🚨 THE MOST DANGEROUS RISK APPETITE IS THE ONE NOBODY REALISES THEY HAVE: Why Boards Often Drift Into Risk Rather Than Deliberately Choosing It

Most organisations have two risk appetites: the one approved by the board and the one expressed through behaviour. The governance challenge is not what appetite leaders declare, but what appetite the system actually rewards.

Dr Alwin Tan, GAICD, MBBS, FRACS, EMBA (Melbourne Business School)

Senior Surgeon | Governance Leader | HealthTech Co-founder
Harvard Medical School — AI in Healthcare
Australian Institute of Company Directors — GAICD graduate
University of Oxford — Sustainable Enterprise

Institute for Systems Integrity

Abstract

🚨 Many boards believe they are governing risk appetite. They are actually governing the consequences of decisions already made.

Risk appetite is often treated as a governance document.

It is approved by the board, translated into frameworks, and monitored through reporting processes.

The problem is that risk appetite does not begin in the risk function.

It begins in strategy.

And long before it appears in a risk register, it is already shaping decisions about growth, investment, workforce, safety, innovation and organisational priorities.

🚨 The most dangerous risk appetite is often the one nobody realises the organisation already has.

This article argues that risk appetite is not a downstream control mechanism. It is a strategic design constraint that determines which choices are possible, which trade-offs are acceptable, and which consequences an organisation is willing to tolerate.

For healthcare systems, where strategic decisions directly influence patient outcomes, workforce sustainability and public trust, this distinction is critical.

The governance challenge is therefore not simply defining risk appetite.

It is ensuring that the appetite approved by the board is the same appetite being expressed throughout the system.

Because many organisations do not have a risk management problem.

They have a risk appetite problem.


Most Boards Think They Govern Risk Appetite

Many Are Actually Governing After-the-Fact Rationalisations

A common governance assumption persists across many organisations:

Strategy defines ambition.

Risk manages downside.

The two functions operate in parallel.

This separation creates a dangerous illusion.

Strategy is approved.

Objectives are established.

Targets are set.

Resources are allocated.

Only then does the organisation ask:

"What are the risks?"

🚨 By the time a strategy reaches the risk register, the most important governance decisions have already been made.

The Australian Institute of Company Directors emphasises that risk is inherent in strategy and should be integrated into strategic decision-making processes rather than considered separately (AICD 2026).

The governance question is therefore not whether risk is considered.

🚨 The question is not whether risk is considered. The question is whether risk appetite shaped the decision before the decision was made.

Because risk appetite is not something that should be applied to strategy.

🚨 Risk appetite is something that should shape strategy from the beginning.


Risk Appetite Is Not A Risk Management Tool

It Is The Invisible Architecture Of Strategy

Risk appetite is commonly defined as the level and type of risk an organisation is willing to accept in pursuit of its objectives.

This definition is correct.

But it is incomplete.

🚨 Risk appetite is not a risk management tool. It is the invisible architecture of strategy.

A more useful governance interpretation is:

Risk appetite is a design constraint that shapes which strategies are viable in the first place.

Just as engineers design within the constraints of gravity, materials and physics, boards must design strategy within the constraints of organisational risk appetite.

🚨 Every strategy is designed within constraints. Risk appetite is one of them.

This has three implications.

1. Risk Appetite Precedes Strategy

Risk appetite influences:

  • which opportunities are pursued
  • which investments are prioritised
  • which business models are viable
  • which trade-offs are acceptable

🚨 Risk appetite determines which futures an organisation is willing to pursue and which futures it is willing to forgo.

2. Risk Appetite Shapes Strategic Choice

Strategic objectives are not defined independently and then checked against risk.

They are calibrated by risk appetite.

🚨 Boards do not choose strategy first and risk second. Whether they realise it or not, they choose both simultaneously.

3. Risk Appetite Governs Execution

Risk appetite only becomes meaningful when it influences:

  • organisational design
  • operating thresholds
  • escalation pathways
  • resource allocation
  • behavioural expectations

If risk appetite does not shape behaviour, it is not functioning as governance.

It is functioning as documentation.


The Declared Appetite Gap

Many Organisations Have Two Risk Appetites

🚨 Many organisations have two risk appetites. The one approved by the board and the one expressed through behaviour.

The first appetite is the one approved by the board.

The second appetite is the one expressed through everyday decisions.

These are often not the same thing.

A hospital may formally declare:

  • patient safety comes first
  • workforce wellbeing matters
  • quality is non-negotiable

Yet operationally reward:

  • increasing activity
  • reducing costs
  • expanding services despite workforce shortages
  • maintaining performance targets at all costs

🚨 The system eventually follows what it rewards, not what it declares.

