
Risk appetite: how much is too much?

Date posted
27 March 2025
Type
Opinion
Author
Saeed Ahmadi
Estimated reading time
4 minute read

Every business takes risks. It’s part of reaching goals and staying competitive. But the big question is: how much risk should be taken? OSH Content Developer Saeed Ahmadi shares his views.

The first step is figuring out how much risk an organisation – or rather, the senior leadership team (SLT) – is comfortable with. This is called the risk appetite. It’s the level of risk a company is willing to accept to achieve its objectives. Who should determine risk appetite for the whole business, and how do they do it?

An important point is that risk, and an organisation's overall strategy to achieve its business objectives, are intertwined. One doesn’t exist without the other, and they must be considered together. That consideration takes place throughout the formulation and execution of the strategy. It’s most important to identify risks to business continuity, including occupational safety and health (OSH) concerns, when creating the strategy.  

What is risk appetite?

Think of risk appetite as the foundation of a company’s risk management strategy. It’s about how an enterprise views risk. This outlook shapes the workplace’s culture, operating style, and even how resources are allocated. A clear risk appetite helps a business align its people, processes and tools to monitor and respond to risks effectively.

If those involved in organisational risk management don’t understand the organisation’s appetite for risk, they won’t be able to implement suitable controls that meet the needs of the business. For example, a hospital might have zero tolerance for breaches in patient data security (a very low risk appetite) but could be open to higher risks when funding cutting-edge cancer research.

Another example is a construction firm that may set a low risk appetite for hazards like work at height and the risk of falls from height, ensuring strict adherence to fall protection protocols. At the same time, the company may tolerate a higher level of risk in exploring new project management software to streamline safety inspections and reporting, understanding that some trial and error might occur.

Risk appetite versus risk tolerance

It’s easy to mix up risk appetite and risk tolerance, but they’re not the same. Risk appetite is the big picture – how much risk a company is generally willing to take. Risk tolerance, on the other hand, refers to the specific limits a company is willing to operate within.

For example, a retail chain might accept more risk in testing new products (higher risk tolerance) but set strict limits on cyber security breaches (lower risk tolerance). A solid risk appetite isn’t guesswork. It requires careful analysis and should be built into a well-structured risk management framework.

Why understanding matters

Understanding the organisation’s risk appetite, as agreed by the SLT, can help OSH professionals and others to:

  • identify risks that could disrupt their progress toward goals
  • decide on ways to bring risks down to acceptable levels
  • use resources wisely without wasting time or money.

External factors like market trends or competition often shape risk appetite more than internal factors. In highly competitive industries, businesses may need to take bigger risks to stay ahead. Meanwhile, companies focused on compliance might prefer a more cautious approach.

Role of organisational culture

An organisation’s culture plays a big part in how it handles risk. Encouraging employees to take calculated risks can nurture innovation and help achieve strategic goals. A risk-averse culture might hold the company back.

Leaders need to set the tone. They should create an environment where teams feel confident making decisions within the organisation’s risk tolerance, and consider risks when making decisions.

Regular reviews are key

Risk appetite – the same as policies, risk assessments and action plans – can’t be set once and then left alone. It should evolve as a business grows and market conditions change. Regular assessments ensure an organisation takes calculated risks to meet its goals – without overstepping or wasting resources.

In the context of health and safety, resources refer to the time, money and effort invested in safety measures, training programmes, equipment and monitoring systems. For example, over-allocating resources to minor hazards like office chair ergonomics might divert attention from addressing critical risks such as falls from height in a workplace. Striking the right balance ensures resources are used effectively to protect workers and maintain business operations.

Final thoughts

Understanding and managing risk appetite is essential for any organisation. It’s about finding the right balance – taking enough risk to drive progress while avoiding unnecessary exposure. With a clear risk appetite, a business can make better decisions, stay focused on its strategic goals, and thrive in today’s ever-evolving world of work.

Last updated: 27 March 2025
