Writing a Risk Appetite Statement Your Board Will Approve

How to write a risk appetite statement that the board approves, the executive uses, and the audit committee can meaningfully oversee — qualitative stance, quantitative tolerances, escalation and review.

29 Jun 2026 · 11 min read · Outliers Editorial Desk

Few documents the board approves are referenced more often, and understood less precisely, than the risk appetite statement. It appears in board papers, in the annual report, in the audit committee's terms of reference and in the regulator's questionnaire — but ask three directors what their organisation's risk appetite actually is, and you will often get three different answers.

This article is a practical guide to writing a risk appetite statement (RAS) that the board will approve, the executive team will actually use, and the audit committee can meaningfully oversee. It is written for Nigerian boards, CROs, CFOs and risk committee members preparing — or rewriting — the RAS.

What a risk appetite statement is for

A risk appetite statement is the board's standing instruction to management on the amount and type of risk the organisation is willing to accept in pursuit of its strategy. Done well, it does three things.

It constrains management within an agreed risk envelope — capital, liquidity, FX, credit, operational, compliance, reputational.

It allocates capital and attention — telling the executive where they should be spending risk capacity (growth, new markets, new products) and where they should not.

It gives the audit committee something to test against — a breach of a stated tolerance is a defined event with a defined escalation path; without a RAS, "have we taken too much risk?" is an opinion question.

A RAS that does none of these things is paper compliance.

What it is not

It is not a risk register. The risk register identifies specific risks the organisation faces; the RAS sets the boundaries within which the executive may manage them.

It is not a strategy document. Strategy says what the organisation will pursue; the RAS says how much risk the board is willing to underwrite in pursuit of it.

It is not a one-off document. A RAS that has not been recalibrated since the last NFEM reform, the last capital adequacy update, or the last material change in operating environment is out of date.

The structure of a usable RAS

After reviewing many Nigerian risk appetite statements — across financial services, manufacturing, oil and gas, and growth-stage businesses — we recommend a structure with seven sections. This is the structure the board approves; the dashboard and operating limits sit underneath.

1. Purpose and scope

State why the RAS exists, what it covers, and which entities and currencies are in scope. A RAS that covers the parent but is silent on material subsidiaries is incomplete.

2. Definitions

Distinguish, in the body of the document, between risk appetite (the aggregate level and type of risk the board accepts), risk tolerance (the acceptable variation around objectives, usually quantified), and risk limits (hard quantitative ceilings). The terms are often used interchangeably; the discipline of distinguishing them in the document is itself a control.

3. Governance and responsibilities

State, in a single table, who does what. The board approves the RAS. The risk committee recommends it and monitors utilisation. The CEO operationalises it within strategy and budget. The CRO owns the framework and produces the monitoring dashboard. Internal audit provides assurance over implementation.

4. Risk categories and the qualitative appetite

For each major category — strategic, financial, operational, compliance, reputational — state in plain English the board's stance.

For most Nigerian boards, the categorisation looks like this:

  • Strategic — we accept measured risk in pursuit of profitable growth in our core markets; ventures outside the stated strategy require board approval.
  • Financial — we maintain capital and liquidity buffers above regulatory minimums at all times; we hedge material FX exposures within approved limits.
  • Operational — we have low tolerance for control failures that result in customer harm, material loss or regulatory action.
  • Compliance — we have zero tolerance for wilful regulatory breach, fraud, or unethical conduct.
  • Reputational — we will not engage in activity that, if disclosed, would damage the trust of our customers, regulators or communities.

The qualitative statements must be specific enough to drive decisions. "We have a moderate appetite for operational risk" is not a usable statement; the five above are.

5. Quantitative tolerance metrics

For each category, define a small number of measurable tolerance metrics with explicit green / amber / red thresholds.

A defensible starting set for a Nigerian non-financial corporate:

  • Liquidity — liquidity coverage ratio: green ≥130%; amber 115–130%; red <115%.
  • Capital — capital adequacy buffer above regulatory minimum: green ≥200 bps; amber 100–200 bps; red <100 bps.
  • FX — unhedged FX exposure as % of equity: green <5%; amber 5–10%; red >10%.
  • Operational — material incidents per quarter: green 0; amber 1; red ≥2.
  • Compliance — regulatory breach count YTD: green 0; amber 1; red ≥2.
  • Reputational — adverse media events per quarter: green 0; amber 1; red ≥2.

