Risk appetite in health and safety is not a slogan about zero harm. It is a board-level decision about how much exposure the organisation is prepared to carry in pursuit of its objectives and how that sits within legal duty and operational capacity.
Risk tolerance defines the measurable limits within that appetite. When either is misunderstood, governance weakens and exposure increases.
What Is Risk Appetite in Health and Safety?
Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives.
In health and safety, this is not about accepting harm. It is about defining the boundaries within which decisions are made under pressure.
A risk appetite statement should:
Clarify exposure expectations
Align with strategy
Reflect operational reality
Sit within legal duty under HSWA 2015
Without clarity, appetite becomes performative.
Risk Appetite vs Risk Tolerance in Health and Safety
Risk appetite defines the overall boundary.
Risk tolerance defines the measurable limits within that boundary.
Example:
Risk appetite may state the organisation will not accept uncontrolled exposure to fatal risk.
Risk tolerance defines the measurable conditions under which high-risk work may proceed, such as:
Permit controls in place
Competency verified
Supervision levels defined
Environmental constraints met
Confusing these terms leads to drift.
And drift creates exposure.
The “Zero Harm” Trap
In facilitated workshops, boards often default to:
“Zero harm.”
The intent is honourable.
The consequence is often unexamined.
In one recent case, a board had set risk tolerance to “low” across all known hazards. Every category. No differentiation.
The result:
Unrealistic thresholds
Operational inconsistency
Legal exposure
No prioritisation
Business as usual
No one understood what “low” actually meant in practice.
When examined, the organisation was not meeting its own declared standard. There were no clear improvement priorities. No resource allocation shift.
Once the distinction between appetite, tolerance, and legal duty was clarified, direction changed immediately.
Resourcing shifted.
Critical risks were identified.
Leadership alignment improved.
Good intention without risk literacy is dangerous.
When Risk Appetite Overrides Legal Duty
Under HSWA 2015, PCBUs must eliminate or minimise risks so far as reasonably practicable.
Risk appetite does not override that duty.
Yet I have seen leaders assume:
“If our tolerance is high, we can defer this control.”
That is incorrect.
If a control is reasonably practicable and available, it must be implemented regardless of appetite.
When appetite is misused to delay control implementation:
Management becomes disempowered
Controls drift
Exposure increases silently
Appetite guides decision-making within legal boundaries. It does not redefine them.
What Happens When Risk Appetite Is Undefined
When risk appetite is vague or mis-set:
Resource flows to visible issues, not critical exposure
Board reports focus on housekeeping, not fatal risk
Practitioners become reactive
Executive confidence increases while actual control weakens
I have seen inspection reports filled with:
Test and tag findings
Sign-in breaches
Minor housekeeping issues
While critical risks such as:
Work at height
Driving exposure
Hot works
Excavation
Fatigue
Overlapping PCBU coordination
Received less scrutiny.
Undefined appetite creates misplaced comfort.
A Workshop Reality Check
In multiple board sessions, I have asked each director individually:
“What are our top five risks?”
Answers vary dramatically.
Driving overlooked.
Psychosocial exposure missed.
Routine high-risk work normalised.
The moment the inconsistency becomes visible, the room changes.
That discomfort is productive.
Alignment only begins once language and thresholds are shared.
Until then, reporting cannot drive prioritisation.
Operating Within Appetite but Beyond Capacity
One organisation had performed “well” on paper for years.
Requests for:
Incident investigation training
External review
Audit investment
Were declined because everything was “under control.”
A significant event exposed the gap.
They were within their stated appetite.
They were beyond their capacity.
Emergency preparedness gaps surfaced.
Knowledge deficits became visible.
Board proximity to frontline risk had eroded.
Since intervention:
Annual internal audits are embedded
External ISO 45001 audits occur
The H&S Manager has additional support
The H&S Committee has defined governance linkage
Capacity now matches declared appetite.
How Risk Appetite Connects to S.A.F.E.T.Y.™
Risk appetite lives primarily in:
S – Strategy
A – Accountability
Without strategic clarity, appetite becomes reactive.
Without accountability, tolerance is not enforced.
F.E.E.D.™ ensures reporting informs appetite recalibration.
G.A.P.E.™ ensures leaders remain proximate enough to see whether declared appetite matches operational exposure.
Risk appetite is not a document.
It is a governance behaviour.
Developing a Risk Appetite Framework in Health and Safety
A practical approach includes:
Clarify strategic objectives
Identify critical risks
Define measurable tolerances
Test against legal duty
Validate against operational capacity
Embed into board reporting
Without capacity validation, appetite statements become fiction.
Frequently Asked Questions
What is risk appetite in health and safety?
Risk appetite in health and safety is the amount and type of risk an organisation is willing to accept in pursuit of strategic objectives within legal duty boundaries.
What is the difference between risk appetite and risk tolerance?
Risk appetite sets the overall boundary of acceptable exposure. Risk tolerance defines the measurable limits within that boundary for specific risks or activities.
Can risk appetite override HSWA obligations?
No. Legal duty under HSWA 2015 requires elimination or minimisation of risk so far as reasonably practicable regardless of declared appetite.
What happens if risk tolerance is set too low?
Unrealistic thresholds create operational inconsistency and legal exposure because the organisation may not meet its own declared standards.
What happens if risk tolerance is set too high?
Controls may be deferred, critical risks under-prioritised, and leadership confidence may exceed actual capability.
Executive Diagnostic
Ask each board member privately:
What are our top five safety risks?
What is our tolerance threshold for each?
How do we verify we are operating within tolerance?
If answers vary widely, appetite clarity is insufficient.
If you are responsible for governance and risk oversight and want clarity on whether your declared appetite reflects operational reality, begin with a structured conversation.
The Compliance Compass™ provides independent insight into your governance, risk alignment, and diminishing exposure profile.
Safety is not paperwork.
It is leadership under pressure.
About the Author
Matt Jones is a HASANZ-registered health and safety consultant and founder of Advanced Safety. He advises directors, executives and senior leaders on governance accountability risk leadership maturity and the design of safety systems that hold under pressure.
He developed the S.A.F.E.T.Y.™, F.E.E.D.™ and G.A.P.E.™ frameworks to help organisations move from reactive compliance to intentional system design, strengthening clarity, ownership, feedback loops and control across high-risk environments.







