Enterprise risk management programs have an ambitious governance goal: identifying, evaluating and managing all the risks facing an organization.
To do so effectively, enterprise risk management (ERM) programs must have a consistent process for determining the types of risk facing an organization, the level of risk each type poses and how they relate to the maximum risk the organization is willing to accept.
As the people involved in ERM programs undertake these evaluations of risk exposure, they use two important and related terms: risk appetite and risk tolerance.
While risk appetite and risk tolerance are related, they represent two different ways that risk managers can describe the risk attitude of their organization. Let's look at each term as well as how they relate to and differ from each other.
What is risk appetite?
Risk appetite is best described as the amount and type of risk a company is willing to accept in pursuit of its objectives. Organizations recognize that they can't remove all risk from their business operations. We live in a world full of risks. Achieving business goals requires accepting some risks while mitigating, avoiding or transferring others.
The task facing ERM programs is determining which risks fit within the organization's risk appetite and which require additional controls before they're acceptable. You can think of an organization's risk appetite as a ceiling on residual risk -- the maximum risk the organization will accept after controls are put in place. Some frameworks, including COSO's ERM framework, use the separate term risk capacity for the maximum amount of risk the organization is able to absorb at all; an organization's risk appetite should always sit at or below that capacity.
What is risk tolerance?
Risk tolerance is the amount of deviation from an organization's risk appetite that it is willing to accept. While risk appetite is a broad, strategic statement that guides the organization's risk management efforts as a whole, risk tolerance is a much more tactical concept: it identifies the risk associated with a specific initiative and compares it to the organization's risk appetite. You can think of an organization's risk tolerance for a specific initiative as the boundary around its appetite, that is, how far the residual risk remaining after all relevant controls are in place may stray from the stated appetite before the initiative is sent back for additional risk treatment.
Understanding the relationship between risk appetite and risk tolerance
An organization determines its risk appetite as part of a strategic effort to understand and manage risks. It determines risk tolerance on a case-by-case basis as it evaluates the specific risks associated with a given initiative.
One way to understand this relationship is to think of the risks associated with fast driving. Governments around the world recognize that fast drivers create a level of risk to all other drivers on the road. The faster a motorist drives, the more risk is created. To control this risk, governments set speed limits. The lower the speed limit, the lower the risk to motorists.
However, lower speed limits also inhibit the flow of traffic, preventing vehicles from quickly reaching their destinations. Governments must balance these concerns and determine the appropriate rate of speed for different types of roads. Speed limits are, therefore, statements of the government's risk appetite.
On highways today, however, many drivers exceed the posted speed limits. Police officers charged with enforcing these limits usually let motorists do so as long as they aren't traveling at speeds far beyond the posted limit. A police officer patrolling a road with a 70-mph limit might, for example, decide to only pull over vehicles traveling faster than 80 mph. This is an example of risk tolerance: The officer, presumably with the approval of superiors and government officials, is willing to tolerate deviations of up to 10 mph from the posted speed limit.
Examples of risk appetite and risk tolerance statements
While speed limits are an excellent conceptual example for describing risk management considerations, in practice, most of the risk decisions made by organizations are not so easily quantified. Instead, they rely on subjective evaluations of risk made by business leaders in consultation with subject matter experts. These evaluations and decisions are documented in statements of the organization's risk appetite and risk tolerance. Wherever a risk can be measured, the tolerance statement should carry a concrete threshold, such as a maximum acceptable financial loss or number of records exposed, so that deviation from the appetite can be monitored rather than argued over after the fact.
For example, an ERM committee might make the following statement about the organization's risk appetite.
Our organization understands that there are risks inherent in our business and that taking risks is a prerequisite to achieving our strategic objectives. Our enterprise risk management program methodically evaluates risks using a cost/benefit approach and determines appropriate risk treatment strategies. As an organization, we have a low appetite for risks that involve the possible loss of personally identifiable information about our customers and employees and a moderate appetite for risks that involve the potential for financial losses or cybersecurity breaches that do not involve PII but may impact other business objectives.
The ERM committee might extend this risk appetite statement to include all of the different types of risk facing the organization, and then use it to craft more specific risk tolerance statements about individual business initiatives under consideration.
For example, the committee might find that a project is within the organization's risk appetite and issue a statement such as the following.
The ERM committee evaluated the risk of implementing project X and determined that it has a low probability of exposing PII. It is, therefore, within our risk tolerance.
But another project might exceed the organization's risk tolerance. In that case, the ERM committee might require the project team to revisit the relevant risks and implement new controls to mitigate, avoid or transfer the risk, bringing the project to an acceptable risk level. The risk tolerance statement for that project might read like this.
The ERM committee evaluated the risk of implementing project Y and determined that it would create a situation of high financial risk that is outside our risk tolerance. Controls must be put in place to mitigate this risk to an acceptable level prior to initiating this project.
Identifying and documenting risk appetite is a crucial step on an organization's road toward a mature risk management process. The risk appetite provides a yardstick for the consistent measurement and evaluation of risks and paves the way for using associated risk tolerance statements to guide future risk mitigation work.