Risk Management

5 Myths About Risk Appetite That Leaders Still Believe

Risk appetite becomes useful only when leaders translate it into tolerance limits, escalation rules, and site-level decisions that protect fatal-risk controls.


Key takeaways

  1. Risk appetite sets the strategic boundary, while risk tolerance defines the operational band before the plan must change.
  2. A green matrix sorts scenarios, but it does not prove that controls are working or that appetite is respected in the field.
  3. Board language only matters when it reaches decision rights, escalation triggers, and stop conditions for live work.
  4. Low residual risk can still be unacceptable when the consequence is severe or the control stack is fragile.
  5. Site-specific thresholds are necessary because different operations carry different exposure profiles and failure modes.

Risk appetite is not a slogan and it is not a colored box on a monthly slide. It is the boundary leadership chooses when it decides how much uncertainty the business will carry in pursuit of an objective, and the boundary only works when it reaches site-level decisions, escalation rules, and stop conditions that the field can actually use.

In the 2024 Census of Fatal Occupational Injuries, the US Bureau of Labor Statistics recorded 5,070 fatal work injuries. That figure is one reason risk appetite cannot stay inside a board memo, because fatal exposure does not wait for a neat strategy statement to become operational.

Across 25+ years leading EHS at multinationals, Andreza Araujo has seen leaders confuse appetite, tolerance, and acceptance until no one knows who must stop the job. In Safety Culture: From Theory to Practice and A Ilusao da Conformidade, her point is simple: the risk conversation is useful only when it changes repeated decisions, not when it merely sounds sophisticated.

What risk appetite actually means

ISO 31000 asks organizations to define risk criteria before they assess, treat, and review risk. That ordering matters, because a company cannot know whether a scenario is acceptable until it has decided what level of exposure it is willing to carry, what deviation is tolerable, and which event would trigger escalation or redesign.

Risk appetite is the strategic boundary. Risk tolerance is the operational band around that boundary. Risk acceptance is the decision to live with a specific residual risk after controls are in place. When leaders collapse those terms into one phrase, they create language that sounds careful while producing weak decisions.

The same confusion appears in Risk Appetite vs Risk Tolerance: 3 Decision Lines, but this article goes one step further. It shows how the vocabulary fails when the board, the plant, and the supervisor all use the same word for different decisions.

Myth 1: risk appetite and risk tolerance are the same

They are not the same, and the difference is not academic. Appetite defines how much exposure the organization is prepared to carry in pursuit of a goal. Tolerance defines the operational range before the organization must change the plan, stop the work, or escalate the issue.

Patrick Hudson’s maturity thinking is useful here because mature organizations do not rely on slogans. They define what good looks like, what deviation is still admissible, and where the line moves from managed variation to unacceptable drift. That is the level of clarity a risk owner needs.

| Term | What it answers | Who owns it | Field test |
| --- | --- | --- | --- |
| Risk appetite | How much exposure the organization is willing to carry to reach an objective | Board and executive leadership | Can the company explain which scenarios it will never trade for speed or cost? |
| Risk tolerance | How much variation is allowed before the plan must change | Executives, plant leaders, and risk owners | Is there a threshold that forces escalation before the work drifts too far? |
| Risk acceptance | Whether the residual risk is acceptable after controls | Decision maker for that scenario | Can the owner defend the decision if the control fails today? |

The practical trap is clear in Risk Matrix: 8 Distortions That Hide Fatal Exposure. A matrix can sort scenarios, but it does not tell you whether the organization is inside appetite. Only a decision rule can do that.

Myth 2: a green matrix proves appetite is under control

A green matrix proves only that someone scored the hazard as low or acceptable by the rules used in the matrix. It does not prove the controls are working, the assumptions are current, or the scenario has not drifted into a different class of exposure. ISO 31010 exists precisely because organizations need methods that fit the decision, not a single grid that pretends to fit all decisions.

In safety, the matrix often rewards optimism. If the team scores a scenario low because the injury is not visible, the green box can hide weak isolation, weak maintenance, bad sequencing, or contractor exposure. James Reason is useful here because latent conditions make the wrong answer look normal long before the event becomes visible.

The article SIF Rate vs TRIR vs Precursors: Which Metric Fits shows the same problem from a different angle. A green box or a low TRIR can both hide the exposure that matters most, which is why risk appetite must be tied to barrier verification instead of to surface color.

Myth 3: the board can write appetite once and walk away

The board can set appetite once, but the organization cannot run it once. Appetite has to be translated into decision rights, escalation triggers, scenario thresholds, and stop conditions that supervisors can use before the work starts. If that translation never happens, the appetite statement becomes decoration.

