidance will cultivate timidity; a board that treats risk as a condition of creativity will foster psychological safety and innovation.

4. Through ongoing calibration

Appetite should be reviewed annually and whenever significant external change occurs: new leadership, political shift, or financial crisis. It should be considered alongside corporate priorities, not in isolation.

The role of the audit and risk committee

If the board defines appetite, audit and risk ensures the organisation operates within it. The committee’s role is not to rewrite or second-guess appetite but to provide assurance that it is understood, operationalised and adhered to.

In practice, this means:

• monitoring risk exposure against appetite and tolerance thresholds through regular dashboards, using the assurance framework to highlight risks trending outside tolerance
• testing the adequacy of mitigations and controls – where exposure exceeds appetite, is the response timely and proportionate?
• challenging complacency – ensuring green RAG ratings are truly reflective of appetite, not of comfort or inertia
• promoting learning – when risks materialise, the committee asks ‘what does this tell us about our understanding of appetite?’ rather than ‘who is to blame?’
• reporting assurance to the board - providing an independent view on whether the organisation’s behaviour matches its declared appetite.

As GGi’s Board guidance on risk appetite emphasises, audit and risk’s role is about alignment and testing, not authorship. Appetite remains the board’s own statement of intent.

What It means for other committees

• Strategy and performance: They should use appetite as a lens for scrutiny: asking not just ‘are we on track?’ but ‘are we taking the right level of risk to achieve this outcome?’. Over-caution can be as damaging to performance as over-ambition.
• Finance and resources: Risk appetite informs investment, reserves and commercial policy. Boards should explicitly connect financial risk appetite (e.g., borrowing levels, capital exposure, income diversification) to long-term sustainability and intergenerational equity.
• People and culture: Appetite has a human dimension. A low appetite for cultural or workforce risk might stifle creativity, while a higher one could promote empowerment and innovation. Staff must feel safe to experiment within agreed boundaries.

What it means for the executive

The executive’s role is to translate appetite into operational practice. This is where appetite becomes action.

That means:

• embedding appetite statements into programme management, project initiation and performance frameworks
• using appetite to prioritise resources - investing more heavily in high-risk/high-reward areas only where board consent exists
• communicating appetite clearly across management tiers, so decision-makers understand their licence to act
• alerting the board when risk exposure is exceeding tolerance - not as a sign of failure, but of responsible governance.

Executives should think of appetite as the leadership covenant between them and the board: “You have trusted us with this degree of freedom; we will use it responsibly and transparently.”

The role of assurance and internal audit

Assurance functions complete the circle by testing whether reality matches intention. Internal audit, in particular, should assess:

• whether appetite statements are being consistently applied in decision processes
• whether management actions align with defined tolerance levels
• whether risk reporting captures meaningful signals of drift beyond appetite
• whether lessons from risk events are feeding back into updated appetites and controls.

The goal is not to police ambition but to ensure that innovation and control coexist.

What boards can gain when risk appetite is used well

When a board truly embraces risk appetite as a value‐adding tool, several benefits emerge:

• Sharper strategy.
  Strategy becomes not just an articulation of ambition but of what level of ambiguity, what scope of experimentation, what tolerance of failure is baked in. This allows more courageous but realistic strategic choices.
• Clarity of governance and accountability.
  Officers know what is expected; members know what is possible. When outcomes are off-track, the question becomes not ‘who oversaw this project?’ but ‘did this go outside our agreed appetite, or did we mismanage within it?’
• Better resource allocation.
  If you know where you have low tolerance (e.g., statutory duties, regulatory compliance), those areas get stronger oversight. Where you accept more risk (innovation, transformations), resources are allowed for pilot projects, failures, iteration.
• Faster decision‐making.
  Because there are pre-agreed guardrails, less time is spent debating whether ‘this is too risky’, the question becomes whether it is within appetite, and if so, how to manage the risks.
• Strengthened trust and psychological safety.
  When officers feel that boards accept risk, they are more likely to propose innovation. When boards see officers acting within agreed boundaries, trust increases. When things go wrong, there’s less blame and more learning

How to put risk appetite at the core of strategy and governance

Here are some concrete ways boards can embed risk appetite, so it isn’t just rhetoric but leaven throughout the machinery:

1. At the strategy‐setting stage. When the strategy is being drafted, risk appetite should be a foundational conversation.
2. Through decision gateways. Major projects, procurement, service redesigns should require explicit reference: ‘Here is the risk profile; is this within appetite? If not, what mitigations or escalations are proposed?’
3. In financial planning and investment. Boards must clarify how much borrowing, commercial risk, or investment exposure is acceptable. Appetite for long‐term return vs short‐term exposure must be mapped.
4. In reporting and assurance. Use the board assurance framework or equivalent to monitor risk exposure, especially where risk is trending toward or beyond appetite. Escalation triggers should be clear.
5. In culture and capacity. Training, common language, shared understanding. Risk appetite statements are useless if people don’t believe them or can’t operationalise them. Psychological safety to raise concerns, breach of appetite, is critical.
6. Regular review and recalibration. External conditions change (e.g. economic, legal, societal), internal resources evolve. Boards should review appetite annually, and also when there are inflection points (new leadership, policy shifts, crises).

In closing

Risk appetite is not a soft luxury. It matters because boards in local government are not merely stewards of what is, but architects of what could be. Without an appetite defined, shared and lived, strategies can be timid and bureaucratic, or worse, unwittingly reckless. But with it, boards can govern with clarity and courage: recognising that risk is never entirely avoidable, yet always manageable.

Practical takeaway / tool: board risk appetite framework

Here is a framework you can adapt for your board (or local government context). It serves both as a diagnostic and planning tool.