A common problem with discussions on risk appetite is that definitions can be unclear and different terms can be used interchangeably to mean the same thing. Below are definitions for four commonly used terms associated with risk appetite statements:

Risk ceiling — The threshold beyond which the firm would no longer be able or allowed to operate. The risk ceiling could be breached by factors that go beyond the threats of direct financial weaknesses that cause liquidation. When the risk ceiling is breached, there is no more headroom for the firm to carry out business and take on risk. As a corollary, a breach of the risk ceiling need not always result in the firm ceasing to be a going concern or filing for bankruptcy. A firm might have been affected by reputational issues such as media onslaughts, or depositor perceptions or market perceptions causing a contraction in liquidity despite the fundamental financial soundness of the institution. This might result in a temporary shock, from which the firm may not recover in the absence of extreme measures such as taxpayer or government intervention. The risk ceiling is therefore conceptually important especially when discussing reverse stress testing.

Risk appetite — The aggregated account of the board’s willingness (to allow management) to take risks in the pursuit of strategic objectives. A corporate risk appetite statement is derived through the prioritisation of stakeholder needs and executive and non‐executive interaction at board level. It is a counterpart to organisational strategy and like broad organizational strategic aims, it should be written in a high‐level and overarching statement. It sets out an appetite that is based on the interactions between various risks associated within pursuing strategic objectives and the internal and external capabilities available to manage such risks.

Risk profile — The true risk position of the firm at a given point in time. In the real world, not all aspects of a firm’s risk profile will be immediately consistent with changes to the board’s risk appetite.

Risk tolerances — The boundaries within which the executive management are willing to allow the true, day‐to‐day, risk profile of the firm to fluctuate, while they are executing business objectives in accordance with the board’s strategy and risk appetite.

Upper bound of risk tolerance — The level of risk that the executive team is willing to allow the risk profile to rise to, before it expects Board intervention.

Lower bound of risk tolerance — The minimum level of risk the executive team expects to take to achieve agreed objectives.

Risk-bearing capacity — The risk space in which the firm could choose to achieve a trade‐off between risk and return. In the diagram above, the risk‐bearing capacity is the area below the bold black line. (Also read, Five factors to measure your risk-bearing capacity.)

Source: Corporate Risk Appetite: Ensuring Board and Senior Management Accountability for Risk, Deepa Govindarajan, ICMA Centre, Henley Business School, University of Reading.