
Risk Appetite, Tolerance, and Capacity: Clarifying the Core
27/07/2025
While designing a risk approach, I found the following https://www.aevitium.com/post/risk-appetite guidance invaluable.
Before designing a practical risk appetite framework, it is essential to clarify three foundational concepts that are often misunderstood or used interchangeably: risk appetite, risk tolerance, and risk capacity.
While closely related, each plays a distinct and critical role in shaping how organisations manage risk in pursuit of their strategic objectives.
A practical risk appetite framework is a direct extension of the organisation’s risk strategy.
A risk strategy defines how an organisation approaches uncertainty, prioritises risks, and balances ambition with protection. Risk appetite translates that intent into actionable boundaries that guide decision-making and resource allocation.
The appetite framework serves as a practical link between high-level risk principles and operational decisions. It ensures that strategy is implemented within well-understood limits, and that those limits reflect both ambition and capacity and are aligned with business objectives.
Where risk strategy sets the direction, risk appetite sets the pace, scope, and depth of risk-taking in pursuit of strategic goals. Together, they help shape a consistent approach to risk—one that aligns leadership intent with day-to-day delivery.
🔹 Risk Appetite – What We Want to Take On
- Risk appetite defines the amount and type of risk an organisation is willing to pursue or retain in the pursuit of its strategic goals. It reflects an acceptable level of risk and intent. Appetite is shaped by the organisation’s purpose, business model, and leadership mindset.
- Example: A digital bank with a growth strategy focused on rapid customer acquisition may have a higher risk appetite for credit or onboarding fraud than a traditional retail bank, provided controls and losses remain within defined expectations.
🔸 Risk Tolerance – What Variability We’ll Accept
- Risk tolerance refers to the level of variation around appetite that an organisation is prepared to withstand before action must be taken. It is the buffer zone, the acceptable stretch within which normal fluctuations in risk exposure are allowed without triggering formal escalation.
- Example 1: If the appetite for third-party cybersecurity risk is “low,” the tolerance might still allow for minor exceptions on specific supplier onboarding cases, provided certain controls are in place and exposure remains under predefined thresholds.
- Example 2: If the appetite for investment risk is “high” at an asset manager, the tolerance for passive investment guideline breaches, i.e. the breaches triggered by market fluctuations, might still allow for minor exceptions to cater for market movements, provided specific controls are in place and exposure remains under predefined thresholds.
🔺 Risk Capacity – What We Can Afford to Bear
- Risk capacity is the organisation’s absolute limit. It represents the maximum level of risk it can carry without jeopardising its financial viability, regulatory standing, or operational integrity. This is grounded in tangible constraints, including capital, liquidity, funding, or technical capabilities.
- Example: A global insurer may want to underwrite catastrophe risks (appetite) and may allow some loss volatility (tolerance), but solvency rules, reinsurance coverage, and internal capital models will define its actual capacity.
🔄 How They Interact: A Strategic Continuum
One helpful way to visualise the relationship is through a continuum or layered threshold model.
- Alternatively, think of nested circles:
  - At the centre: Risk appetite defines the preferred zone for decision-making;
  - Around that: Risk tolerance marks the range of acceptable variation; and
  - The outer boundary: Risk capacity sets the absolute red line.
- This layered view highlights a critical insight: your risk appetite must sit comfortably within your risk capacity. Your tolerances must be specific enough to signal when decisions or exposures are drifting toward the edges of acceptable limits.
⚠️ Why This Distinction Is Foundational
- In our fieldwork, we have observed that organisations tend to blur or oversimplify these terms. Very often, the notion of risk capacity is not covered at all.
- As a result, the risk appetite framework loses credibility and does not get embedded.
- Decision-makers do not know when to escalate or intervene.
- Boards approve risks without understanding if they are near critical limits or what they mean from a strategic standpoint.
- Culture defaults to risk aversion or unmanaged risk-taking.
- Clarity ensures that risk is taken intentionally, monitored effectively, and aligned to strategic priorities. It also creates the groundwork for meaningful thresholds, escalation protocols, and performance metrics, all of which are explored in the guiding principles that follow.
Risk Appetite in Strategy Setting
Risk appetite plays a crucial role in shaping a company's strategic direction. It defines the boundaries within which the organisation is willing to operate, helping leaders select, prioritise, and pace strategic initiatives. When clearly articulated, appetite provides a shared reference point for evaluating opportunity, managing uncertainty, and deploying resources with confidence.
In practice, appetite informs trade-offs across a range of strategic decisions:
1. Growth and innovation
Appetite influences the level of investment in new markets, products, or technologies. A higher appetite for innovation risk may support early-stage experimentation, while a more cautious stance will favour proven models and incremental change.
