Risk appetite statements in corporate policies - how detailed should they be?

The risk appetite cascade should flow from strategic to operational. Board-level appetite is typically qualitative ("We have low tolerance for regulatory breaches"). Policy-level appetite should be more specific and actionable ("All regulatory submissions must be reviewed by Compliance before filing"). The key is translating high-level appetite into practical boundaries. For critical policies, include specific thresholds or limits where appropriate (e.g., approval levels, tolerance percentages). Avoid making policies so rigid they can't adapt to business needs.