Over time, the organisation follows the appetite embedded in incentives rather than the appetite described in governance documents.

🚨 Organisations rarely become what they say they value. They become what they repeatedly incentivise.

The system begins expressing a different appetite from the one leaders believe they are governing.

This creates what ISI describes as the Declared Appetite Gap.

The gap between:

Declared Appetite

What leaders say they value.

Operational Appetite

What the system actually rewards.

🚨 The greatest governance risk is often not excessive risk-taking. It is unrecognised risk-taking.

The governance challenge is not:

What appetite has the board approved?

The governance challenge is:

What appetite is the organisation expressing through behaviour?

🚨 The most important risk appetite document may not be the one sitting in the board papers. It may be the one embedded in daily decisions.


The Three Domains Of Governance Integration

Effective boards ensure that risk appetite is embedded across three interconnected domains.


1. Context: Framing The System

Context determines what is realistically possible.

Boards must ensure that:

  • organisational goals are realistic within risk boundaries
  • external constraints are understood
  • operating models remain viable under expected stress

In healthcare this means understanding:

  • workforce shortages
  • regulatory obligations
  • funding constraints
  • demand volatility
  • patient safety thresholds

At this stage risk appetite determines what is feasible, not merely what is desirable.


2. Strategy: Making Choices Under Uncertainty

Strategy is fundamentally a process of selecting among competing alternatives.

Boards must continually test:

  • whether objectives align with risk appetite
  • whether the organisation is taking the right risks
  • whether plausible failure scenarios have been considered
  • whether resilience has been adequately protected

This aligns with established strategy literature that views strategy as a set of integrated choices made under uncertainty (Porter 1985; Martin 2013).

In healthcare these choices frequently involve tensions such as:

  • growth versus workforce capacity
  • efficiency versus safety margins
  • innovation versus operational reliability

🚨 Every decision to remove a safety margin is a risk appetite decision.

🚨 Every decision to stretch workforce capacity is a risk appetite decision.

🚨 Every decision to pursue growth despite operational strain is a risk appetite decision.

These are not simply management decisions.

They are risk appetite decisions.

🚨 Healthcare boards do not simply govern financial performance. They govern the conditions under which patients receive care.


3. Execution: Translating Intent Into Reality

Execution is where governance either holds or fails.

Boards must ensure that:

  • structures reinforce risk boundaries
  • escalation pathways remain functional
  • performance systems support stated priorities
  • frontline behaviours reflect declared values

This is where the distinction between declared appetite and operational appetite becomes visible.

Research consistently demonstrates that quality and safety failures rarely occur because policy is absent.

They occur because governance intent becomes disconnected from operational reality (Bismark et al. 2014; Jones et al. 2017).


Signal Integrity: The Missing Link In Risk Appetite Governance

Most discussions of risk appetite focus on:

  • controls
  • metrics
  • reporting
  • thresholds

The more important question is:

How does the board know whether the organisation is actually operating within its appetite?

🚨 Risk appetite cannot function without signal integrity.

Boards do not govern reality directly.

🚨 Boards do not govern reality. They govern representations of reality.

If signals become distorted:

  • incidents are hidden
  • near misses disappear
  • escalation weakens
  • concerns are filtered
  • dashboards remain reassuring

then risk appetite becomes largely theoretical.

🚨 If signals are distorted, risk appetite becomes fiction.

Leaders may believe the organisation remains within appetite.

Meanwhile the system may have drifted far beyond it.

🚨 A board cannot govern risks it cannot accurately see.

🚨 The most dangerous dashboards are not the red ones. They are the green ones hiding deteriorating reality.

🚨 When reassurance becomes easier to report than reality, governance starts failing.


Culture Is How Risk Appetite Becomes Visible

The World Health Organization recognises patient safety as a product of systems, behaviours and environments that reduce risk and harm (WHO 2021).

🚨 Culture is how risk appetite becomes visible.

Culture influences:

  • whether concerns are raised
  • whether near misses are reported
  • whether escalation occurs early
  • whether truth reaches decision-makers

🚨 A declared appetite means little if the culture punishes people for reporting risk.

🚨 The true test of risk appetite is not what leaders say. It is what employees believe will happen when they speak up.

Without psychological safety, risk indicators become lagging indicators.

Reporting becomes curated.

Boards receive reassurance rather than reality.

🚨 If people are afraid to escalate risk, the organisation has already developed an appetite for delayed visibility.

The organisation may appear stable while underlying risk accumulates.

This is why culture is not separate from risk appetite.

Culture is the mechanism through which risk appetite becomes visible.


Risk Appetite Is Really About Consequences

One of the most important governance insights is that risk appetite is not simply a statement about tolerated risk.

