
Why boards lack confidence in risk appetite, and how you can fix it.

“Are we still inside risk appetite?”  

It is a reasonable question. It is also, for many organisations, an uncomfortable one. 

On paper, most boards have approved a risk appetite statement. In practice, answering that question often triggers weeks of reconciliation, competing interpretations and uneasy debate. Reports are pulled together. Assumptions are challenged. Context is reconstructed after the fact. 

When CEOs and board directors were asked about their organisations’ readiness to tackle today's biggest risks, only 11% reported feeling extremely confident.[1]

The problem is not a lack of risk information. It is the lack of a clear, appetite-anchored view of that information. 

Join our upcoming webinar, Risk appetite in action, to see how organisations turn appetite statements into practical boundaries for better decisions and reporting. 

Risk appetite was never meant to be a document 

Risk appetite was designed to make risk usable. It gives leaders a shared frame for trade-offs: what risk is worth taking, where variation is acceptable, and what must trigger action. 

That is the intent. The reality is often less useful. 

Many organisations can point to a board-approved risk appetite statement. Far fewer can show how it shapes day-to-day decisions, reporting and escalation. Appetite becomes something the organisation has, rather than something it uses. 

The gap shows up in maturity data. 

35% say they have a comprehensive risk appetite framework with quantitative and qualitative indicators. 13% say they have no risk appetite defined across the organisation.[2]

Those numbers sit uncomfortably together. They suggest a market where 'risk appetite' ranges from an embedded discipline to a loose aspiration, often within the same industry. 

What the data tells us about board confidence  

Boards are not short of risk reporting. They are short of decision-ready risk reporting. 

One survey finding captures the problem. Even when dealing with hot-button topics like cybersecurity and climate, confidence is limited. 

Only 32% of board members say they’re completely satisfied with the information they receive from management on cybersecurity and climate risk.[3]

That is not a formatting issue. It is a governance issue. If boards cannot see risk clearly, they cannot judge whether the organisation is operating within the boundaries it approved. 

When appetite is disconnected from reporting, boards get noise instead of signal. 

Fragmented signals, no clear risk picture 

In many organisations, appetite and risk information sit in different worlds. 

Appetite statements live in board papers and policy documents. Indicators sit in operational dashboards. Incidents and issues are recorded in registers. Performance data is tracked elsewhere again. Each source may be credible on its own. Together, they rarely form a single view. 

Risk teams then do what they have always done. They stitch. 

That reliance on manual consolidation is visible in the tools people use. 

Spreadsheets and slide presentations are used by 88% of respondents for performing ERM activities.[4]

This is where appetite quietly loses its value. Reporting shows what happened, but not whether it matters in appetite terms. Thresholds exist, but they are not consistently visible. Escalation becomes a judgement call. 

Risk discussions drift into argument about interpretation, rather than agreement about action. 

Appetite loses value when it cannot be seen. 

 

Scenario: Lack of clarity delays bank going to market 

A regional bank has a documented appetite for credit risk. The wording is clear enough. But the limits sit in board papers, while exposure and KRI data is split across spreadsheets and reporting tools. 

Then a new initiative arrives: grow higher loan-to-value ratio (LVR) home loans for first-home buyers in a key region.  

The question is straightforward: are we still inside risk appetite? But answering it becomes an exercise in reconstruction. The risk team reconciles multiple reports, debates assumptions with stakeholders, and negotiates what “inside appetite” really means in this case. A decision is made, but not from a single, appetite-anchored view. 

The debate is the symptom. The missing boundary is the cause. The organisation has an appetite statement, but it does not have appetite visibility. The initiative is delayed going to market, and the bank forgoes its first-mover advantage. 

Why this gap creates real risk   

When appetite is disconnected from measurement and reporting, costs accumulate quickly. 

Decisions slow down. Escalation becomes inconsistent. Boards lose confidence in what they are seeing and start to question whether the picture is complete, reliable and timely. 

Regulators have made similar points in their own language. 

 

What regulators flag when appetite isn’t measurable 

A UK Prudential Regulation Authority thematic letter on internal audit findings flagged, among other issues, an absence of risk appetite metrics, plus inconsistencies and data reporting issues in MI.[5]

Where data quality and controls remediation lag, the consequences can be material. In 2024, US regulators announced combined penalties of roughly $135.6m against Citigroup entities, tied in part to insufficient progress in remediating data-quality management and risk-control weaknesses.[6]

The lesson is not that every organisation is headed for a fine. It is that weak visibility makes weak governance. Weak governance makes surprises more likely and remediation more expensive - not just in fines and compensation, but reputation too. 

Reframing the role of risk appetite  

The problem is rarely that leaders reject the idea of risk appetite. It is that appetite is not treated as the organising principle it should be. 

A useful appetite framework does two things. It clarifies what is acceptable. And it makes that clarity visible to the people making decisions. 

Some organisations have not yet cleared the first hurdle. A survey of US government organisations made clear that even when appetite exists, integration is the harder task. 

47% said their organisations have defined risk appetite statements. Only 14% said their risk appetite is communicated throughout the organisation and integrated into strategy and decision-making.[7]

Appetite that is not integrated becomes ceremonial. Appetite that is integrated becomes operational. 

From static statements to practical boundaries 

Risk appetite becomes useful when it is translated into boundaries leaders can see and use. 

That translation is specific. High-level statements must be expressed as thresholds, tolerances and triggers. Indicators need to show where exposure sits relative to those boundaries, not just whether a metric is trending up or down. Escalation must be tied to explicit breaches and early-warning signals. 

Do that, and appetite stops floating above the organisation.  

It starts operating within it. 

 

  • Leaders can see when limits are being tested 
  • Boards can see where attention is needed 
  • Decisions speed up because fewer debates are required  
  • Accountability improves because triggers are clear 

 

That is what it means to put risk appetite into action. 


For many organisations, however, this is the hardest step. Moving from a board-approved statement to something that genuinely shapes decisions, reporting and escalation is where most frameworks stall. 

Join the webinar: Risk appetite in action  

If your organisation still can’t answer “Are we still inside risk appetite?” without weeks of reconciliation and debate, this session is for you. 

In this thought-leadership webinar, Protecht’s David Tattam and Michael Howell will show how organisations translate risk appetite into practical operating boundaries, using thresholds, KRIs and triggers to help boards and executives see clearly when limits are being tested and what action is required. 


References

[1] Korn Ferry: https://www.kornferry.com/insights/featured-topics/leadership/ceo-and-board-survey

[2] FERMA, Global Risk Manager Survey Report 2024: https://www.ferma.eu/app/uploads/2024/09/FERMA-Global-Risk-Manager-Survey-Report-2024.pdf

[3] PwC, Corporate board directors: latest findings from PwC’s Pulse Survey: https://www.pwc.com/us/en/library/pulse-survey/business-growth-through-recession-uncertainty/corporate-board-directors.html

[4] FERMA, Global Risk Manager Survey Report 2024: https://www.ferma.eu/app/uploads/2024/09/FERMA-Global-Risk-Manager-Survey-Report-2024.pdf

[5] Bank of England / PRA, Thematic findings of internal audit review…: https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2024/thematic-findings-of-internal-audit-review-credit-risk-management-framework-non-systemic-ukdt.pdf

[6] Federal Reserve enforcement release: https://www.federalreserve.gov/newsevents/pressreleases/enforcement20240710a.htm and OCC release: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-76.html

[7] AFERM / Guidehouse, Government Enterprise Risk Management 2024 Survey Results: https://guidehouse.com/-/media/new-library/services/sustainability/documents/2025/2024-esi-dg-008_a-aferm-erm-survey-report.pdf

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.