How much risk is too much risk? Understanding risk appetite


One of the most important decisions for any business, project, or individual is how much risk to take. The phrase “risk appetite” is often used to describe the level of acceptable risk, but there is no accepted definition for this term. Even worse, there is confusion between risk appetite and other risk-related terms, especially risk attitude.

In seeking to answer the “How much risk…?” question, this paper considers a range of risk terms, showing how they relate to one another. This reveals that two risk-related factors are particularly influential when individuals or organisations decide how much risk can be taken in a risky and important situation. These two key factors are risk appetite and risk attitude, which have central and complementary roles.

We explain how to use both risk appetite and risk attitude to set appropriate risk thresholds in any given situation. Risk appetite is an internal tendency to take a risk in a given situation, and it reflects organisational risk culture and the individual risk propensities of key stakeholders. But unmanaged risk appetite can lead to the wrong outcome. Risk attitude is a chosen response to risk, driven by perception, and it can act as a control point to ensure that the right amount of risk is taken, so that the achievement of objectives is optimised. Putting both risk appetite and risk attitude together into a single framework (the RARA Model) provides a practical approach that enables individuals and organisations to take the right risks safely.

What is Risk Appetite? The Physical Analogy

All important management decisions involve risk taking, and we need to be able to answer questions, starting with “How much risk…?” These questions include:

  • How much risk do we face?
  • How much risk can we take?
  • How much risk should we take?
  • How much risk do we want to take?
  • How much risk will we take?
  • How much risk are we taking?

Each of these questions is important, and a variety of risk-related terms are used to describe the answers, including: risk appetite, risk attitude, risk capacity, risk culture, risk exposure, risk perception, risk preference, risk profile, risk propensity, risk threshold, risk tolerance (and others). No one seems to be able to define how these terms might differ, overlap, replace, or relate to each other.

Among these terms, “risk appetite” has recently become a hot topic. Recent research on risk appetite (Association of Insurance and Risk Managers, 2009) has identified four ways in which an understanding and expression of risk appetite can be used within organisations:

  1. To support strategy-setting, leading to a balanced risk profile and identification of which risks to avoid and which to take
  2. To support effective management of risk, by ensuring that risk management resources are allocated optimally, and fostering a risk-aware culture across the organisation
  3. To set appropriate boundaries for risk taking, by motivating decision-makers to make better and more consistent decisions
  4. To maximise stakeholder value, by enhancing organisational performance and delivery.

But what exactly is risk appetite? One way to understand this term is to start with its physical equivalent and see whether helpful analogies can be drawn.

What is Appetite?

For most people, the word appetite is closely linked with being physically hungry. But dictionary definitions of appetite are wider; of course, they include a desire for food or drink, but appetite can also mean a desire to satisfy some other bodily craving, such as sexual pleasure. There are also non-physical appetites, in which the desired result is intangible, such as an appetite for excitement or fame. And some appetites can be destructive, involving drugs or violent behaviour. The word appetite is derived from the Latin word appetere, which means to desire strongly.

These roots immediately tell us something important about appetite, which most people fail to recognise. Appetite is not the same as hunger. Appetite is a desire, a psychological need that demands to be met. The external expression of appetite is hunger, which we experience as a lack of something, and that motivates our behaviour in an attempt to satisfy the internal desire.

So, what might influence appetite in a particular individual? There are a wide range of factors, including the following:

  • Physical characteristics (size, weight, age, etc.)
  • Metabolic rate (high, normal, low)
  • State of mind (anxious, calm, stimulated, etc.)
  • Underlying state of health (good, poor, diseased)
  • Lack of something that is required for good health (nutrients, vitamins, water, etc.)
  • Last experience when appetite was satisfied (how long ago, how fully satisfied, etc.)

Several of these influences are outside the immediate control of the individual, at least in the short-term, because they arise from one or more inherent characteristics.

So, we see that appetite is an internal desire or craving for food or some other physical stimulant. It exists within a person, and motivates him or her to meet a felt need. Appetite is the answer to the question, “How hungry do I feel?” But because physical appetite is intangible and has no units, it is hard to measure or express. It results in outwardly measurable behaviour, and is affected by various factors, but it is not something we can choose or influence as it happens; it just is what it is.

What is Risk Appetite?

The physical analogy allows us to understand some of the key features of risk appetite, by comparing physical appetite with its risk counterpart. For example:

  • Just as physical appetite is an internal desire for something such as food, in the same way, risk appetite reflects our desire to take risk. How much risk do we feel that we can take on in a given situation?
  • Our appetite for risk is likely to be influenced by a wide range of other factors, just like our physical appetite, but it exists as an internal drive or desire that is not visible externally.
  • Physical appetite is expressed outwardly through hunger, and likewise risk appetite can be seen through the decisions we make about how much risk to take, which are expressed as risk thresholds.

