Risk Strategy
Risk Appetite for Mid-Market CFOs: What It Means and How to Set It
Risk appetite is the amount and type of risk a company is willing to accept in pursuit of its goals. Most mid-market companies do not need the Fortune 500 version. Here is the right-sized version, and how to set it.
By Eric Kennedy · Thu Jun 04 2026 · 8 min read
TL;DR: Risk appetite is the amount and type of risk a company is willing to accept in pursuit of its goals. Most mid-market companies do not have a formal one, and most do not need the Fortune 500 version, which is a long, board-ratified document full of quantitative limits that nobody reads. What a mid-market company needs is a short set of plain-language thresholds, four to six of them, that tell the executive team when a risk has crossed from acceptable to escalate. Set that way, risk appetite stops being a governance artifact and becomes a decision tool the leadership team actually uses.
Risk appetite has a reputation problem. Among risk professionals, the risk appetite statement is widely regarded as the hardest part of any enterprise risk management implementation, and the result tends to be one of two failure modes. Either the company never writes one, or it writes a multi-page document full of lines like "we have a low appetite for reputational risk" that sound responsible and change nothing.
The data says most companies land in the first camp. The 2025 AICPA and NC State State of Risk Oversight Report, which surveyed 273 U.S. organizations, found that outside of financial services, only about one-quarter of organizations have formally articulated their appetite for taking risks. This is not a problem that disappears with scale. Even among organizations with more than 1 billion dollars in revenue, just 29 percent said they had mostly or extensively articulated their risk appetite or tolerance as part of strategic planning. Financial services led the field at 41 percent, and that is almost entirely because regulators require it.
Who has actually articulated a risk appetite?
Share that have mostly or extensively articulated risk appetite or tolerance in strategic planning.
Source: AICPA and NC State 2025 State of Risk Oversight Report.
Kennedy Risk Group
So if your mid-market company does not have a risk appetite statement, you are in the majority, and that majority includes most of the Fortune 500. The question is not whether you are behind. The question is what risk appetite should actually do for a company your size, and how to set it without building something that collapses the first time you need it.
What is risk appetite?
Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives. COSO, the framework most U.S. companies reference, describes it as the broad types and amount of risk a company is willing to accept in pursuit of value. ISO 31000, the international standard, frames it almost identically: the amount and type of risk an organization is willing to pursue or retain.
Strip out the framework language and risk appetite answers one question for the executive team: how much of which risks are we willing to live with in order to grow the way we want to grow? A company chasing aggressive market expansion has a different appetite than one optimizing a stable, cash-generating book of business. Appetite is the line between the risk you accept on purpose and the risk you escalate.
Risk appetite vs. risk tolerance vs. risk capacity
These three terms get used interchangeably, and they should not be. They sit in a hierarchy, and the difference matters when you actually try to use them.
How Risk Capacity, Appetite, and Tolerance Nest
Risk Capacity
The maximum risk the company can absorb before survival or strategy is threatened. Set by the balance sheet.
Risk Appetite
The risk leadership chooses to take in pursuit of strategy. Always set inside capacity.
Risk Tolerance
The measurable threshold for a specific risk. Where appetite becomes a number you can monitor.
Kennedy Risk Group
Risk capacity is the outer boundary. It is the maximum amount of risk the company can absorb before its survival or core strategy is threatened, and it is a function of your balance sheet, your liquidity, and your operational limits. A company with significant reserves and an untapped credit line has a very different capacity than one running close to the edge.
Risk appetite sits inside capacity. It is the amount of risk leadership chooses to take in pursuit of the strategy. You never set appetite above capacity.
Risk tolerance is the operational guardrail. COSO describes it as the acceptable variation in performance tied to a specific objective. Where appetite is strategic and broad ("we accept moderate operational risk"), tolerance is specific and measurable ("no single customer above 15 percent of revenue," "system downtime no more than four hours per quarter"). Tolerance is where appetite becomes a number someone can monitor.
The practical takeaway: appetite without tolerance is a slogan. A statement that says "we have a low appetite for cyber risk" with no threshold attached is decorative. It tells no one when to act.
Do mid-market companies need a risk appetite statement?
Yes, but not the version most articles describe. The value of risk appetite is not the document. It is the clarity it forces. When a leadership team agrees, in advance, on how much customer concentration is acceptable or how much leverage is too much, it removes the in-the-moment debate that slows decisions and lets the loudest voice in the room win.
The problem is that almost all risk appetite guidance is written for large, regulated enterprises. It assumes a chief risk officer, a dedicated risk committee, quantitative models, and a multi-page framework reviewed by independent directors. That is the model that produces the decorative statement, because the effort goes into the document rather than the decisions.
A mid-market company can get the real benefit of risk appetite, the clarity, without any of that infrastructure. It just has to be built differently from the start, the same way the rest of a mid-market risk program is built differently from the Fortune 500 version rather than scaled down from it.
Why the Fortune 500 risk appetite statement fails at the mid-market
Three reasons, and they are the same reasons the broader Fortune 500 risk model does not scale down to a mid-market company.
It is too long to use. A twelve-page appetite framework with quantitative limits across thirty risk categories needs a team to maintain it and a meeting structure to review it. A mid-market executive team has neither the time nor the reason to operate it, so it gets written once and never opened again.