Across more than 250 cultural transformation projects supported by Andreza Araujo’s team, the same pattern appears. Leadership announces a strong position, but the field still lacks a rule for when the work is too risky to continue. That gap is where production pressure starts making the real decision.

For multi-site groups, the translation should be visible in the risk register, the management review, and the pre-job conversation. The article Leading Indicators: 7 Metrics TRIR Will Never Show belongs here because appetite without weekly verification is still a hope, not a control system.

When the board wants this work done properly, one useful question is simple: what would make us stop, redesign, or escalate this scenario tomorrow? If no one can answer that question, then the appetite statement has no field authority.

Myth 4: low residual risk means the job is acceptable

Low residual risk does not automatically mean acceptable. A residual risk can be low and still be unacceptable if the consequence is severe enough, if the control stack is fragile, or if the scenario sits inside a critical path where one failure can reach a serious injury or fatality. Acceptability is a decision, not a score.

This is where James Reason matters again. Latent failures can stay quiet until they line up with an active failure, so a low score can mislead a team into thinking the job is safe when the barrier design has never been strong enough. Bird and Heinrich help here too, because precursor events deserve more attention than the final injury count often gets.

For that reason, residual risk should be reviewed alongside control assurance, contractor exposure, and the credibility of recovery if the control fails. If the team cannot say what happens when the barrier does not work, then the job is not finished, even if the matrix looks calm.

Myth 5: one appetite statement fits every site

A global appetite statement can guide the company, but it cannot replace site-specific thresholds. A warehouse, a chemical plant, a distribution center, and a maintenance shutdown do not carry the same exposure profile, contractor mix, or failure mode. The appetite language can stay common, but the tolerance limits must reflect the work that each site actually performs.

This is why a single statement without local translation turns into corporate wallpaper. The board may say it wants zero fatal exposure, but the plant manager still needs to know what level of deviation from a permit, a lifting plan, or an isolation check triggers intervention today. That translation belongs in the decision log, not only in the strategy paper.

The article SIF Rate vs TRIR vs Precursors: Which Metric Fits is a useful companion because each site needs a metric package that fits its own exposure. Risk appetite works the same way. The principle can be shared, but the control boundary must be local.

What leaders should do now

Start by writing the appetite statement in plain language. Then translate it into three items that the field can use: a threshold, an escalation route, and a stop condition. If any of those three items is missing, the appetite statement is incomplete.

Next, test the statement against three live scenarios. Choose one high-energy task, one contractor task, and one routine task that tends to drift. Ask the owner to show where appetite becomes tolerance, where tolerance becomes acceptance, and where acceptance would be refused.

Finally, review the result in management review and in the weekly operational cadence. If the boundary does not change permits, maintenance priority, supervision, or design decisions, then the boundary is not real.

  • Write the appetite in one sentence that a supervisor can repeat without interpretation.
  • Define the tolerance band for the top scenarios that can lead to serious harm.
  • Assign one owner for escalation and one owner for control verification.
  • Link the statement to a live metric, a decision log, and a stop condition.
  • Review one case every month to confirm the boundary still matches the work.

A risk appetite statement only matters when it changes the next decision in the field, because any boundary that stays inside the board pack is not a boundary at all.

Closing note

Risk appetite is a governance tool, not a decorative phrase. It defines what the organization will carry, what it will not carry, and where leadership must stop or redesign the work. When leaders confuse it with tolerance or acceptance, they lose the ability to set real boundaries.

If your team needs help turning appetite into field-ready thresholds and control rules, Andreza Araujo’s safety culture diagnostics and book catalog are a practical place to start. Visit Andreza Araujo or explore the store to move from language to decision.


Frequently asked questions

What is the difference between risk appetite and risk tolerance?
Risk appetite is the amount of uncertainty leadership is willing to carry in pursuit of an objective. Risk tolerance is the operational band around that appetite, which tells the organization when a deviation is still allowed and when the work must change or stop.

Why is a green risk matrix not enough?
A green matrix only shows how a scenario was scored. It does not prove that the controls are effective, that assumptions are current, or that the scenario still fits the same exposure class. Leaders need barrier verification and decision rules, not only color.

Can the board set risk appetite once and leave it alone?
No. The board can define the principle, but the organization still has to translate it into thresholds, escalation paths, and stop conditions for specific tasks and sites. Without that translation, the statement stays abstract.

Why can low residual risk still be unacceptable?
A residual risk can be low and still be unacceptable when the consequence is severe, when the control stack is fragile, or when the work sits close to a fatal scenario. Acceptability is a judgment about the decision, not only a score.

How does Andreza Araujo use this idea in practice?
Andreza Araujo uses risk language as part of culture and leadership work, not as a slide exercise. In her books and advisory work, the focus stays on repeated decisions, field verification, and the boundary between what leaders say they want and what the work still allows.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
