Risk Appetite: The Emperor’s New Clothes, Revisited

Written By Stefania Cirignano

Lee Hale’s recent article for Ankura, “The Emperor’s New Clothes: Debunking Financial Crime Risk Appetite Statements,” hits uncomfortably close to home for many in the compliance community. It calls out a familiar truth: That despite years of regulatory encouragement, financial crime risk appetite statements often remain abstract, inconsistent, and disconnected from the reality of day-to-day decision-making. They exist because they have to, not because they work.

Lee highlights three recurring issues.

  • First, that most statements are written in generic language, detached from the specific financial crime risks a firm actually faces.

  • Second, that they are rarely underpinned by measurable data or metrics that make the appetite actionable.

  • And third, that even when well-intentioned, they tend to sit apart from the frameworks that should operationalise them, the Business-Wide Risk Assessment (BWRA), control environment, and governance routines.

It is a persuasive diagnosis. But it also reinforces why we built our alternative BWRA methodology the way we did.

From abstract appetite to actionable thresholds

Our approach starts at the opposite end of the problem. Rather than defining “low, medium, or high” appetite in the abstract, we ground every assessment in specific risk events:

threat actor → threat act → abused process → outcome → victim/beneficiary.

This schema forces clarity, not “we have a low appetite for money laundering,” but “we have a low appetite for onboarding customers through intermediaries without validated beneficial ownership data.” That shift in granularity transforms risk appetite from a slogan into a measurable statement about specific behaviours and controls.

From static statements to dynamic intelligence

Another of Lee’s observations is that appetite frameworks rarely adapt as new intelligence emerges. Our BWRA methodology embeds the intelligence cycle directly into the risk assessment process. External threat data, emerging typologies, and internal incident reports all feed back into the evaluation of inherent risk and control effectiveness.

Appetite isn’t a paragraph in a board paper, it is a living threshold recalibrated as the threat landscape evolves.

From compliance to consequence

Finally, Lee notes that appetite statements often fail because they’re decoupled from consequence. Our model links appetite directly to residual risk scoring at the risk-event level, enabling a transparent dialogue between the board and first line:

  • If residual risk exceeds appetite, why?

  • Is it a function of exposure, control design, or control performance?

  • What are the trade-offs if we tolerate that position?

That linkage between declared appetite and assessed reality makes tolerance visible — and defensible.

The way forward

Lee’s critique is a timely reminder that words alone do not constitute risk management. But it also points toward a solution, move from declarative appetite to diagnostic insight.

Our enhanced BWRA methodology operationalises that shift, turning risk appetite from a statement of intent into a measurable, dynamic, and intelligence-led component of financial crime governance. Because appetite, when properly defined, isn’t about how much risk we can tolerate. It’s about how clearly we understand the risk we already run.

Stefania Cirignano
Previous

Navigating UK financial crime risk challenges for overseas firms
Next

Controls without evidence? Why regulators demand more than good intentions.