🚨 Risk appetite is not a statement about tolerated risk. It is a statement about tolerated consequences.

Every strategic decision implicitly answers questions such as:

  • How much workforce strain is acceptable?
  • How much uncertainty is acceptable?
  • How much safety margin can be removed?
  • How much operational fragility is acceptable?
  • How much reputational damage can be absorbed?

🚨 Every board decision answers a question about what consequences the organisation is willing to absorb.

Boards may never ask these questions explicitly.

Yet organisational decisions answer them continuously.

🚨 Risk appetite ultimately becomes a statement about organisational identity.

🚨 Show me your risk appetite and I will show you the organisation you are becoming.


Failure Patterns When Appetite Is Not Integrated

Consistent governance failures emerge when appetite remains disconnected from strategy.

Misaligned Context

  • unrealistic ambition
  • fragile operating models
  • underestimated constraints

Distorted Strategy

  • objectives disconnected from capability
  • inadequate scenario testing
  • unmanaged uncertainty

Failed Execution

  • escalation delays
  • behavioural inconsistency
  • incentives overriding priorities

Cultural Suppression

  • under-reporting
  • delayed visibility of harm
  • filtered information flows

🚨 Failure is rarely sudden. It is usually progressive, visible and predictable.

These patterns appear repeatedly across healthcare inquiries, regulatory reviews and safety research.


ISI Interpretation: Governing Decision Integrity

The deeper governance challenge is not governing risk.

It is governing decision integrity across a complex system.

🚨 Boards do not govern outcomes. They govern the conditions that make outcomes more or less likely.

Context defines framing.

Strategy defines choice.

Implementation defines behaviour.

Risk appetite defines constraint.

Signal integrity determines visibility.

🚨 Context shapes decisions. Decisions shape behaviour. Behaviour shapes outcomes. Risk appetite shapes all three.

When these elements align, organisations become capable of:

  • resilient strategy
  • safe execution
  • adaptive response
  • sustainable performance

When they do not align, failure often begins long before the first visible incident.

🚨 Governance failure rarely begins with catastrophe. It begins with small decisions drifting beyond declared appetite.


Conclusion

Risk appetite is not an adjunct to strategy.

It is the invisible architecture beneath it.

For healthcare systems, where strategic decisions directly influence patient safety, workforce sustainability and public trust, this distinction is fundamental.

Boards that treat risk appetite as a compliance document will struggle to govern outcomes.

🚨 Boards that treat risk appetite as a document govern compliance. Boards that treat it as a design constraint govern reality.

Because the most important question is not:

What risk appetite has the board approved?

It is:

What risk appetite is the organisation actually expressing through its decisions, behaviours and culture?

🚨 The governance challenge is not what risk appetite the board has approved.

🚨 The governance challenge is what risk appetite the organisation is actually expressing through its decisions, behaviours and culture.

🚨 The future of an organisation is often visible in the risks it repeatedly chooses not to see.


References (Harvard Style)

Australian Institute of Company Directors (AICD) 2026, Risk and Strategy, AICD, Sydney.

Bismark, MM, Studdert, DM, Walter, SJ & Mello, MM 2014, ‘Governance of quality of care: a qualitative study of health service boards in Victoria, Australia’, BMJ Quality & Safety, vol. 23, no. 6, pp. 474–482.

COSO 2017, Enterprise Risk Management: Integrating with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, Durham, NC.

Institute of Risk Management (IRM) 2020, Risk Appetite and Tolerance: Guidance Paper, IRM, London.

Jones, L, Pomeroy, L, Robert, G, Burnett, S, Anderson, JE, Fulop, NJ, Maben, J & Morrow, E 2017, ‘How do hospital boards govern for quality improvement?’, BMJ Quality & Safety, vol. 26, no. 12, pp. 978–986.

Kaplan, RS & Mikes, A 2012, ‘Managing risks: a new framework’, Harvard Business Review, vol. 90, no. 6, pp. 48–60.

Martin, RL 2013, Playing to Win: How Strategy Really Works, Harvard Business Review Press, Boston.

OECD 2020, System Governance Towards Improved Patient Safety, OECD Health Working Paper No. 120, OECD, Paris.

Porter, ME 1985, Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, New York.

Reason, J 1997, Managing the Risks of Organisational Accidents, Ashgate Publishing, Aldershot.

Weick, KE & Sutcliffe, KM 2015, Managing the Unexpected: Sustained Performance in a Complex World, 3rd edn, John Wiley & Sons, Hoboken, NJ.

World Health Organization (WHO) 2021, Global Patient Safety Action Plan 2021–2030, WHO, Geneva.
