Who typically determines the risk appetite for an organization?

Prepare for the Western Governors University ITCL3202 D320 Managing Cloud Security Exam. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

The determination of an organization's risk appetite is primarily the responsibility of senior management. This group is tasked with understanding the overall strategic goals and objectives of the organization, thus enabling them to make informed decisions regarding the level of risk that is acceptable in pursuit of those goals.

Senior management evaluates various factors, including the organization's mission, resources, regulatory environment, market conditions, and stakeholder expectations, to set a risk appetite that aligns with the organization’s broader strategy. By establishing a clear risk appetite, senior management provides guidance on how much risk the organization is willing to take in order to achieve its objectives, which is essential for making informed operational and strategic decisions.

In contrast, a contractual agreement may outline specific risks associated with particular deliverables or services but does not encompass the broader strategic view that senior management provides. Legislative mandates set minimum standards or compliance requirements but do not define how much risk an organization is prepared to accept overall. Appetite evaluation, while relevant, is typically part of a process driven by senior management rather than a standalone entity responsible for defining risk appetite.
