Skip to main content

Overview

Risk Appetite defines the level and types of risk an organization is willing to accept in pursuit of its objectives. Risk Legion enables you to configure risk appetite at multiple levels and automatically flags risks that exceed your defined tolerance.

Understanding Risk Appetite

Key Definitions

Risk Appetite vs. Risk Tolerance

Risk Levels in Risk Legion

Risk Legion uses a 5×5 risk matrix with four risk levels:

Risk Score Calculation

Impact Scale: Likelihood Scale:

Configuring Risk Appetite

Enterprise-Level Configuration

Set the default risk appetite for your entire organization:
  1. Navigate to Governance → Risk Appetite
  2. Click Configure Enterprise Appetite
  3. Select the maximum acceptable risk level
  4. Add description/rationale
  5. Click Save

Entity-Level Configuration

Override the enterprise default for specific Legal Entities:
  1. Navigate to Governance → Risk Appetite
  2. Click Add Entity Override
  3. Select the Legal Entity
  4. Set the risk level for that entity
  5. Click Save
Entity-level settings override the enterprise default. This allows for different risk profiles across your organization.

Hierarchical Resolution

Risk Legion resolves risk appetite using hierarchy:
Business Unit level risk appetite is planned for a future release. Currently, the hierarchy resolves from Legal Entity to Enterprise.

Risks Above Appetite

Automatic Detection

Risk Legion automatically identifies risks that exceed appetite:
  1. During BRA assessment, residual risk is calculated
  2. System compares residual risk score to applicable appetite threshold
  3. Risks above threshold are flagged as “Above Appetite”

Dashboard Visibility

The dashboard prominently displays:
  • “Within Appetite” Hero Card - Percentage of risks within tolerance
  • Risks Above Appetite Count - Number of scenarios exceeding appetite
  • Risk Distribution Chart - Visual breakdown by risk level

Automatic Mitigation Actions

When a risk exceeds appetite:
  1. System can automatically create mitigation actions
  2. Actions are linked to the specific risk scenario
  3. Default priority is set based on risk level
  4. Actions appear in the Action Plans module

Risk Appetite History

Risk Legion maintains a complete history of risk appetite changes:

Viewing History

  1. Navigate to Governance → Risk Appetite
  2. Click View History
  3. See all changes with:
    • Previous value
    • New value
    • Changed by
    • Changed at
    • Reason (if provided)

Audit Compliance

All risk appetite changes are:
  • Logged in the audit trail
  • Immutable once recorded
  • Available for compliance reporting
  • Retained per data retention policy

Best Practices

Risk appetite should be:
  • Approved by the Board or Risk Committee
  • Documented in formal risk appetite statement
  • Reviewed annually or after significant changes
  • Communicated across the organization
Risk appetite should reflect:
  • Strategic objectives
  • Regulatory requirements
  • Stakeholder expectations
  • Industry benchmarks
Consider different appetites for:
  • Compliance risks (typically low appetite)
  • Operational risks (varies by business)
  • Strategic risks (may accept higher levels)
  • Reputational risks (typically very low)
Review and update risk appetite:
  • After significant incidents
  • When strategy changes
  • Following regulatory changes
  • At least annually

Regulatory Considerations

Basel Framework

Under Basel III/IV, banks must:
  • Define risk appetite aligned with business strategy
  • Integrate risk appetite into risk management framework
  • Report on risks exceeding appetite
  • Demonstrate Board oversight of risk appetite

BACEN Requirements (Brazil)

Brazilian financial institutions must:
  • Maintain documented risk appetite statement
  • Review appetite annually
  • Report appetite breaches to management
  • Include in ICAAP/ILAAP documentation

API Reference

Example: Set Enterprise Risk Appetite

Example: Set Entity Override

See API Reference for complete documentation.