Tanvi Gupta, Enterprise Risk Management Leader, Allina Health
Information TechnologyRisk Management

Risk Appetite – A Compass for Executive Decision-Making

cxomagazine
By Tanvi Gupta, Enterprise Risk Management Leader, Allina Health

When I understand our risk appetite, I don’t just see the guardrails—I see the runway.

In today’s innovation-driven economy, executives face high-stakes decisions daily. Yet, many organizations approach these decisions without clarity on one foundational element – risk appetite.

As risk professionals, we navigate the delicate tension between ambition and caution. Risk appetite defines how much risk an organization is willing to take – and just as importantly, unwilling to take – in pursuit of its objectives.

Over the years working in enterprise risk management, I’ve observed a consistent pattern across industries: while organizations often have a clear view of their top risks, their risk appetite remains vague or inconsistently understood.

Risk Appetite vs Risk Tolerance: Why the Distinction Matters

Risk appetite refers to the overall level of risk an organization is willing to accept in order to achieve its goals. It’s usually broad and qualitative.

Risk tolerance, on the other hand, defines the specific boundaries within that appetite, quantifying the amount of acceptable deviation from an organization’s risk appetite before triggering escalation.

For example, while a company might declare “low appetite for information security risk,” such a blanket statement lacks operational clarity. Relevant risk tolerance metrics bring it to life:

  • Confirmed breach threshold: 0 unresolved breaches beyond 48 hours
  • Phishing simulation pass rate: ≥ 90% employee success rate on quarterly tests

Risk appetite sets the tone; risk tolerance sets the tripwire. When a risk breaches tolerance but remains within appetite, leaders can respond. If it exceeds both, escalation becomes non-negotiable. Organizations may guarantee responsibility, facilitate data-driven decision-making, and take action before risks materialize into incidents by combining the two.

Risk Appetite as a Strategic Dialogue: Asking the Right Questions

When facilitated effectively, the risk appetite conversation becomes a strategic dialogue, not a checkbox activity. At our organization, we framed risk appetite in the context of mission, vision, values, and strategy.

One of the key lessons I’ve learned through this process is that risk appetite cannot be a theoretical exercise. It must be rooted in business reality and co-created with leadership. This means shifting from “what’s your tolerance for operational risk?” to questions like:

  • What risks are we willing to take to accelerate entry into emerging markets?
  • How much volatility in financial performance or customer churn are we prepared to accept while scaling a new platform?
  • At what point does regulatory pressure, data privacy concern, or reputational exposure outweigh the potential value of disruptive innovation?

These questions spark robust discussion and they bring risk appetite to life.

In the end, Risk Appetite is not about saying no to risk, it’s about knowing which risks are worth taking, when, and why.

Operationalizing Risk Appetite: From Principles to Practice

Understanding your risk appetite is only the beginning. The real value comes from embedding it into governance, decision-making, and execution frameworks. This requires a structured approach—one that turns risk appetite from theory into daily operations.

Below is a Risk Appetite Process Map that provides this foundation. While the exact steps will vary by industry, maturity level, and business model, a leading practice framework includes four key phases:

Risk Appetite Process Map

Balanced Risk-Taking: The Middle Path

Risk appetite is not about eliminating risk altogether—or embracing it blindly. Balanced risk-taking is key. Organizations lose out on chances for innovation, expansion, and competitive advantage when they become overly risk averse. On the other hand, excessive risk-taking can lead to damaging consequences. The goal is to find the sweet spot.

Final Word: Risk Appetite – A Compass for Executive Decision-Making

As executives balance ambition with accountability, risk appetite becomes a compass for executive decision-making. It empowers innovation, aligns people and platforms, and builds trust with Boards, with customers, and with the market.

In the end, risk appetite is not about saying no to risk, it’s about knowing which risks are worth taking, when, and why.