
Building a Risk Appetite Framework

November 2025

Risk appetite defines how much risk an organisation is willing to accept in pursuit of its objectives. Without a clear risk appetite framework, teams lack the guidance needed to make consistent risk treatment decisions.

A risk appetite framework typically operates at three levels: strategic (board-level tolerance for risk across the organisation), tactical (business unit or programme-level thresholds), and operational (project-level escalation criteria).

To define risk appetite, start by identifying your organisation's key objectives and the categories of risk that could affect them. For each category, establish clear thresholds that distinguish acceptable risk from risks requiring escalation or avoidance.

Express risk appetite in measurable terms wherever possible. Rather than "low appetite for safety risk", specify "no individual risk with a safety impact score above 3 on our 5-point scale" or "total safety-related EMV must not exceed 2% of project value".

Communication is essential. Risk appetite statements should be documented, approved by senior leadership, and shared with all team members. They should be reviewed at least annually, and more frequently when the operating environment changes significantly.

A well-implemented risk appetite framework empowers project teams to make faster, more consistent decisions about risk treatment. It also provides a clear escalation path when risks exceed agreed thresholds, ensuring that senior leadership is engaged at the right moments.
