Define your organisation’s risk appetite

One of the mandatory requirements of the Victorian Government Risk Management Framework (VGRMF)(opens in a new window) is that each organisation defines its risk appetite (Your organisation’s risk appetite is the type and amount of risk that the organisation is willing to bear in pursuing its objectives).

By defining its appetite and making it explicit in a statement shared with decision-makers across the organisation, your responsible body and executive team send a clear signal to decision-makers about how much risk they may take, and create, in carrying out the functions and activities of the organisation.

A risk appetite statement also makes it clear to decision-makers how they should allocate the organisation’s resources to controlling risks. For example, managers shouldn't spend money on controlling risks which their responsible body has declared a high appetite for, at the expense of controlling risks which it has said it has a low appetite for.

Your internal and external context will present you with a wide range of different risks. Some of them may be complex or have many ‘moving parts’. You may need more than one statement of your risk appetite and, in fact, you may need a suite of them to articulate your responsible body’s appetite for risk.

For the sake of simplicity, we'll talk about your risk appetite statement—just bear in mind that the task is to define your risk appetite and this will, in many cases, require more than a sentence.

An essential part of your framework

As an essential part of your framework, your risk appetite statement should

align with your risk management policy
drive your risk management strategy and procedures
be demonstrated in the contents of your risk register through risk tolerance and key risk indicators.

Who's responsible for defining it?

Your responsible body (For a department, the responsible body is the accountable officer. For other agencies, it is the board or the person or body with ultimate decision-making authority), with the support of the executive team, must define the organisation’s risk appetite in a language that it can be

used by the executive team to analyse the organisation’s tolerance in relation to each risk
understood by decision-makers in the rest of the organisation so that they can apply it in their deliberations.

They should also show leadership by demonstrating how to use it in their own decision-making.

When should the responsible body do this?

A risk appetite statement should be defined at the same time as the organisation’s risk management framework.

If you have a framework already but not a risk appetite statement, then work with your responsible body to create one at your next opportunity. You should then review the other elements of your framework to make sure they're all consistent.

The appetite for risk changes, though, in response to what's going on within the organisation and in the environment, so does the risk itself. This means your responsible body and executive team should also look at their statement when

there's a change in the organisation’s internal and external context
the membership of your responsible body or executive team changes
they're developing a new strategy
they'e evaluating strategies and projects.

To illustrate the first point, we can look at the arrival of coronavirus in Victoria, which was a dramatic change in the environment we were all working and living in. Organisations needed to change their work practices overnight at the direction of the Victorian government. A consequence was that organisations became very keen to deliver or improve their delivery of online services, which involved re-balancing their appetite for risk to project budgets or risk of cyber threats.

Why define it?

The pandemic is an excellent example of how risk appetite connects directly to decisions about controlling risk, trading off one risk against another, and the performance of the organisation as it pursues its objectives.

It also shows that we all have an appetite for risk, even if we only discover what that is when a risk materialises in an event.

We know that risk is dynamic. It changes as your internal and external context changes. By defining risk appetite in advance, a responsible body gives both itself and the organisation a head start on making decisions about how to respond to that change:

the responsible body knows where it stands on the potential impacts of the risk and so will be able to make critical decisions quickly
decision-makers across the organisation will know when they need to take further steps to control a risk that's growing, and when they need to escalate it to the responsible body for a decision.

The other virtue of stating the risk appetite is that it sends a signal to decision-makers that they can and should take a risk, within boundaries, to meet their objective.

By setting the boundaries clearly, it can help make sure that those decisions about how much and what type of risk to take, are consistent, accountable and comply with legislation.

It also helps decision-makers decide when and how to control risk. Controlling risk comes at a cost, both the direct expense and in deciding not to do other things that might be worthwhile. This means that you should direct your resources to controlling risks that you have a low appetite for, rather than risks you have a high appetite for.

The role of risk practitioners?

Make a case and find examples

Risk practitioners should make a case for the value of a risk appetite statement, both to their responsible bodies and executive team, and to the wider organisation.

We recommend you find examples which are relevant to your organisation in order to show how consequential a risk appetite statement is.

