Risk appetite defines the amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives. It is set by senior leadership or the board of directors and serves as a guiding principle for all risk-related decisions. Risk appetite can be expressed qualitatively through policy statements or quantitatively through thresholds such as maximum acceptable financial loss or tolerable downtime.
A clearly articulated risk appetite ensures consistent decision-making across the organisation and prevents both excessive risk-taking and overly cautious behaviour that could hinder growth. It should be reviewed periodically and adjusted in response to changes in the business environment, threat landscape or regulatory requirements.