The NZ Society for Risk Management published an article on risk appetite from Grant Purdy in its RiskPost in September 2011.
Grant explains that while the concept of risk appetite seems deceptively simple: it is often described as how much risk we might wish to take to achieve a desired return. In practice, however, an organisation’s risk appetite can be exceedingly difficult to tie down or define.
He concludes that Risk appetite is a complex issue and producing a statement that describes it for an organisation is difficult and may prove unnecessary and ultimately unhelpful. ISO 31000:2009 gives an alternative, more practical and pragmatic approach to enable risk-based decisions by using risk criteria. These should be based on critical success factors and are therefore specific to a particular organisation and cannot be simply copied and reused. Some care is required in developing risk criteria to ensure that they accurately reflect the relative weightings the organisation applies to risks with different types of consequences.