Drawing these thoughts together, we can define risk appetite as:

Tendency of an individual or group to take risk in a given situation

Risk appetite is then expressed using risk thresholds, which are described against objectives, and that can be measured externally.

Why Does Risk Appetite Matter?

Risk appetite matters for two key reasons. The first is that it is increasingly becoming a compliance requirement, driven by international risk standards, corporate governance regulations, and others. Key examples include the following:

  • International standard ISO Guide 73:2009 includes a normative definition of risk appetite as “amount and type of risk that an organisation is prepared to seek, accept or tolerate.” This is reflected in other risk standards, such as ISO31000:2009, BS31100:2008 and the UK Office of Government Commerce “Management of Risk” (M_o_R) guidance (OGC, 2010).
  • Corporate governance guidelines refer to the need for organisations to define and communicate their risk appetite, with the UK Corporate Governance Code stating that: “The board is responsible for determining the nature and extent of the significant risk it is willing to take in achieving its strategic objectives” (Financial Reporting Council, 2010). Similarly, the U.S. National Association of Corporate Directors (NACD) Blue Ribbon Commission issued their “Report on Risk Governance: Balancing Risk and Reward” in October 2009, stating that “The Board of Directors need to understand the organization's risk appetite and level of risk tolerance. The assessment of the company's risk appetite should be an ongoing process, considering that risks facing the company are constantly changing.” (National Association of Corporate Directors, 2009).
  • Professional risk bodies such as the UK Association of Insurance and Risk Managers (AIRMIC), the Institute of Operational Risk (IOR), and the Institute of Risk Management (IRM) have each issued advice to their members aiming to clarify the meaning of the term and how it should be used in practice (Association of Insurance and Risk Managers, 2009; Institute of Operational Risk, 2009; Institute of Risk Management, 2011).
  • Consultancy firms have undertaken research and offered guidance to clients on the subject (PricewaterhouseCoopers, 2008; KPMG, 2008; Towers Perrin, 2009), perhaps seeing a new business opportunity to provide advice and support.

But secondly and more importantly, the ability to understand and express risk appetite allows decision-makers at all levels in an organisation to decide how much risk they should take in a given situation, from boardroom to project teams. This should inform decisions on matters such as corporate goals, investment decisions, business strategy, portfolio construction, project execution, technical solutions, operational efficiencies, and so forth. For each of these important management decisions, risk appetite drives the answer to the question, “How much risk should we take?” As a result, it is important for managers at all levels to understand and express their risk appetite, from the CEO to the project manager, and for these multiple levels of risk appetite to be consistent, coherent, and aligned.

Risk Appetite — Inputs and Outcomes

We have seen that risk appetite is an internal tendency within an individual or a group and that it cannot be seen or measured directly. It represents a hunger for risk in a given situation, a desire or drive to take on a certain level of risk exposure. But where does this internal tendency come from? What influences risk appetite?

One obvious input to risk appetite is the situation that is being faced. Risk appetite does not exist in a vacuum or in isolation. It is defined as a “tendency of an individual or group to take risk in a given situation,” so clearly that situation is influential. In fact, it is not just the situation in general that influences risk appetite, but the specific objectives that an individual or organisation wishes to achieve in or from that situation. For a project manager, the situation is the project, and the objectives are the project objectives.

In addition to the situation and its associated objectives, there are two other factors that influence risk appetite. Both of these have to do with people, which is not surprising, because risk appetite is an internal tendency. The first factor relates to individuals and the other arises from the group context.

  • On the individual side, the appetite for risk in a particular situation is affected by the general tendency of each individual to take risk in any circumstances. This is called risk propensity, and it in turn is driven by a range of risk-related personality traits, or innate motivations, known as risk preferences.
  • Another influence on risk appetite is the culture of the group or organisation in relation to risk, describing the set of shared beliefs, values, and knowledge that a group has about risk. This is called risk culture, and it results in a set of norms and behaviours that are naturally adopted by the group when situations are faced that are perceived as risky and important.

One interesting fact to notice about these inputs to risk appetite is that they are all internal and are not chosen by the individuals separately or the group acting together; they just are what they are. The effect of individual risk propensity and corporate risk culture on risk appetite is subtle and invisible; it is essentially unmanaged, and it cannot be seen or measured externally. The resulting risk appetite therefore arises unconsciously and without the deliberate choice or intentional intervention of the individual or group concerned. That is why we describe risk appetite as a tendency—because it is internal and unmanaged.

