10 Mistakes to Avoid in Defining Risk Appetite for a Solid Risk-Based Approach

In the world of Anti-Money Laundering, risk appetite is the amount of Money Laundering (ML), Terrorism Financing (TF), and other financial crime risk you are willing to take as a part of your business strategy. Businesses adopt a risk-based approach to counter ML/TF risks and prioritise resources. This article highlights the top 10 mistakes to avoid in defining risk appetite for a solid risk-based approach.

The business world is dynamic. It changes every moment. There are new opportunities to explore. And there are emerging risks that you need to be wary of.

Similarly, criminals are exploring new ways of committing financial crimes. There are new avenues for money laundering, terrorism financing, and similar crimes. It requires you to prepare your business to prevent, manage, or eliminate these risks. You can do this when you know your risk appetite.

There is no universal standard of ML/TF risk appetite. It differs from entity to entity. Also, the risk appetite can change at different stages of an entity’s lifecycle.

Defining ML/TF risk appetite is crucial for risk identification, assessment, and management. Once you know how much risk you are willing to take, you can determine the strategies to tackle it. So, identify your risk appetite in a clear, comprehensive way. Avoid the most common mistakes businesses make while doing so.

If you take too many risks, you might compromise compliance requirements. If you play too safe, your growth might stagnate. So, it would be best to strike a fine balance between the two to decide your risk appetite.

We list the common missteps businesses in India take while identifying their risk appetite. You must dodge these pitfalls to enable a successful risk management framework. But before this, we give you more details on why risk appetite is significant for any entity in India.

What is Risk Appetite

It is best to define ML/TF risk appetite as the amount and type of risk an entity is willing to take on in pursuit of its goals and objectives.

Difference between Risk Appetite and Risk Tolerance

Risk Appetite differs from risk tolerance in the sense that it’s an umbrella term defining the philosophy behind the overall risk management efforts. In contrast, risk tolerance is the level of risk that an entity is willing to take per individual risk.

The Importance of Defining Risk Appetite Statement

Risk appetite is the amount of risk you are prepared to accept to realise your objectives. It is your risk-taking philosophy. It displays your attitude and outlook on risk-taking. It is the uncertainty that you are ready to bear pursuing your business goals.

The risk appetite statement defines your willingness to accept risk. It determines the various risks you are ready to take and the ones you don’t accept. It helps you adopt the risk-based approach.

By defining your risk appetite, you guide your risk management process. You can understand, manage, and mitigate money laundering risks properly. Thus, you can limit the scope of financial crimes and illegal activities in your business.

Risk Appetite Statement is the formal way to communicate the entity’s stand on accepting risks. You can determine what opportunities to explore despite the risk and what prospects to reject owing to higher risks. This means risk appetite gives you a solid base to analyse trade-off decisions. Thus, your strategic discussions, decisions, and actions get a better direction.

It is also a great way to manage resource allocation. Moreover, you can determine your business’s technology needs based on the risk appetite statement. Thus, it helps you plan for your business’s future requirements.

Your AML control measures depend on your risk appetite definition. It structures your brainstorming and discussions on AML programs. As a result, you have more information while designing the AML framework, leading to greater efficacy.

10 Critical Lapses while Defining Risk Appetite of the Entity

While identifying and defining your business’s risk appetite, avoid making the following mistakes:

1. Making it a theoretical exercise and ignoring the practical implication

You understand the importance of identifying risk appetite. It is crucial for your risk management and AML policy development.

So, do not make the mistake of treating it only as a theoretical exercise. It is not a bureaucratic process. Use it where necessary. It is a critical part of your AML journey, so you must analyse its practical implications. You must consider all the aspects of your business and identify your risk appetite.

Your risk appetite definition must be a part of your risk management planning. It must feature in your plans for defining AML procedures, policies, and controls. So, you must take it seriously and focus completely on it.

2. Focusing only on the qualitative or quantitative aspects of risk appetite

For some of you, defining risk appetite means writing a statement and abiding by it. It says that you are ready to accept these various risks and avert the other risks. Qualitatively, it sounds straightforward.

For some other businesses, it is a quantitative exercise. You list the various risks and the percentage of acceptability. Yes, it takes time and requires calculation and analysis. Also, it is challenging to get accurate numbers or percentages.

No one is wrong here. Both are correct. You must have qualitative and quantitative definitions for better understanding across the organisation. Take a holistic approach to defining risk in words and numbers to better understand the risk appetite.

3. Lack of 360-degree view in the identification of risk appetite

It’s essential to consider every team’s viewpoint before defining risk appetite. Whether you are the top management executive, risk manager, or AML compliance officer, only one person’s outlook is insufficient to define risk appetite. You must hold discussions with the internal stakeholders to understand and define their perspectives.

The top management’s view is needed to understand the company’s long-term goals; they know the strategic plans, actions to take, and yearly goals. They can assess what objectives are necessary to achieve while managing the risks.

An AML compliance officer’s perspective is essential to understand the money laundering scenario. They can comprehend the legal requirements, AML trends, emerging risks, and your business’s possible AML controls. They know better what risks are acceptable and what are not bearable in your AML journey.

Also, you need inputs from all teams to get a 360-degree view of the risk appetite. The risk appetite might be partial and incomplete without such a holistic view. It won’t serve the purpose of risk management, making you more susceptible to money laundering threats.

4. Copying Risk Appetite from a peer organisation or a competitor

Give risk appetite the importance it deserves. For this, stop thinking of your risk appetite as the same as a similar company’s in the market. That’s not possible. Even if two entities are similar in size, sector, products/services, and business model, their risk appetites aren’t the same.

A one-size-fits-all approach does not work in the case of risk appetite. It is specific and unique for every entity. So do not copy-paste the risk appetite from another entity. If you make a general risk appetite statement, your employees will not accept it. So, customise it to ensure the possible management, mitigation, and prevention of risks.

Conduct your own research. Interview your internal stakeholders. Understand your business model, growth trajectory, and objectives. Based on this analysis, identify how much risk you are willing to take for your business’s journey.

5. Too technical, inconsistent language, or complex words

You are defining the risk appetite for your organisation. Your employees, team members, and management will need to refer to it for their decisions and strategies. So, try to write the risk appetite statement in entity-fitting language. This means the language commonly used in your business operations.

Don’t fill it with jargon. Too many technical words will not be comprehensible for some of the employees. Also, the use of acronyms will make it incoherent. So, make it simple, unambiguous, and less technical. All your employees must be able to interpret it easily for use in decision-making.

Also, keep the terminology for risk appetite and related measures consistent. You must use similar language in risk management programs, AML policies, and due diligence measures. Such consistency enables better understanding and clarity of the entity’s risk philosophy.

6. Neglecting negatives over positives or vice versa while defining risk appetite

Risk appetite covers your risk philosophy. And it will include both – the positives and the negatives. But if you ignore one over the other or forget to include both aspects, your risk appetite definition is incomplete.

It means you must consider the opportunities that risk-taking offers. Obviously, when you accept some risks, you will get returns. You can explore more business prospects, expand to new markets, acquire new customer segments, or take any other action.

You must also not ignore the downside risks, which means the threats. Analyse the effects of such potential threats before defining the risk appetite. So, keep a fine balance between the two to ensure you do not suffer later.

7. A static, rigid approach to risk appetite identification

Industries are evolving. The world and Indian economies are changing. So, the risks are also fluctuating and new risks are coming up. Even organisations’ regulatory landscape is transforming.

Amid all these changes, your risk appetite definition must also change. You can’t keep it as before. It must reflect the changes in the following factors:

  • Macroeconomic environment
  • Regulations
  • Stakeholders’ feedback
  • Emerging risks
  • Trends in business verticals
  • Delivery Channels
  • New business opportunities
  • Demand-supply in market
  • Geographies
  • Products/Services offered
  • Type of customers served

So, you must review your risk appetite at regular intervals. You must go through it to see if it reflects the changes in the business context. If not, update it. You can set it as an annual exercise to evaluate it so that you can incorporate changes based on internal and external business evolution.

8. Absence of acceptability of the risk appetite by the internal stakeholders

If new employees join your company, but their thoughts are not aligned with your vision/goals, their efforts will be questionable. Similarly, implementation would be challenging if the internal stakeholders do not align with the risk appetite statement.

So, get the acceptability of all internal stakeholders on the risk appetite. They must accept it. The employees must be ready to undergo training on managing this risk appetite. They must know how the risk appetite affects decision-making and the best actions to take.

Also, the senior management must set the tone. This means it must ensure that employees accept the risk appetite and work with it to achieve business objectives. That is why it is crucial to identify risk appetite in coordination with all departments. The senior management must ensure an appropriate risk culture is set and acted upon.

9. Disregarding risk exposure, priorities, and tolerance

You cannot ignore risk probability while determining risk appetite. You can determine the exposure once you know the likelihood of various risks. Risk exposure knowledge helps you analyse the impact of various risks. You can determine your risk priorities based on this information on risk exposure and impact.

You must also know your risk tolerance (how much extra risk you are ready to take after your risk appetite). These cultural factors of your business help you better understand your risk appetite.

Now, since you know your boundaries, priorities, and tolerance levels, you can define the risk appetite. Thus, ignoring any one factor can lead to incorrect definitions. And correct identification of risk appetite enables you to achieve your long-term strategic goals.

10. Not integrating risk appetite with decision-making

So, you define your risk appetite in simple words. It is the result of a qualitative and quantitative exercise. It considers all your business aspects and is acceptable to all internal stakeholders. This means you avoid all the above mistakes and are happy with your risk appetite.

But, then? What if your decisions still lack risk consideration? What if you make strategies without deliberating over your risk appetite? This means it is not serving the purpose.

Use it in your decision-making. For example, when analysing whether to “go or no go” for an alternative, consider your risk appetite. When deciding whether to onboard a high-risk customer, consider your risk appetite. Evaluate what option is within your risk appetite and what you can handle. Ignore the option that is out of your risk appetite limits. Thus, it can be a point of comparison between various decision alternatives.


Thus, these common lapses can occur when identifying and defining risk appetite. You must be extra cautious to avoid falling into such traps. Try to avoid these errors to have a clear, comprehensive risk appetite statement. Once you have this, you can expect a smooth risk management and mitigation ride.

Benefits of partnership with AML India

AML India is the right partner for any of your AML compliance needs. We help clients follow the mandatory provisions of AML laws on time. Our consultants design the most fitting AML measures for your business. Our service offerings include:

  • Business risk assessment
  • Documentation of AML policies, procedures, and controls
  • Setting up the AML compliance department
  • Conducting AML training for employees
  • Guidance on AML software selection
  • AML audits and health checks

So, for any AML need of yours, we have the appropriate solution to ensure compliance.

About the Author

Pathik Shah


Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.