Category: Risk management frameworks · Reviewed by Chrissie Anderson, Client Executive · Last reviewed
Risk appetite
Risk appetite is the amount and type of risk an organisation is willing to pursue, retain or take in order to achieve its objectives. It is set by the board, articulated in a Risk Appetite Statement (RAS), and operationalised through quantitative limits and qualitative statements that cascade into business decisions.
Distinction from related concepts
Risk appetite — what the board wants to take.
Risk tolerance — the acceptable variation around an appetite level (the boundary you will not cross).
Risk capacity — what the firm could absorb before becoming unviable (capital, liquidity, reputation).
These three concepts form a hierarchy: capacity ≥ appetite ≥ tolerance limits ≥ operational thresholds.
Anatomy of a Risk Appetite Statement
A credible RAS typically contains:
A high-level qualitative narrative — what the firm is in business to do and the broad risk posture (conservative, balanced, growth-oriented).
Category statements — by risk type (underwriting, market, credit, operational, liquidity, conduct, climate, cyber).
Quantitative metrics — solvency coverage ratio bands, combined ratio targets, single-risk limits, concentration limits, VaR or TVaR thresholds.
Escalation triggers — what happens when a metric breaches its early-warning level.
Board approval and review cadence — typically annual with mid-year refresh.
Regulatory expectations
PRA SS5/14 — Solvency II: ORSA — expects insurers’ ORSA to reflect a board-approved risk appetite consistent with the business strategy.
PRA SS3/15 — Solvency II: the quality of capital instruments — and SCR setting are framed against appetite.
FCA Senior Management Arrangements, Systems and Controls (SYSC 4) — requires firms to establish, implement and maintain adequate risk-management policies and procedures.
PRA Insurance Rulebook, Conditions Governing Business, requires the risk-management system to include written policies on at least: underwriting and reserving; ALM; investment; liquidity and concentration; operational risk; reinsurance.
Commercial relevance
A well-articulated risk appetite materially helps brokers and insurers place difficult risks. Where a client can demonstrate, for example, that their cyber appetite includes formal limits on single-loss exposure and a CISO-led incident response programme, cyber insurers reliably offer broader cover and lower retentions.
References
Financial Stability Board (2013). Principles for an Effective Risk Appetite Framework.
PRA Supervisory Statement SS5/14 (and updates).
COSO (2017) ERM Framework.
IFoA (2016). Risk Appetite for a General Insurance Undertaking.
Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.