It is too abstract to act on. Statements written to satisfy a board committee drift toward language that cannot be falsified. "We are committed to the highest standards of data protection" is not an appetite. It is a press release. No one can hold it up during a real decision and know whether they are inside the line or outside it.
It is built quantitatively in a company that runs qualitatively. The same AICPA and NC State report found that only 3 percent of organizations assess risk using mostly quantitative models. The mid-market reality is judgment-based, and an appetite built on models the company does not actually run is a document, not a tool.
What a right-sized mid-market risk appetite looks like
A mid-market risk appetite is short, specific, and tied to a decision. In practice it is usually four to six category-level statements, each one paired with a threshold that triggers escalation. Not thirty categories. Not a quantitative model. Four to six lines the executive team can hold in their heads.
Each line does three things. It names the risk category in plain language. It states the posture, meaning low, moderate, or higher appetite, and why. And it sets the threshold that moves the risk from "managed" to "bring it to the table."
What a Mid-Market Risk Appetite Looks Like
Illustrative. The numbers come from your own strategy and balance sheet.
Customer concentration
Low appetite
No single customer above 20 percent of revenue; escalate to the CFO at 15 percent
Cyber and data
Low appetite
Any breach of customer data, or system downtime beyond four hours, escalates immediately
Growth and new markets
Higher appetite
Pursue new segments that fit core capabilities; capped at a set share of annual investment
Leverage
Moderate appetite
Net debt to EBITDA below an agreed ceiling; escalate half a turn below
Kennedy Risk Group
The test for every line is simple: could a member of the executive team use it to make a real decision next quarter? If yes, it belongs. If it reads like something written for a regulator, cut it.
How to set risk appetite at a mid-market company
Start from strategy, not from a risk list. Risk appetite only means something measured against what you are trying to do. Begin with the two or three things the company is betting on this year.
Pick four to six categories that actually move the strategy. For most mid-market companies these cluster around customer concentration, cyber and data, financial and liquidity, compliance, and one or two strategic bets. Skip the categories that do not threaten a real outcome.
Set a posture and a threshold for each. The posture is the sentence. The threshold is the number or condition that triggers escalation. Without the threshold, you have a slogan.
Tie it to the cadence you already have. The appetite gets reviewed in the existing quarterly executive or audit committee discussion, not in a separate process. When a threshold is breached, it goes on the agenda and against the relevant entry in your risk register.
Review it annually, and after anything that changes the strategy. A merger, a new market, a major regulatory change, a strategic pivot. Appetite tracks strategy, so it changes when strategy changes.
That is the whole program. It fits on one page, it takes a few working sessions to build, and every line earns its place by being usable in a decision.
Who owns risk appetite?
The board approves it, management operationalizes it, and the audit committee usually oversees it. Most mid-market companies have no chief risk officer and no separate board risk committee, and the 2025 AICPA and NC State report confirms this is the norm well beyond the mid-market: outside of financial services, boards most often delegate risk oversight to the audit committee rather than a dedicated risk committee.
For the CFO, the role is integration. Risk appetite belongs inside the financial planning and reporting rhythm the CFO already owns, not bolted on as a separate governance exercise. And under the standards that govern internal audit, the audit function does not set appetite or tolerance. It provides independent assurance that the appetite exists, that thresholds are being monitored, and that breaches are escalated. Setting the line itself is leadership's job.
Where to Start
If you want a quick read on where your risk program stands today, including whether your reporting is producing decisions or just documenting activity, start with the ERM scorecard. It takes a few minutes and gives you a maturity read on the spot. If you are ready to build a right-sized risk appetite as part of a full program, the ERM Foundation Build is where that work happens.
Take the ERM Scorecard{.cta-primary} See the ERM Foundation Build{.cta-secondary}
Frequently Asked Questions
What is the difference between risk appetite and risk tolerance?
Risk appetite is the broad, strategic level of risk a company is willing to accept in pursuit of its objectives. Risk tolerance is the specific, measurable boundary around that appetite for a given risk, the threshold that defines how much variation is acceptable before someone has to act. Appetite is the strategy; tolerance is the guardrail. An appetite statement without tolerance thresholds cannot be monitored or acted on.
Does a mid-market company need a formal risk appetite statement?
It needs the clarity a risk appetite provides, but not the long, board-ratified document built for large regulated enterprises. A mid-market company is better served by a one-page set of four to six plain-language category statements, each with a threshold that triggers escalation, tied to the existing quarterly review.
How many risk categories should a risk appetite statement cover?
For most mid-market companies, four to six. The categories should be the ones that actually threaten the strategy, which typically include customer concentration, cyber and data, financial and liquidity, compliance, and one or two strategic bets. More categories than that usually means the statement has stopped being usable.
Who approves the risk appetite statement?
The board approves it, management operationalizes it into thresholds and monitoring, and in most mid-market companies the audit committee provides oversight. Internal audit does not set the appetite. It provides assurance that the appetite exists and that breaches are escalated.
How often should you review risk appetite?
At least annually, as part of the strategic planning cycle, and again whenever something material changes the strategy, such as a merger, a new market, a regulatory change, or a strategic pivot. Appetite follows strategy, so it should be revisited when strategy moves.