The Hidden Risk of Not Defining Your Risk Appetite

In 2024, Toronto-Dominion (TD) Bank incurred over $3 billion in penalties because of failures in its anti-money laundering (AML) policies. While the bank did have AML controls, it lacked a clear framework for managing high-risk customers. This allowed criminals to use its services to launder millions of dollars. 

That’s one potential cost of not defining your risk appetite. Leaving the level of acceptable risk undefined creates uncertainty and exposes businesses to operational disruptions, reputational damage and financial losses. These repercussions can be financially devastating, even for established businesses.

What Risk Appetite Really Means 

According to ISO Guide 73:2009, risk appetite is the amount and type of risk an organization is willing to accept or retain. It informs strategic decision-making and operational choices by providing guidance on what organizations can and can’t afford to pursue. For example, a health services provider with a zero-appetite policy for patient confidentiality breaches would avoid any third-party vendors with a history of data breaches.

While the terms risk tolerance and risk appetite are sometimes used interchangeably, they are distinct. ISACA explains that risk tolerance is the level of deviation from an organization’s risk appetite that it can cope with: it defines the acceptable level of variation around the organization’s risk appetite.

The Costs of an Undefined Risk Appetite 

Without clear risk appetite statements, it becomes hard for management and employees to make proper business decisions. The lack of boundaries can lead to over-caution or excessive risk-taking, potentially resulting in missed opportunities, inconsistent decisions and losses.

Inconsistent Decision-Making 

The lack of a clear risk appetite framework leaves teams to their own devices, forcing them to use their best judgment when making decisions. Unfortunately, what one team considers the best decision may not be the same for others. For example, your finance team might play it safe when faced with a financial risk, such as expanding a product’s target market, while your sales team moves forward with the expansion. 

Inconsistent decision-making can lead to different outcomes in similar situations. It can also cause internal friction, especially when every team believes its decision is right.

Operational Risks

Without clear guidelines, teams may spend too much time addressing low-risk issues. They might over-escalate them, causing unnecessary delays in decision-making and execution.

An undefined risk appetite might also cause employees to overlook high-risk threats. In TD Bank’s case, for example, employees underestimated the risk their customers posed. They screened fewer than one transaction out of every 10, making it easy for high-risk individuals to launder money without raising red flags.

Decision Paralysis

When teams don’t know what’s acceptable and what’s not, they might hesitate to make decisions. While caution is generally a good strategy in risk management, being overly cautious can lead to missed opportunities or delayed execution. If you delay a product launch because your team is unsure about what rate of bugs is acceptable, you might lose your competitive advantage when another company launches its product first. 

Inconsistent Third-Party Experiences 

Your risk appetite directly informs employees’ risk response strategies. If the former is unclear, teams might respond differently in similar situations, resulting in inconsistent experiences for external stakeholders. For example, if you don’t define your cybersecurity risk appetite when dealing with vendors, one team might avoid a technology because of security concerns, while another chooses to purchase the technology and develop a contingency plan. 

How to Set a Framework Defining Risk Appetite 

A robust risk framework takes factors such as an organization’s strategic objectives and risk capacity into account. These are the basic steps to developing your framework.

1. Map Out Objectives 

Business objectives inform risk appetite. So a good starting point is to define your goals. Then outline what you need to do to achieve them and create your risk profile. 

For example, if you want to introduce a new product within a year, your profile could look like this:

| Type of Risk | Risk Factor | Description |
| --- | --- | --- |
| Financial risk | Cost overruns | Development costs may exceed the set budget. |
| Financial risk | Poor pricing | There might be a misalignment between production costs and pricing, resulting in a low return on investment (ROI). |
| Market risk | Low demand | The product might not appeal to our target market. |
| Operational risk | Process breakdowns | System downtimes might disrupt production and distribution. |
| Compliance risk | Regulatory pressure | We might face new regulations. |

2. Analyze Internal Risk Capacity 

Assess your ability to manage or absorb financial, strategic, reputational, compliance and operational risks. As with objectives, your risk capacity should inform your appetite. So if you have a large budget, you could expand your appetite for business growth, as you can absorb issues such as market fluctuations and new regulations. 

3. Work With Stakeholders 

Defining risk appetite isn’t a job for risk professionals alone. Involve stakeholders at different levels within your organization, including operations managers, IT personnel, finance managers and procurement teams. 

These stakeholders can provide valuable input on potential vulnerabilities and your organization’s capacity to handle them, based on their experiences. They can also help your governance, risk and compliance (GRC) team develop a well-informed set of risk criteria and risk treatment strategies.

4. Establish Clear Risk Thresholds 

A good risk appetite framework doesn’t just provide qualitative statements. It also defines quantitative limits. Instead of simply stating that you have a low risk appetite for cybersecurity threats, you could define your appetite as “no more than two security threats per year.”

Establishing risk metrics helps you better monitor your risk exposure. It can also inform risk escalation measures. In this case, if you experience more than two threat incidents in a year, your IT team would know to escalate the issue to management so that executives can allocate resources to a system upgrade. 

5. Run Scenario Tests 

Simulate “what-if” scenarios to validate your risk appetite limits. For instance, if your framework sets a high risk appetite for innovation and growth, model the potential risk scenarios that come with this stance, such as:

  • Regulatory pressures when expanding into new markets
  • Limited operational capabilities 
  • Liquidity risks 
  • Slow market adoption 

Assess how each scenario impacts your operations and make necessary adjustments. If the impacts of a high risk appetite are too drastic, revise your framework to reflect a lower or zero appetite. 

6. Communicate With Teams 

A risk appetite framework is only effective when it’s embraced across an organization. So make sure every pertinent stakeholder, from executives to IT personnel and sales teams, understands yours. Try offering:

  • Risk-focused training sessions
  • Quick-reference guides 
  • Risk management dashboards that highlight acceptable risk levels across different business activities

Bridge Your Organization’s Risk Appetite and Management 

Establishing a risk appetite framework supports alignment between stakeholder expectations and business decisions. It can streamline decision-making, reduce operational bottlenecks and promote consistency in risk responses. 

However, defining your risk appetite is just one piece of the risk management puzzle. You also need to integrate it into your broader risk management strategy. That’s where enterprise risk management (ERM) platforms such as Onspring provide value. 

Onspring helps you operationalize your risk appetite by connecting risk registers, real-time dashboards and governance workflows in a single platform.

Want to take the next step? Download Onspring’s What’s Your Organization’s Appetite and Tolerance for Risk? guide today.