Five well-chosen metrics that the executive can answer in real time are worth more than 30 metrics that nobody reports.

Calibrate the actual thresholds to your sector, capital base, regulator expectations and prior loss experience. Off-the-shelf thresholds are a starting point, not the answer.

6. Escalation and breach reporting

State, in the policy, what happens at amber and red.

Amber — early warning. Reported at the next risk committee. CRO produces a movement note and proposed action.

Red — breach. Reported to the risk committee chair within five business days and to the board at its next meeting. CRO and the relevant executive present the remediation plan. Breach logged in the breach register and tracked to closure.

Persistent amber — if a key risk indicator (KRI) remains amber for two consecutive quarters, treat it as red. In our experience, most uncontrolled deterioration does not start with a red event; it starts with two quarters of amber that were tolerated.

7. Review

State the cadence. The RAS is reviewed at least annually, aligned to strategy and budget; it is reviewed within 60 days of a material change in strategy, capital position, regulatory environment, or major incident.

The board approval workflow

A common failure pattern is for the CRO to take a draft RAS straight to the board for first review. By the time the board has spent 20 minutes on the qualitative statements, there is no time for the tolerance metrics, the metrics get rubber-stamped, and the RAS is operationally weak from day one.

A better workflow:

1. CRO drafts the RAS in consultation with the executive committee.
2. Risk committee reviews — spending most of its time on the tolerance metrics, the calibration of thresholds, and the escalation thresholds.
3. Board approves the recommended RAS, with minutes recording the rationale for any departure from the risk committee's recommendation.
4. Approved RAS is circulated to executive committee, internal audit and external auditor.
5. Material change requires board re-approval; minor recalibration may be delegated to the risk committee.

The discipline here is that the risk committee, not the full board, is the place to debate calibration. The board's role is to approve the resulting envelope and to challenge the qualitative stance.

The conversations the RAS is supposed to provoke

A RAS that the board approves with no debate is almost always a RAS that the executive has aligned to current practice rather than to a forward view. The conversations a useful RAS provokes include:

  • Are we comfortable with our current FX exposure relative to equity, or do we need to hedge more?
  • Is our liquidity buffer adequate for a 30-day disruption to the FX market?
  • What does "moderate" strategic appetite actually mean for the M&A pipeline?
  • Are we explicit enough that we do not tolerate wilful regulatory breach — or have we left wriggle room?
  • What is the trajectory on our compliance breach count, and is it inside the tolerance the board has stated?

A board meeting that spends 45 minutes on these questions has made the RAS earn its place in the board pack.

Monitoring after approval

The RAS is meaningful only if it is monitored.

  • Monthly — executive committee reviews KRI movement against thresholds.
  • Quarterly — risk committee reviews the full dashboard; breach register; remediation status.
  • Annually — board reviews and re-approves; CRO presents recalibration recommendations.

The dashboard should fit on one page per category, with current KRI value, trend, threshold band, and management commentary. An executive summary page should show category-level status (green / amber / red) and the top three risks for board attention.

What the audit committee should test

The audit committee — or the risk committee, depending on the governance structure — should be able to satisfy itself, at least annually, that:

  • The RAS has been formally reviewed and re-approved by the board.
  • Each defined tolerance has been monitored at the stated cadence.
  • Every breach in the period was escalated through the stated route.
  • The remediation log is current and is being closed at an acceptable pace.
  • The dashboard the executive uses is consistent with the dashboard the board sees.

Where the Outliers Risk Appetite Statement Toolkit fits

We maintain a working risk appetite statement toolkit aligned to the structure above. It includes the qualitative stance, a quantitative tolerance matrix, escalation thresholds, the board approval workflow, a sample RAS, a sample tolerance matrix and monitoring dashboard guidance — all calibrated for Nigerian boards.

It is a starting point, not an end. The board must own the qualitative statements and calibrate the quantitative thresholds to the business. But it is a much better starting point than a blank document.

If you are writing your first RAS, or rewriting one that has lost its operational meaning, start with the Risk Appetite Statement Toolkit. The broader Risk Management Centre and its resource library provide the dashboards, registers and board packs that surround the RAS in a working ERM operating model.

Download the Risk Appetite Statement Toolkit to bring a working structure to your next board discussion of risk appetite.
