Risk appetite for SMEs: how to write a one-page statement
A risk appetite statement defines how much risk you are willing to take. For an SME, three to five concrete thresholds on one page is usually enough.
A risk appetite statement (in the ISO 31000 / ISO Guide 73 sense: the amount and type of risk the organization is willing to pursue or retain) is a written definition of how much risk the company will take in defined areas. For an SME it does not need to run to many pages. Three to five concrete thresholds, set by the board and applied in every risk report, is usually enough.
Why a written statement matters
Without a stated risk appetite, the board and management have no shared language for when a risk has become too big. Every assessment becomes ad hoc. A risk that looks acceptable to the CEO may look alarming to the board — and without a written criterion, you end up arguing about who is right. A risk appetite statement removes that argument by defining thresholds in advance.
SME example: four concrete thresholds
One-page risk appetite for a smaller SME:
- Leverage: Maximum 3.0x rolling EBITDA. Warning at 2.5x.
- Customer concentration: No single customer above 25% of annual revenue. Warning at 20%.
- Liquidity: Minimum 60 days of operating cash on hand. Warning when cash falls below 90 days.
- Single-event impact: No single event may reduce EBITDA by more than 20%.
Four lines. Measurable. Used every time.
Appetite vs. tolerance
Two concepts are often confused. Risk appetite is what you actively want to accept in pursuit of returns. Risk tolerance is what you can survive without breaking. They are not the same. A company can have an appetite for 2.5x leverage and a tolerance of 3.5x — the gap between the two is your buffer.
Two traps — vague or over-engineered
Most SMEs fall into one of two traps:
- Too vague: "We accept a moderate risk profile consistent with our business model." That means nothing and cannot be enforced.
- Over-engineered: 14 pages of matrices, scenarios and dependencies. It does not get read. It does not get used.
The right version is concrete, measurable thresholds — three to five — that you can actually check at each meeting.
Warning level vs. breach level
For each threshold, define two levels:
- Warning — the level at which the board is notified and a plan is drawn up.
- Breach — the level at which the risk appetite has been exceeded and the board must decide to act or change the threshold.
The gap between the two is your reaction time. If the warning is at 2.5x and the breach is at 3.0x, you have time to act before you are out of options.
Who owns the document?
The board approves the risk appetite and refreshes it at least annually. The CEO or CFO owns its operation, meaning the responsibility for reporting against the thresholds each quarter. If a threshold is breached, the board must take a position: tighten the response or adjust the threshold. Both are legitimate answers, but the choice must be explicit and recorded.
The balancing dimension
A stated risk appetite is the foundation of the fourth dimension of good risk communication: balance. Without a written criterion, no one can judge whether a risk is inside or outside appetite. With one, every risk report becomes a more objective assessment — not a gut feel.