- TAC has expressed its low tolerance for death and injury on Victoria’s roads in the campaign message “Towards zero”. This statement shapes the objectives, strategies and operations of the whole organisation.
- The Victorian Funds Management Corporation has determined that it has no appetite to invest state money in businesses that manufacture cluster bombs.
- Hospitals across Victoria make patient safety a priority because they have little to no appetite for the risk of preventable harm.
- Organisations committed under the Climate Change Act(opens in a new window) to a five-year Adaptation Action Plan(opens in a new window) for the system they operate in might find that they have no appetite for activities that cause them to miss the goals set out in the plan.

Work with their responsible body and executive team

Risk practitioners should support their organisation’s responsible body to define their risk appetite and work with the executive team to work out the organisation’s appetite for risk.

- alerting the responsible body to changes in the internal and external context that should trigger a review of their risk appetite
- reviewing the risks recorded in the risk register to see if risks need to be re-assessed and new controls or treatment plans put in place
- identifying what risk indicators should be monitored to stay within tolerance
- a communications plan to build understanding of the value of the risk appetite statement to the rest of the organisation and, for some decision-makers, how to use it effectively
- a training plan to build skills in using a risk appetite statement in decision-making or designing strategies and procedures.

Defining your organisation’s risk appetite

The real work here is in the discussion and deliberation of the individuals that make up your responsible body.

We recommend that you invest time in developing a methodology for deliberation that helps your responsible body work quickly to come to a consensus.

Whatever your method and workshop plan, it should work through these stages.

Come to a consensus about the objectives, functions and activities that your responsible body wants to focus on
Discover their appetite for those priorities
Come to a consensus about their risk appetite
Make a statement.

There are two steps in the work of defining your risk appetite: the first is to decide what's a priority for the organisation and the second is to define their appetite for risk in relation to those priorities.

What to do now

Once the responsible body has come to a consensus about its risk appetite, the executive team then works with risk practitioners and others in the organisation to
- analyse what the organisation’s tolerances are for these risks
- identify which indicators will be monitored to make sure the organisation stays within those tolerances
The executive team should also put governance and systems in place to
- monitor and report on indicators
- take action when the organisation comes close to or breaches tolerances
- review the statement regularly
- update it when there is a change in the organisation’s internal and external context
Plans, processes and the model of governance should be presented at a meeting of the Risk and Audit Committee for discussion and approval.
A risk appetite statement can directly inform decisions. In fact, it should be detailed and specific enough to make a material difference to decisions about objectives, organisational resilience, crisis management, insurance, shared risk and pursuing innovation.
For example
- a low appetite for risk to your organisation’s reputation may inform your decision about which contractor to choose to provide corporate information management services and how you manage the contract
- no appetite for risk to your organisation’s compliance with the Climate Change Act should guide decisions about the design of services and supply chains
- a high appetite for working differently in your organisation, even if it means changes to processes or culture, might lead to procurement strategy that favours small businesses.
Knowing your risk appetite may still leave your executive team and managers with dilemmas that need to be discussed. This shouldn’t be seen as a fault in your risk appetite statement but the virtue of having it all on the table for discussion.
For example, a board may state that it has a high appetite for improving the quality of its frontline services and so will ask for procedures be re-designed so that staff spend more time on face-to-face communication with the members of the public.
This may be in tension with their low appetite for the risk of their frontline staff being the target of abuse or violence, which will increase simply because they spend more time with members of the public.
These dilemmas exist in every working environment. A risk appetite statement exposes dilemmas whilst giving the executive team and managers the information and the trigger they need to balance these risks.
We also think your risk appetite statement should inform day-to-day operational decisions indirectly through the
- design of standard operating procedures for frontline staff
- development of training programs
- design of governance and reporting systems.
Take, for example, the members of a customer service team in day-to-day contact with people. They don’t need to know the detail of the statement of risk appetite for their day-to-day decisions, but the person…
- responsible for the fit-out of their work area needs to know where the organisation stands on the health and safety of its employees and visitors to their sites
- responsible for a procedure for responding to suspicious activity will also need to be across the organisation’s appetite for risk and trade-offs between the free movement and the exposure of staff and visitors to the risk of violence
- who writes the policy on how the organisation will respond to a request for information held by the organisation will need to be across the organisation’s appetite for risk when it comes to sharing information, including their legal obligations under the Freedom of Information Act, the Health Records Act, or any other legislation.
These are just three ways in which a risk appetite statement can make a difference indirectly, to the way people in your organisation make decisions day to day.

Updated 5 June 2025