2. Market positioning
Appetite helps define how aggressively the organisation competes, enters new geographies, or exits declining segments. It ensures that ambition remains aligned with financial capacity, operational readiness, and reputational considerations.
3. Portfolio and resource allocation
Appetite guides decisions on capital deployment, transformation priorities, and risk-weighted returns. It enables a more disciplined approach to balancing short-term performance with long-term sustainability.
4. Strategic resilience
An appetite for uncertainty, complexity, and disruption helps shape decisions regarding diversification, redundancy, and contingency planning. It supports proactive risk management in the face of change.
Organisations increasingly recognise the strategic importance of risk appetite. However, unlocking its full potential requires deliberate integration into business planning and decision-making processes. When appetite is actively referenced, linked to priorities, and supported by operational levers, it becomes a powerful enabler of strategy execution.
Several conditions support effective integration:
- Alignment of timing between strategy cycles and appetite reviews;
- Shared ownership across risk, finance, and business leadership;
- Clear connections between appetite statements and business levers such as investment thresholds, product development, or innovation risk; and
- Specific and relevant articulation of appetite that reflects actual trade-offs and decision scenarios.
Embedding appetite early in strategic planning creates more substantial alignment between ambition and execution. It encourages thoughtful resource allocation, sharper prioritisation, and better-informed transformation. By positioning appetite as a planning input, rather than a retrospective control, organisations can strengthen both performance and resilience simultaneously.
Strategic Themes That Shape an Effective Framework
Risk appetite is a core component of an integrated Enterprise Risk Management (ERM) approach.
- While ERM provides the structure for identifying, assessing, and managing risk, risk appetite defines how much risk the organisation is prepared to accept in pursuit of its strategic objectives. It serves as a reference point for connecting risk identification to business decision-making.
- Within the ERM framework, appetite enables prioritisation, informs resource allocation, and establishes clear thresholds for action. It also links risk exposure to performance management, capital planning, and assurance processes. When integrated effectively, appetite transforms ERM into a tool for proactive decision support, rather than passive oversight.
- A practical appetite framework is embedded across governance, culture, and execution. It is not an isolated document, but a mechanism that shapes behaviours, trade-offs, and leadership judgment. Based on our work with boards and executive teams, we have identified six strategic themes that help organisations apply appetite in a way that supports business delivery and resilience.
These themes provide practical context for the guiding principles that follow, ensuring appetite is applied not just in theory, but in how the organisation operates: strategically, culturally, and operationally.
📍 Strategic Alignment
- A risk appetite framework must reflect the organisation’s purpose, business model, and long-term strategic goals. Without this alignment, friction often emerges between business ambition and control, or between leadership vision and operational delivery. This theme ensures that risk-taking remains intentional and linked to strategy. In our experience, many organisations struggle to articulate risk appetite within this context, resulting in frameworks that lack a clear strategic anchor. This weakens usability and, in some cases, may lead to inappropriate statements that support decisions misaligned with the organisation’s strategic objectives.
🏛 Governance & Accountability
- Appetite needs clear ownership at all levels. Boards must challenge and approve appetite statements. Executives must translate them into actionable strategies and policies. Risk teams must monitor and escalate breaches. Without defined roles and accountabilities, risk appetite becomes a statement of intent rather than a basis for decision.
⚙️ Operationalisation & Integration
- For appetite to influence real decisions, it must be embedded into the day-to-day workings of the business: product approvals, investment decisions, change programmes, and front-line controls. This theme focuses on integrating planning, reporting, thresholds, and escalation pathways to turn principles into practice.
💥 Resilience and Capacity
- An organisation’s ability to take risks is not just about ambition; it is about what it can absorb. Appetite must be bounded by capacity, whether financial, operational, or regulatory.
- This theme also considers how appetite supports resilience, including scenario planning and dynamic adjustment when external conditions shift.
🧭 Culture and Behaviour
- Even the best-designed framework will fail if the organisation’s risk culture is misaligned.
- Appetite must reflect not just what leadership says, but what people do. This theme focuses on behavioural signals, incentives, speaking up, and psychological safety, ensuring appetite is reinforced through culture, not contradicted by it.
🔄 Adaptiveness and Monitoring
- Risk appetite is not static. It must be responsive to shifts in strategic direction, risk environment, and internal learning. This theme covers the mechanisms for reviewing, refreshing, and monitoring appetite, including KRIs, dashboards, and post-incident reviews. A living framework enables both agility and accountability.
These six themes form the foundation of a well-constructed risk appetite framework that is actively applied and fully aligned with the organisation’s strategy, decision-making processes, capacity, and culture.
The following section introduces 12 guiding principles that bring this structure to life.