Overview
Risk Appetite defines the level and types of risk an organization is willing to accept in pursuit of its objectives. Risk Legion enables you to configure risk appetite at multiple levels and automatically flags risks that exceed your defined tolerance.
Understanding Risk Appetite
Key Definitions
| Term | Definition |
|---|---|
| Risk Appetite | The amount of risk an organization is willing to accept to achieve its strategic objectives |
| Risk Tolerance | The acceptable level of variation around risk appetite |
| Risk Capacity | The maximum amount of risk an organization can absorb |
| Risk Threshold | The specific level at which risks require escalation |
Risk Appetite vs. Risk Tolerance
Risk Levels in Risk Legion
Risk Legion uses a 5×5 risk matrix with four risk levels:
| Level | Score Range | Description |
|---|---|---|
| Low | 1-4 | Acceptable risk, routine monitoring |
| Medium | 5-9 | Elevated risk, enhanced monitoring |
| High | 10-15 | Significant risk, active management |
| Very High | 16-25 | Critical risk, immediate action required |
Risk Score Calculation
The risk score is the product of an impact score and a likelihood score, each rated from 1 to 5, which gives the 1-25 range of the 5×5 matrix above.
Impact
| Score | Level | Description |
|---|---|---|
| 1 | Insignificant | Minimal financial loss, no regulatory impact |
| 2 | Minor | Small financial loss, minor regulatory attention |
| 3 | Moderate | Moderate financial loss, regulatory review |
| 4 | Major | Significant financial loss, regulatory action |
| 5 | Catastrophic | Severe financial loss, license threat |
Likelihood
| Score | Level | Description |
|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances |
| 2 | Unlikely | Not expected but possible |
| 3 | Possible | Might occur at some time |
| 4 | Likely | Will probably occur |
| 5 | Almost Certain | Expected to occur frequently |
Configuring Risk Appetite
Enterprise-Level Configuration
Set the default risk appetite for your entire organization:
- Navigate to Governance → Risk Appetite
- Click Configure Enterprise Appetite
- Select the maximum acceptable risk level
- Add description/rationale
- Click Save
Entity-Level Configuration
Override the enterprise default for specific Legal Entities:
- Navigate to Governance → Risk Appetite
- Click Add Entity Override
- Select the Legal Entity
- Set the risk level for that entity
- Click Save
Entity-level settings override the enterprise default. This allows for different risk profiles across your organization.
Hierarchical Resolution
Risk Legion resolves risk appetite using a hierarchy: a Legal Entity override is applied first, and the enterprise default is used where no override exists. Business Unit level risk appetite is planned for a future release. Currently, the hierarchy resolves from Legal Entity to Enterprise.
Risks Above Appetite
Automatic Detection
Risk Legion automatically identifies risks that exceed appetite:
- During BRA assessment, residual risk is calculated
- System compares residual risk score to applicable appetite threshold
- Risks above threshold are flagged as “Above Appetite”
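The following is an added example, not part of the Risk Legion product or its documentation, that puts the scoring tables, the Legal Entity → Enterprise resolution and the above-appetite check together in runnable form. It assumes that residual risk is compared by level (the appetite is configured as a maximum acceptable risk level), and the scenario data, entity names and configuration values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Risk levels from the 5x5 matrix: (name, lowest score, highest score)
LEVELS = [
    ("Low", 1, 4),
    ("Medium", 5, 9),
    ("High", 10, 15),
    ("Very High", 16, 25),
]
LEVEL_RANK = {name: rank for rank, (name, _, _) in enumerate(LEVELS)}


def risk_score(impact: int, likelihood: int) -> int:
    """Residual risk score = impact (1-5) x likelihood (1-5)."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must each be in 1..5")
    return impact * likelihood


def risk_level(score: int) -> str:
    """Map a 1-25 score onto the four risk levels."""
    for name, low, high in LEVELS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix")


@dataclass
class AppetiteConfig:
    # Enterprise default: maximum acceptable risk level for the organization
    enterprise_max_level: str
    # Entity-level overrides: legal entity name -> maximum acceptable level
    entity_overrides: dict = field(default_factory=dict)


def resolve_appetite(cfg: AppetiteConfig, legal_entity: str) -> str:
    """Hierarchical resolution: Legal Entity override first, then Enterprise."""
    return cfg.entity_overrides.get(legal_entity, cfg.enterprise_max_level)


def is_above_appetite(score: int, appetite_level: str) -> bool:
    """A risk is above appetite when its level exceeds the applicable maximum."""
    return LEVEL_RANK[risk_level(score)] > LEVEL_RANK[appetite_level]


def assess(cfg: AppetiteConfig, scenarios: list) -> list:
    """Score every scenario and flag those above the resolved appetite."""
    results = []
    for s in scenarios:
        score = risk_score(s["impact"], s["likelihood"])
        appetite = resolve_appetite(cfg, s["entity"])
        results.append({
            "scenario": s["name"],
            "entity": s["entity"],
            "score": score,
            "level": risk_level(score),
            "appetite": appetite,
            "above_appetite": is_above_appetite(score, appetite),
        })
    return results


def within_appetite_pct(results: list) -> float:
    """Figure behind the 'Within Appetite' hero card."""
    if not results:
        return 100.0
    within = sum(1 for r in results if not r["above_appetite"])
    return round(100.0 * within / len(results), 1)


# Constructed configuration: enterprise accepts up to Medium, one entity up to High
CONFIG = AppetiteConfig("Medium", {"Bank Example SA": "High"})

# Constructed BRA scenarios (hypothetical names and ratings)
SCENARIOS = [
    {"name": "Wire fraud via compromised client", "entity": "Bank Example SA",
     "impact": 4, "likelihood": 4},   # 16 -> Very High, above High
    {"name": "Vendor data exposure", "entity": "Insurer Example Ltd",
     "impact": 3, "likelihood": 3},   # 9 -> Medium, within Medium
    {"name": "Sanctions screening gap", "entity": "Insurer Example Ltd",
     "impact": 5, "likelihood": 2},   # 10 -> High, above Medium
    {"name": "Minor reporting delay", "entity": "Bank Example SA",
     "impact": 2, "likelihood": 2},   # 4 -> Low, within High
]

if __name__ == "__main__":
    results = assess(CONFIG, SCENARIOS)
    for r in results:
        flag = "ABOVE APPETITE" if r["above_appetite"] else "within appetite"
        print(f"{r['scenario']}: {r['score']} ({r['level']}) vs {r['appetite']} -> {flag}")
    print(f"Within appetite: {within_appetite_pct(results)}%")
```

Comparing by level rather than by raw score is what makes an appetite of "High" accept a score of 15 but flag 16; if a deployment expresses appetite as a numeric threshold instead, the comparison in `is_above_appetite` is the single place to change.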
Dashboard Visibility
The dashboard prominently displays:
- “Within Appetite” Hero Card - Percentage of risks within tolerance
- Risks Above Appetite Count - Number of scenarios exceeding appetite
- Risk Distribution Chart - Visual breakdown by risk level
Automatic Mitigation Actions
When a risk exceeds appetite:
- System can automatically create mitigation actions
- Actions are linked to the specific risk scenario
- Default priority is set based on risk level
- Actions appear in the Action Plans module
Risk Appetite History
Risk Legion maintains a complete history of risk appetite changes.
Viewing History
- Navigate to Governance → Risk Appetite
- Click View History
- See all changes with:
  - Previous value
  - New value
  - Changed by
  - Changed at
  - Reason (if provided)
Audit Compliance
All risk appetite changes are:
- Logged in the audit trail
- Immutable once recorded
- Available for compliance reporting
- Retained per data retention policy
Best Practices
Board-Level Approval
Risk appetite should be:
- Approved by the Board or Risk Committee
- Documented in a formal risk appetite statement
- Reviewed annually or after significant changes
- Communicated across the organization
Align with Strategy
Risk appetite should reflect:
- Strategic objectives
- Regulatory requirements
- Stakeholder expectations
- Industry benchmarks
Differentiate by Category
Consider different appetites for:
- Compliance risks (typically low appetite)
- Operational risks (varies by business)
- Strategic risks (may accept higher levels)
- Reputational risks (typically very low)
Regular Review
Review and update risk appetite:
- After significant incidents
- When strategy changes
- Following regulatory changes
- At least annually
Regulatory Considerations
Basel Framework
Under Basel III/IV, banks must:
- Define risk appetite aligned with business strategy
- Integrate risk appetite into the risk management framework
- Report on risks exceeding appetite
- Demonstrate Board oversight of risk appetite
BACEN Requirements (Brazil)
Brazilian financial institutions must:
- Maintain a documented risk appetite statement
- Review appetite annually
- Report appetite breaches to management
- Include in ICAAP/ILAAP documentation
API Reference
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/governance/risk-appetite | GET | Get current risk appetite configuration |
| /api/v1/governance/risk-appetite | POST | Create/update risk appetite (upsert) |
| /api/v1/governance/risk-appetite/{id} | DELETE | Remove entity-level override |
| /api/v1/governance/risk-appetite/history | GET | Get risk appetite change history |