Every organisation already manages risk; it just usually does it in silos, with no one adding up the total. Enterprise risk management (ERM) is the attempt to see and steer that total from the top, and risk appetite is the deceptively simple statement of how much of it you are willing to carry on purpose. Get the appetite vague and ERM becomes paperwork; get it sharp and it becomes a decision rule a manager can actually use on a Tuesday.

The quick version

  • Enterprise risk management manages risk across the whole organisation as a portfolio: strategic, financial, operational and reputational risks looked at together, rather than department by department.
  • Risk appetite is "the types and amount of risk, on a broad level, an organisation is willing to accept in pursuit of value" (COSO's definition). It is a deliberate choice, not a default.
  • Appetite, tolerance and capacity are not synonyms: capacity is the most you could survive, appetite is how much you choose to take within that, and tolerance is the measurable wobble you'll accept around a specific target.
  • The point of all this is not to minimise risk (that just minimises the business) but to take the right risks knowingly, and to make "are we inside appetite?" a question anyone can answer before they act.

The idea in depth: from silos to a portfolio

The oldest mistake in risk is treating each risk in isolation. A bank can have a flawless credit team, a flawless trading desk and a flawless IT department and still fail, because no one was watching how those risks correlated and compounded. ERM exists to close that gap. The most widely used articulation comes from COSO, the Committee of Sponsoring Organizations of the Treadway Commission, whose 2017 framework, Enterprise Risk Management, Integrating with Strategy and Performance, organises ERM into five components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication and reporting (summary via the NC State ERM Initiative). The 2017 revision's headline move was to bolt risk onto strategy: risk is something you weigh while setting objectives, not something you check after the plan is written.

In practice that means dropping "what's on the risk register?" as a quarterly ritual and asking "what could stop this strategy from working?" at the moment the strategy is being chosen. A risk conversation that happens only after the board has approved the plan has missed the point; ERM has already failed at its main job.

The companion standard is ISO 31000:2018, which gives the cleanest one-line definition of risk itself: "the effect of uncertainty on objectives." Notice what that definition does and doesn't say. It doesn't say risk is bad; an effect can be positive. And it ties risk to objectives: with no goal, there is no risk, only events. ISO 31000 frames risk management as principles, a framework and a process you embed into how the organisation already runs, rather than a separate bureaucracy bolted on the side.

An honest limitation. Frameworks like COSO and ISO 31000 are scaffolding, not magic. They tell you how to organise a risk programme; they cannot tell you which risks matter most for your business, and they are routinely implemented as box-ticking: a heat-map deck no one reads, produced to satisfy auditors. A thin, ritualistic ERM programme can give a board false comfort. The framework is only as good as the honesty of the conversations it triggers.

Risk appetite: the word that does the work

If ERM is the machinery, risk appetite is the setting on the dial. COSO defines it as "the types and amount of risk, on a broad level, an organisation is willing to accept in pursuit of value" (COSO, Risk Appetite, Critical to Success). The phrase "in pursuit of value" is the part people skip, and it's the most important part. Appetite is not about how much loss you'll stomach; it's about how much risk you'll deliberately take on to get something you want. A start-up chasing a new market and a pension fund protecting retirees should have wildly different appetites, and both can be right.

Risk appetite isn't how much you can lose. It's how much risk you'll choose to carry to get something worth having.

The single most useful thing a leader can do here is to stop treating three different words as interchangeable. Risk capacity is the hard ceiling, the maximum risk the organisation could absorb before its survival is threatened, set by capital, liquidity and resilience. Risk appetite is the strategic choice of how much risk to take within that ceiling; appetite should always sit below capacity, never on it. Risk tolerance is narrower still: the acceptable variation around a specific target, usually expressed as a number, a downtime window, a percentage variance, a credit-loss threshold. Appetite is the sentence; tolerance is the figure that makes the sentence enforceable.

flowchart TB
  A(["Risk capacity: the most we could survive"]) --> B(["Risk appetite: how much we choose to take"])
  B --> C(["Risk tolerance: measurable limits per objective"])
  C --> D(["A decision a manager can make today"])

From an absolute ceiling down to a usable threshold: appetite sits inside capacity, and tolerance makes appetite operational. Diagram: Leaders Loop.

The fix is to write appetite statements that bite. "We have a low appetite for regulatory and safety risk and a high appetite for product-experimentation risk" is a real statement: it tells a product manager they can ship a rough beta but not skip a safety review. "We are committed to managing risk appropriately" is not a statement; it's wallpaper. A good test: would two managers, reading your appetite statement, make the same call on the same decision? If not, it isn't doing its job yet.

Why the risk–uncertainty distinction matters

There's an older idea underneath all of this that keeps risk leaders honest. In 1921 the economist Frank Knight, in Risk, Uncertainty and Profit, drew a line that still matters: risk is when you don't know the outcome but you can know the odds (a measurable quantity, like a portfolio's loss distribution); uncertainty is when you can't even know the odds, now called "Knightian uncertainty" (see the MIT News explainer).

Know which kind you're facing before you reach for a tool. Quantitative models, appetite thresholds and stress tests are powerful against measurable risk. Against true uncertainty (a pandemic, a technology nobody saw coming) a precise number is false comfort; there you need judgment, optionality and resilience instead. The most dangerous risk programmes are the ones that dress uncertainty up as risk by attaching a confident decimal to it.

A worked example

Take a mid-sized online retailer, call it Harborline. (Illustrative figures throughout; this is a teaching example, not a real company.) The board has approved an aggressive plan: expand into two new countries and launch a buy-now-pay-later (BNPL) option to lift conversion. Risk is managed in silos: finance frets about credit losses, ops about fulfilment in unfamiliar markets, legal about consumer-credit regulation in each country. Nobody owns the total.

An ERM approach asks the COSO question at the strategy table, not after it: what could stop this plan from working, across all four risk types at once? Then it sets appetite in plain language. Harborline's board agrees a high appetite for growth and market-entry risk (this is the whole point of the plan) but a low appetite for regulatory and credit risk (a consumer-credit breach or a wave of defaults could threaten the business itself). That single distinction does real work.

flowchart TD
  S(["Strategy: enter 2 markets + launch BNPL"]) --> Q{"What could stop this, across all risk types?"}
  Q --> G(["Market-entry risk: HIGH appetite, go"])
  Q --> C(["Credit / regulatory risk: LOW appetite, tight limits"])
  C --> T(["Tolerance: default rate < 4% (illustrative)"])
  T --> M{"Defaults trending toward 4%?"}
  M -->|"Yes"| A(["Tighten lending, escalate to board"])
  M -->|"No"| K(["Carry on, inside appetite"])

Appetite turns into a number (tolerance), and the number turns into a trigger that tells a manager exactly when to act.

Now appetite becomes a tolerance an analyst can monitor: lending is capped so the expected default rate stays below an illustrative 4%, with automatic escalation to the board if it trends above 3.5%. The market-entry side is left looser; the company expects some bruises learning a new country and has decided that's a cost worth paying. When defaults creep toward the threshold in month four, nobody has to convene a committee to debate whether it's a problem: the tolerance already said it was, and the pre-agreed move fires. That's ERM working: not preventing the risk, but catching it at the line the business chose in advance, while letting the bets it wanted to make run free.
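The trigger above is simple enough to encode, and doing so is the test of whether a tolerance is really "a number an analyst can monitor." The following is an added illustration written for this page, not code from the original article or from any real company: it takes the Harborline credit tolerance (default rate below 4%, escalate when trending above 3.5%) and evaluates a monthly series of observed default rates against it. The monthly figures are constructed, and the trend rule (a straight-line projection over the last three months) and the action labels are assumptions chosen for the example, not anything the page prescribes.

```python
"""Tolerance monitor for the Harborline teaching example (added illustration).

Appetite: "low appetite for credit risk."  Tolerance: default rate < 4%.
Trigger: escalate to the board if the rate is, or is trending, above 3.5%.
Figures, lookback window and action labels are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CARRY_ON = "carry on, inside appetite"
    ESCALATE = "tighten lending, escalate to board"
    BREACH = "tolerance breached, halt new lending pending board decision"


@dataclass(frozen=True)
class Tolerance:
    name: str
    limit: float      # hard tolerance: at or above this the line is crossed
    trigger: float    # early-warning line: observed or projected rate here escalates
    lookback: int = 3 # months of history used for the trend projection (assumption)


# Illustrative tolerance from the worked example: 4% limit, 3.5% escalation.
CREDIT = Tolerance(name="BNPL default rate", limit=0.04, trigger=0.035)


def projected_next(series: list[float], lookback: int) -> float:
    """Straight-line extrapolation of the last `lookback` observations by one month.

    Falls back to the latest value when fewer than two points are available,
    so a single month never triggers on trend alone.
    """
    window = series[-lookback:]
    if len(window) < 2:
        return series[-1]
    slope = (window[-1] - window[0]) / (len(window) - 1)
    return window[-1] + slope


def evaluate(tolerance: Tolerance, series: list[float]) -> Action:
    """Return the pre-agreed action for the latest observation in `series`.

    Order matters: an outright breach is reported before a mere trend warning,
    and the trend warning fires on either the observed or the projected rate.
    """
    if not series:
        raise ValueError("need at least one observation")
    latest = series[-1]
    if latest >= tolerance.limit:
        return Action.BREACH
    projected = projected_next(series, tolerance.lookback)
    if latest >= tolerance.trigger or projected >= tolerance.trigger:
        return Action.ESCALATE
    return Action.CARRY_ON


def monitor(tolerance: Tolerance, monthly_rates: list[float]) -> list[Action]:
    """Replay the series month by month, as a monitoring job would see it."""
    return [evaluate(tolerance, monthly_rates[: i + 1]) for i in range(len(monthly_rates))]


# Constructed monthly default rates: a slow creep, as in the worked example.
HARBORLINE_MONTHS = [0.021, 0.024, 0.028, 0.033, 0.041]


def run_harborline() -> list[Action]:
    return monitor(CREDIT, HARBORLINE_MONTHS)


if __name__ == "__main__":
    for month, action in enumerate(run_harborline(), start=1):
        print(f"month {month}: {HARBORLINE_MONTHS[month - 1]:.1%} -> {action.value}")
```

Two design points worth noticing. Month four escalates even though the observed 3.3% is still under the 3.5% line, because the three-month trend projects 3.75% next month; that is what "trending above" buys you over a plain threshold. And the escalation path is encoded as a return value rather than a log line, so the same decision can drive a dashboard, a ticket or an automated lending cap without anyone re-deciding what the tolerance meant.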

Frequently asked questions

Isn't ERM just risk management with a fancier name?

The difference is the word "enterprise." Traditional risk management handles risks one function at a time: credit risk in finance, safety risk in operations. ERM looks at the whole portfolio together, because risks correlate and compound, and because the riskiest thing an organisation does is usually its strategy, which no single department owns. The aim is a single, top-down view of total risk against the strategy, not a stack of departmental registers no one reconciles.

Who actually sets the risk appetite?

The board owns it, as part of its governance and oversight role; management proposes it, operationalises it into tolerances, and reports against it. That split matters: appetite is a statement of the organisation's values and ambition, which is properly a board-level decision, while turning it into thresholds and monitoring is management's job. If your appetite was written by the risk team alone and the board has never debated it, it isn't really the organisation's appetite.

Doesn't all this just make a company slower and more cautious?

It shouldn't, and a good appetite statement does the opposite. The point of naming a high appetite for, say, product experimentation is to give teams explicit permission to take those risks without seeking sign-off each time. ERM done well removes friction from the bets you've decided to make and concentrates scrutiny on the few that could sink you. If your risk process only ever says "no," it's being used as a brake, not a steering wheel.

How is risk appetite different from risk tolerance?

Appetite is broad and strategic: the kinds and overall amount of risk you'll accept in pursuit of value. Tolerance is narrow and measurable: the acceptable variation around a specific objective, usually a number. Appetite says "we have a low appetite for unplanned downtime"; tolerance says "at least 99.9% monthly uptime, i.e. no more than about 43 minutes of downtime a month." Appetite gives the intent; tolerance gives the line you monitor.

Can a small company do ERM, or is it only for banks?

The principles scale down. A small firm doesn't need a risk committee and a software platform; it needs the leadership team to spend an hour naming the handful of things that could genuinely break the business, deciding which risks it's happy to run and which it isn't, and agreeing a trigger for the dangerous ones. That conversation is ERM. The frameworks are heavy because they're built for complex organisations; borrow the thinking, not the bureaucracy.

Related in the Toolkit

Risk appetite only becomes real once you've found and sized the risks it applies to (risk identification & assessment) and written them somewhere with an owner and a plan (risk registers & mitigation strategies). And appetite is a governance decision, so it lives or dies on who's accountable for it, which is where the board's role comes in.

Where to go next