In risk management, risk appetite is the level of risk an organization is prepared to accept.
Risk appetite constraints are not easy to define; each organization can tolerate a different level of risk. It is important, however, for the organization to establish a common understanding of risk and be prepared for the likelihood and impact of known threats. Organizations should define the maximum level of risk tolerance in each area of risk before taking action.
Organizations sometimes express their risk appetite through the creation of a risk appetite statement, a document that helps guide organizational risk management activities. The statement should be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices.
See also: risk assessment framework