The risk appetite statement may take on a variety of forms. However, it always makes a broad statement about the relative riskiness of the company and how that aligns with the way business is conducted. The risk appetite statement could be a one-line declarative comment that is part of a broader mission statement or overarching company policy. Recently, however, companies have branched from the one-liner to compose short documents that elaborate on the one-line statement. Many times the statement is qualitative, but just as often it may include quantitative information.

When working out a risk appetite statement, five key steps will enable you to truly reflect on the company’s areas of risk hunger, risk aversion, and overall tendency to push the envelope—or not:

Make the high-level risk statement.Build the risk appetite statement as part of the strategic planning and budgeting process. Think about the direction the company is heading and the strategic initiatives that will get you there. Consider how this will impact growth expectations and the budget over the next year, then start with a few qualifying and focusing questions. What sort of growth and activities will happen? Where? How do these factors affect your idea of risk-taking and the types of risks you see playing out in the near and longer term? It’s important to arrive at a common idea of these considerations with your board and senior management. Do the hard work; boil down your responses to a few key, overarching statements.

Get specific.Make specific statements about your total risk tolerance. It is best to do this, if possible, in the context of the total amount of capital at stake (economic capital or maximum loss threshold) and for each area of risk. Figure out your target solvency standard—the target debt rating. How will you use this within existing models and measures? What does this imply for current company activities? Conduct these measures in a two-step process. First, identify the key areas to call out. Then, using the plan for the year, forecast the impact on each risk area. If possible, do this quantitatively as well as qualitatively.

Target risk versus return.Use the specific measures you just set to project the risk-adjusted return on economic capital, RAROC, or economic profit implied by this plan. Test to ensure that it aligns with expectations.

Set thresholds.Establish the key thresholds. Identify the core risks that you monitor, and whether thresholds will be defined for specific departments, products, or portfolios within the company, rather than generally. What is the maximum risk allowable in each area? How do these contribute to your total risk? Build triggers, and a process to identify and address the situation if a trigger is hit.

Socialize and communicate the process.Besides setting the overall appetite itself, this may be the most important step. Your risk appetite statement must be ratified by both management and the board. In doing so, everyone agrees to the framework and the boundaries it establishes. Also ensure that the risk appetite statement is well communicated to all key employees, particularly those involved with risk management and mitigation and those in key risk-taking positions. Make sure everyone understands the direction.

Your risk appetite statement will only serve the company effectively if you establish realistic boundaries and thresholds. Without them, the statement becomes like a fenceless yard: the shape seems obvious, but individual shoots or entire sections will overtake the boundary before trouble is noticed.

It is vital for you to remember that these are high-level thresholds. They create the starting point for other limits—hard and soft, quantitative and qualitative—to set in the future. They are not intended to be day-to-day limits—at least not on most days.

Now for a few pointers. Once you’ve set the thresholds, monitor and manage them like any other limit, but on a less frequent basis (normally, anyway). Make your boundaries actionable and able to be checked. Include a trigger or buffer so you have time to react in case of a risk event or potential disruption.

Finally, build the process to monitor and report on the status of thresholds while also addressing any breaches of triggers that might occur.

The actual structure of the risk appetite statement can vary from one company to another. Some companies use a highly quantitative format; others use a more qualitative approach. This decision generally stems from resources available to the company with respect to its risk measurement and forecasting capabilities.

A risk appetite statement enables companies to determine their willingness to take risks.

Nevertheless, the framework of the statement is usually similar. An effective two-page (or shorter) summary can be broken down into four distinct sections: