Governance, Risk & Compliance

How to Write a Risk Appetite Statement

A practical UK guide to writing a risk appetite statement, with the SYSC 7 and FSB definitions of appetite, capacity, tolerance and limits.

7 min read Published 17 Jul 2026
How to Write a Risk Appetite Statement

A risk appetite statement is the document where your board writes down, in plain terms, how much risk and what types of risk the firm is willing to accept in order to meet its objectives. Done well, it turns an abstract idea into a working tool that shapes decisions, sets boundaries for management, and gives the board a clear line of sight over where the firm is operating and where it is drifting.

In the UK this is not just good practice. The FCA Handbook requires firms to establish risk management policies that, where appropriate, set the level of risk the firm is willing to tolerate, and the Financial Stability Board (FSB) has published the reference framework that regulators lean on when they describe what a good statement looks like. The Prudential Regulation Authority (PRA) expects boards to articulate the amount of risk they are willing to take and to see promptly when the firm moves outside it.

This guide explains what a risk appetite statement is, how it differs from risk capacity, tolerance and limits, and how to write one that satisfies SYSC 7, earns board ownership, and cascades into the day to day running of the business. Every rule and definition below is drawn from a primary source.

What a risk appetite statement actually is

The FSB defines a risk appetite statement as the articulation in written form of the aggregate level and types of risk that a firm is willing to accept, or to avoid, in order to achieve its business objectives. It is not a compliance artefact filed away after board approval. It is meant to be easy to communicate, easy for stakeholders to understand, and directly linked to the firm's strategy.

Critically, the FSB says a statement must contain both qualitative statements and quantitative measures. The quantitative side expresses appetite in terms such as earnings, capital, liquidity-at-risk or other relevant metrics that can be aggregated and disaggregated. The qualitative side sets the overall tone for risk taking and articulates clearly why the firm takes on or avoids certain types of risk. The FSB is explicit that the statement should also address risks that are harder to quantify, including reputation and conduct risks, money laundering and unethical practices.

A statement can span more than one document, but the FSB stresses that where it does, the parts must form a coherent whole so the board obtains a holistic yet compact view. In other words, if a reader cannot tell from your materials how much risk the firm is willing to accept and why, the statement is not doing its job.

Capacity, appetite, tolerance and limits: the terms that matter

Most weak statements fail because the drafters blur four distinct ideas. The FSB glossary keeps them separate, and getting the language right is the first discipline of writing a good statement. Risk capacity is the ceiling set by your resources and obligations. Risk appetite is the level you choose to operate at within that ceiling. Limits are how that appetite is allocated to the business. Tolerance, in FCA language, is simply the level of risk the firm is prepared to accept, which can be set as an overall statement or broken down by business unit.

The FSB deliberately narrows its own vocabulary. It notes that the terms risk appetite, risk tolerance and risk limits are used by different authors with slightly different meanings, so for clarity it uses only risk appetite and risk limits. UK firms should pick their own consistent definitions and stick to them, because a statement that uses appetite and tolerance interchangeably in different sections invites exactly the confusion the framework is trying to remove.

The table below sets out the four terms using the FSB definitions and the FCA wording, so you can lift a consistent glossary straight into your own policy.

TermWhat it meansSource
Risk capacityThe maximum level of risk the firm can assume given its current resources before breaching constraints set by regulatory capital and liquidity needs, its operational environment, and its obligations.FSB
Risk appetiteThe aggregate level and types of risk the firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.FSB
Risk toleranceThe level of risk tolerated by the firm, which may be set as an overall statement or as separate tolerances for individual business units.FCA SYSC 7.1
Risk limitsQuantitative measures that allocate the firm's aggregate risk appetite to business lines, legal entities, specific risk categories and concentrations.FSB
Definitions drawn from the FSB Principles for an Effective Risk Appetite Framework and FCA SYSC 7.1.

How the four terms nest together

Risk capacity is the outer ceiling; appetite sits within it; limits allocate appetite to the business; the risk profile is where the firm actually is at a point in time.

Risk capacity (ceiling)100%
Risk appetite (chosen)70%
Aggregate risk limits55%
Current risk profile48%

How SYSC 7 frames the requirement

The FCA's risk control rules sit in SYSC 7.1. SYSC 7.1.2 R requires a firm to establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems and, where appropriate, set the level of risk tolerated by the firm. That last phrase is the regulatory hook for a risk appetite statement: setting the level of risk you tolerate is the substance of the exercise.

The Handbook then requires the firm to adopt effective arrangements, processes and mechanisms to manage that risk in light of the level of risk tolerance it has set, and it confirms that the level of risk tolerated can be expressed either as an overall statement or as various risk tolerances for individual business units. SYSC 7.1.5 R goes further, requiring the firm to monitor compliance with those arrangements and the adequacy and effectiveness of the measures taken to address any deficiencies.

Ownership is explicit. SYSC 7.1.6 R requires the management body to approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in relation to the status of the business cycle. Note the scope: many of these SYSC 7.1 provisions apply as rules to common platform firms and certain other firms, and other firms should take account of them as if they were guidance. Either way, the direction of travel is the same, so build your statement to the standard and record which parts bind you as rules. You can read how we help firms operationalise this in our governance and controls tooling.

What the PRA expects from the board

For PRA-regulated firms the expectations are set out in the PRA's approach to banking supervision. The PRA expects firms to articulate the amount of risk they are willing to take across different business lines to achieve their strategic objectives, and it expects that risk appetite to be consistent with the regulator's objectives and supported by proper attention to identifying, measuring and controlling risks, including those arising in unlikely but very severe scenarios.

The board sits at the centre. The PRA says the board should articulate and maintain a culture of risk awareness and ethical behaviour for the whole organisation to follow, and that boards should ensure they receive adequate and timely information on key risks and on variances from the firm's agreed risk appetite so they can monitor and challenge executive management. Reporting is expected to flag risks that fall outside the agreed appetite.

The PRA also expects escalation to match significance. Key decisions, both on assuming new risks and managing existing ones, should be taken at the appropriate level, including at board level where they are sufficiently important, with risks outside the agreed risk appetite and key sensitivities highlighted. A statement that never triggers a board conversation when a threshold is breached is not being used as intended.

Writing the statement, step by step

A risk appetite statement is developed top down and bottom up. The FSB describes setting the institution-wide appetite as the first step, after which the aggregate appetite is allocated down to business lines and other levels in alignment with the firm's strategic and business plans. That allocation needs input from the business, not just the centre, which is why the drafting process matters as much as the final wording.

The steps below follow the FSB's own description of what an effective statement should do, adapted for a UK firm working to SYSC 7. Treat them as a drafting order rather than a one-off checklist, because the statement should be revisited whenever strategy, capacity or the risk profile shifts.

1
Anchor to strategy
Capture the strategic and business plan assumptions the statement rests on, so appetite ties to objectives.
2
Establish capacity
Determine the maximum risk the firm can bear before breaching regulatory, liquidity and operational constraints.
3
Set the appetite
State the aggregate level and types of risk the firm will accept within capacity to meet objectives.
4
Add quantitative measures
Express appetite in earnings, capital, liquidity or other metrics that can be aggregated and disaggregated.
5
Add qualitative statements
Explain why the firm takes on or avoids risks, including reputation and conduct risks, with clear boundaries.
6
Cascade into limits
Allocate the aggregate appetite into risk limits for business lines, entities and risk categories.
7
Stress test it
Check what events would push the firm outside its appetite or capacity under severe scenarios.
8
Board approval
Have the management body approve the statement and commit to periodic review under SYSC 7.1.6 R.