As well as considering the inputs that affect risk appetite, we should also look at its outcomes. Just as we have no units to measure or describe physical appetite, the same is true for risk appetite. We describe our natural hunger for food or drink by translating the internal appetite into externally measurable terms, for example a steak or a salad. We also need an external proxy for risk appetite, something that can be seen and measured objectively. This role is taken by risk thresholds, which are external expressions of risk appetite. And just as risk appetite is defined in terms of the objectives associated with a specific situation, risk thresholds are expressed in the same way. There should be a risk threshold set for each objective, reflecting the overall risk appetite in the situation.

Once we have defined risk thresholds for a given situation (how much risk we are willing to take), we can then compare these with the overall risk capacity of the organisation to bear risk, either in this specific situation or in aggregate. This will tell us whether our risk appetite can be fully satisfied or not. We might find that our appetite for risk leads us to set risk thresholds that exceed our capacity to take risk. This could lead to a problem if left unmanaged, because we might end up taking on too much risk, exceeding our risk capacity. Alternatively, our risk appetite may lead us to be too cautious, setting low risk thresholds, which are well within our risk capacity, and that do not stretch or challenge the organisation or make best use of its resources.

The inputs and outcomes for risk appetite are shown in Exhibit 1. The problem is that risk appetite and all its inputs are invisible internal factors that are hard to influence directly. This makes it difficult to change things if our risk appetite is leading to inappropriate risk thresholds. As a result, we need some other way to intervene and exercise control over unmanaged risk appetite.

Exhibit 1 – Risk appetite inputs and outcomes

Using Risk Attitude to Moderate Risk Thresholds

Our previous work on risk attitude (Hillson & Murray-Webster, 2007; Murray-Webster & Hillson, 2008) has defined it as:

Chosen response to risk, influenced by perception

The important characteristic of risk attitude in this context is that it is chosen, and can therefore be modified and managed. And, like risk appetite, risk attitude also has a range of inputs and outcomes, as illustrated in Exhibit 2.

Exhibit 2 – Risk attitude inputs and outcomes

Considering inputs first, the chosen risk attitude is influenced by the perception of the degree of risk exposure associated with a given situation, and risk perception in turn is affected by a complex web of factors, referred to as the “triple strand” of influences (conscious, subconscious, and affective factors). It is common to speak about only a few specific risk attitudes, such as risk-averse, risk-seeking, risk-tolerant, or risk-neutral. But, in fact, risk attitude exists on a continuous spectrum with an infinite number of possible positions. Faced with a given risky situation, a particular individual or group might exhibit a risk attitude anywhere on this spectrum.

Turning to outputs from risk attitude—two things are important in the context of making decisions in risky and important situations. The first is that our attitude to risk affects the degree of risk we are willing to take, as expressed in risk thresholds. Clearly, if we are comfortable with the perceived exposure to risk (i.e., our attitude is risk seeking), then we will wish to set higher risk thresholds than if we are uncomfortable with the uncertainty (risk averse).

But the influence of risk attitude is much wider than simply affecting the chosen level for risk thresholds and tolerances—it also affects our risk actions. In fact, every action we take in relation to the perceived level of risk exposure is driven by our position on the risk attitude spectrum. Each step in the risk process is affected by the risk attitude we adopt in the situation, including:

  • Identifying threats and opportunities
  • Assessing and prioritising identified risks
  • Selecting and implementing appropriate risk responses

Our risk actions modify the degree of risk exposure associated with the situation, leading to a revised perception of risk. As a result, we may wish to change our risk attitude, to give us the best chance of achieving our objectives in light of the new risk challenge that we now face. So, in fact there should be a cycle between the current level of risk exposure, our chosen risk attitude, and the risk actions we take.

Changing risk attitude is a simple matter of making a different choice. Earlier work (Murray-Webster & Hillson, 2008) has described how applied emotional literacy can be used to modify risk attitude in an intentional way, using a framework called the Six A's model. This starts with Awareness of the existing risk attitude that we have initially chosen in a given situation, together with Appreciation of the factors that have influenced that choice. Next, we Assess whether the risk attitude is helping us to achieve our goals or not. If the existing risk attitude is assessed as being appropriate, then we Accept it and continue without change. But if a change in risk attitude is required, then we Assert the need for change and take Action to modify our chosen risk attitude.

Putting it Together: The RARA Model

Comparing Exhibits 1 and 2 shows that risk appetite and risk attitude share common inputs (the situation and its objectives) and a common outcome (the setting of risk thresholds). As a result, it is possible to merge the two exhibits into a single model, showing the relationship between risk appetite and risk attitude; we call this the RARA Model (Exhibit 3).

The RARA Model indicates how we can exercise control over setting risk thresholds to make sure that they are appropriate in the setting of the given situation, taking into account the influence of individual risk preferences as well as of organisational risk culture, and ensuring that the risk thresholds do not exceed our risk capacity.

We have already seen that the influences on risk appetite are internal and so cannot be easily modified or measured. However, risk attitude is a choice and it is possible to choose a different risk attitude using the Six A's approach. As a result, the ability to choose a different risk attitude in a given situation provides a point of control in the RARA Model. We can now take a four-step approach to setting appropriate risk thresholds, as follows:

Step 1 - Unmanaged. First, we set risk thresholds intuitively without any conscious intervention or modification. This will result in risk thresholds that reflect the internal risk appetite. However, because all the factors influencing risk appetite are internal and cannot be modified, the resulting risk thresholds may be inappropriate. Because these initial risk thresholds are set using “gut feel,” the effect of chosen risk attitude is excluded at this point.

Step 2 - Constrained. The initial risk thresholds are reviewed in light of the individual risk propensities of the decision-makers, as well as considering the organisational risk culture. Referring to Exhibit 3, we see that these are the two main influences on risk appetite, so by considering them explicitly, we are able to express our underlying risk appetite. This may result in a modification of risk thresholds.

Step 3 - Check. At this point we should review the risk thresholds against the risk capacity to determine whether they are appropriate. If not, then some intervention is required.

Step 4 - Informed. The final step is taken if Step 3 indicates the need to modify the risk thresholds. This takes advantage of our ability to choose a different risk attitude and uses it as a point of active and intentional control in the process. By changing our risk attitude, we are able to influence the final choice of risk thresholds to produce something that is more appropriate.

This four-step process provides us with a simple and practical way to set risk thresholds at a level that will enable us to take the right risks safely.

Exhibit 3 – The Risk Appetite-Risk Attitude (RARA) Model


Risk appetite matters. It is an important topic for us to understand, because our risk appetite drives the way we answer the important, “How much risk…?” questions. But risk appetite is an internal tendency, invisible and impossible to measure. As a result, we need to use an external proxy to allow risk appetite to be expressed, and this is the role of risk thresholds.

Unfortunately, the internal nature of risk appetite also means that if it is left unmanaged it might result in the setting of inappropriate risk thresholds, leading us to take too much or too little risk. We, therefore, need a way to intervene and modify risk thresholds that have been set intuitively using the gut-level risk appetite.

Intervention is possible by choosing a suitable risk attitude that allows us to modify the initial risk thresholds, moderating the effect of unmanaged risk appetite. The RARA Model described in this paper combines both risk appetite and risk attitude, providing a practical way for decision-makers at all levels to answer the “How much risk…?” questions and take the right risks safely.


Association of Insurance and Risk Managers. (2009). Research into the definition and application of the concept of risk appetite. London, UK: Association of Insurance and Risk Managers.

British Standard BS 31100:2008. (2008). Risk management - Code of practice. London, UK: British Standards Institution.

Financial Reporting Council. (2010). UK Corporate Governance Code. London, UK: Financial Reporting Council.

Hillson, D. A., & Murray-Webster, R. (2007). Understanding and managing risk attitude—second edition. Aldershot, UK: Gower.

Hillson, D. A., & Murray-Webster, R. (2011). Using risk appetite and risk attitude to support appropriate risk-taking: A new taxonomy and model. Journal of Project, Program & Portfolio Management, 2(1), 29–46.

Hillson, D. A., & Murray-Webster, R. (2012). A short guide to risk appetite. Aldershot, UK: Gower.

Institute of Operational Risk. (2009). Operational risk sound practice guidance Part 1: Risk Appetite (version 1, December 2009). Retrieved from

Institute of Risk Management. (2011). Risk appetite and tolerance. London, UK: Institute of Risk Management.

International Organization for Standardization ISO 31000:2009. (2009). Risk management: Principles and guidelines. Geneva, Switzerland: International Organization for Standardization.

International Organization for Standardization ISO Guide 73:2009. (2009). Risk management: Vocabulary. Geneva, Switzerland: International Organization for Standardization.

KPMG. (2008). Understanding and articulating risk appetite. Sydney, Australia: KPMG.

Murray-Webster, R., & Hillson, D. A. (2008). Managing group risk attitude. Aldershot, UK: Gower.

National Association of Corporate Directors. (2009). Report on risk governance: Balancing risk and reward. Washington, DC, USA: National Association of Corporate Directors.

PricewaterhouseCoopers. (2008). Risk appetite: How hungry are you? The PwC Journal, Special risk management edition. London, UK: PricewaterhouseCoopers.

Towers Perrin. (2009). Risk appetite: The foundation of enterprise risk management. London, UK: Towers Watson.

UK Office of Government Commerce. (2010). Management of risk: Guidance for practitioners, 3rd edition. London, UK: The Stationery Office.

© 2012, David Hillson/Risk Doctor & Partners Limited
Originally published as a part of 2012 PMI Global Congress Proceedings – Marseille, France


