Actually, it is two boundaries.
First, it is the boundary between Management and the Board with regard to risk.
- If risk taking is within the risk appetite, then Management can tell the board about that activity after the fact.
- If risk taking is outside the risk appetite, then Management needs to talk to the board in advance and get agreement with the risk taking plans. (We say outside, rather than above, because for firms in the risk taking business, risk appetite should involve a minimum AND a maximum.)
Second, it is the boundary between everyday risk mitigation practices and extraordinary mitigations.
- Everyday mitigations are the rules for accepting risk (underwriting) and the rules for trimming risk (ALM, hedging and reinsurance)
- Extraordinary mitigations are those special actions that are taken when risk is seen to be out of acceptable bounds (stopping or limiting new risk taking, bulk divestitures or acquisitions of risks, capital raising, etc.)
Firms that struggle with naming their risk appetite might try to think of where these two boundaries lie. And set their risk appetite to be near or even at those boundaries.