Cascading appetite into limits and monitoring

A statement only changes behaviour once it becomes measurable limits that people work to. The FSB defines risk limits as the allocation of the aggregate risk appetite to business lines, legal entities, specific risk categories and concentrations. It says limits should be specific and sensitive to the actual shape of portfolios, measurable, frequency based, reportable and built on forward looking assumptions. It also warns that limits should not be overly complicated, ambiguous or subjective, and should not simply default to regulatory limits or peer benchmarks.

Measurable limits are your defence against unknowingly exceeding capacity as conditions change. The FSB notes that having limits which can be measured helps prevent a firm from breaching its risk capacity as markets move, and acts as a defence against excessive risk taking. For risks that resist numbers, such as reputation risk, limits should still be measurable even through qualitative assessment, which stops conduct and reputational exposures from falling outside the framework.

Monitoring closes the loop. SYSC 7.1.5 R requires firms to monitor the adequacy and effectiveness of their risk management policies and the measures taken to address deficiencies, and the PRA expects timely reporting of variances from agreed appetite. Build the reporting so that a breach is visible, owned and escalated rather than quietly absorbed. If you are standing up this framework as part of an authorisation application, our authorisation support can help you evidence it to the regulator.

Conclusion

A risk appetite statement is worth writing only if it is used. The regulatory anchors are clear: SYSC 7 requires firms to set the level of risk they tolerate and requires the management body to approve and periodically review the underlying strategies, while the FSB and PRA set out what a credible statement contains and how the board should own it. Keep the four terms distinct, pair quantitative measures with honest qualitative statements about conduct and reputation, and make sure the aggregate appetite cascades into limits that people actually work to.

Above all, avoid the rubber stamp. The FSB warns supervisors to check that boards do not merely rubber stamp management's recommendation, and the PRA expects boards to see and challenge variances from appetite. Treat the statement as a living instrument that gets revisited when strategy, capacity or the risk profile moves, and it becomes one of the most useful governance documents your firm holds.

Frequently asked questions

What is a risk appetite statement?

It is the written articulation of the aggregate level and types of risk a firm is willing to accept, or to avoid, in order to achieve its business objectives. The FSB says it must combine qualitative statements with quantitative measures and be directly linked to the firm's strategy, and it should also address hard to quantify risks such as reputation and conduct risk.

Is a risk appetite statement legally required in the UK?

SYSC 7.1.2 R requires firms to maintain risk management policies that, where appropriate, set the level of risk the firm tolerates, and SYSC 7.1.6 R requires the management body to approve and periodically review the related strategies and policies. Many SYSC 7.1 provisions apply as rules to common platform firms and certain other firms, while other firms should take account of them as if they were guidance, so you should check how they bind your particular firm.

What is the difference between risk appetite and risk capacity?

Risk capacity is the maximum level of risk a firm can assume given its current resources before it breaches constraints set by regulatory capital, liquidity, its operational environment and its obligations. Risk appetite is the level the firm chooses to accept within that capacity to achieve its objectives. Appetite always sits inside capacity.

How do risk limits relate to a risk appetite statement?

Risk limits are how the aggregate appetite is allocated to business lines, legal entities, risk categories and concentrations. The FSB says limits should be specific, measurable, frequency based, reportable and forward looking, and they should constrain risk taking within appetite rather than simply default to regulatory limits or peer comparisons.

Who owns the risk appetite statement?

The board owns it. The FSB says the board must establish the risk appetite framework and approve the statement, developed in collaboration with the CEO, CRO and CFO, and SYSC 7.1.6 R requires the management body to approve and periodically review the underlying strategies and policies. The PRA expects boards to receive timely information on variances from agreed appetite and to challenge management.

What should the quantitative part of the statement include?

The FSB says quantitative measures should express appetite in terms such as earnings, capital, liquidity-at-risk or other relevant metrics, set so they can be aggregated and disaggregated and translated into risk limits for business lines and entities. These should be paired with qualitative statements that explain the motivations for taking on or avoiding particular risks.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide