Most organisations have a risk appetite statement, typically embedded in the enterprise risk framework, approved by the board, and reviewed annually. It often includes well-crafted phrases like, ‘We have no risk appetite for non-compliance’.
But here’s the uncomfortable truth: your risk appetite isn’t what you say it is; it’s what you tolerate.
The Risk Appetite Mirage
On paper, your organisation might have zero tolerance for financial crime. It might state that certain high-risk clients are outside your risk appetite or that you’re not comfortable operating in jurisdictions with unstable regulatory environments.
But what happens in practice?
- You keep that profitable high-risk client because they’re a “strategic relationship”.
- You approve the third-party partnership without fully vetting their AML/CTF program, bowing to pressure to hit growth targets.
- You ignore the less important red flags on a transaction because no one wants to hold up a VIP.
And just like that, your true risk appetite is exposed: not by the well-crafted statement, but by the decisions made when the stakes are high and the pressure is on.
The real challenge is bridging the gap between what is declared and what is practiced. This is where organisational culture plays a defining role.
Culture Eats Risk Appetite for Breakfast
Risk appetite statements often focus on what the organisation is willing to accept. But the harder questions are:
- Who makes the decisions when things aren’t black and white?
- How are those decisions made?
If your leaders reward short-term wins and turn a blind eye to ‘minor’ policy breaches, or there is pushback on your exit recommendation for that ‘high-value customer’ with more red flags than a Formula 1 race weekend in Melbourne, your risk appetite is already skewed—no matter what the document says.
Tone from the top is critical when it comes to risk appetite. But policies alone don’t dictate risk culture; everyday behaviours do. This disconnect is where risk appetite silently shifts, one unchallenged decision at a time.
- If frontline staff are afraid to escalate issues because they don’t want to be labelled as blockers, your risk appetite drifts toward ‘see no evil’.
- If a financial crime analyst receives a call from an executive questioning the risk rating, or the recent SMR on a high-value customer, it effectively overrides the documented appetite, shaping the real appetite in the minds of those handling these decisions daily.
Your culture determines your actual risk tolerance. The tone from the top, middle, and even informal influencers defines the edges of acceptable risk. If middle management remains silent, who will challenge an executive deviating from policy without an approved exception?
The opposite is also true. If your leaders role-model the documented risk appetite, support a proactive ‘speak up’ culture, and integrate risk management into everyday decision-making, there’s a fair chance your risk appetite and your organisational culture are in check.
A Living Conversation, Not a Dead Document
Too often, risk appetite is treated as a compliance box to tick, not a conversation to have.
But it’s in these conversations that real clarity emerges:
- When a deal gets escalated because it’s right on the edge—who’s in the room and who gets a vote?
- When a whistleblower speaks up, what happens next? Are they protected?
- When a regulator asks, “Why did you take that risk?”—are you ready to answer?
An effective risk appetite isn’t a line in the sand. It’s a shared understanding, constantly evolving as the business changes.
Three Ways to Find Out Your Real Risk Appetite
If you’re serious about understanding your true risk appetite, start here:
1. Look at What You’ve Walked Past
- What breaches, incidents, or near misses have been tolerated or quietly managed away in the last 12 months?
- What does that say about your risk threshold?
2. Examine Who Has the Final Say
- Are risk decisions made by the right people, or are commercial pressures overriding risk and compliance voices?
- Does risk have a seat at the table, or is it an afterthought?
3. Test the Edges in Real Time
Set up scenario discussions with leadership:
- Would we launch a new product in that market without adequate controls in place?
- Would we maintain a high-value client who refused to provide source of wealth verification?
- What is our breaking point?
Discussions such as these will quickly reveal the grey areas, and whether everyone is truly on the same page.
Conclusion: If You Want to Know Your Appetite, Look in the Mirror
If you see a gap between your documented risk appetite and the risks your business actually tolerates, what will you do today to close it? Risk appetite isn’t just a statement; it’s a lived reality. Start the conversation, challenge misalignment, and make sure what’s on paper reflects the decisions you make when it matters most.
You can have the best risk appetite statement in the industry. You can have frameworks, heatmaps, and dashboards. But none of them matter if your culture, leadership, and decision-making aren’t aligned.
In the end, your risk appetite isn’t what you say—it’s what you tolerate. And what you tolerate is what you inevitably become.
At Platinum AML, we help our clients navigate these grey areas to make informed and confident decisions that balance compliance with commercial reality. If you’d like to discuss how your business can ensure risk appetite is more than just words on a page, we’d be happy to have a conversation.
