Enterprise risk management programs have an ambitious governance goal: identifying, evaluating and managing all of the risks facing an organization.
In order to provide effective risk management, enterprise risk management (ERM) programs must have a consistent process for determining the types of risk facing an organization, the level of risk each type poses, and how they relate to the maximum risk the organization is willing to accept.
As ERM programs undertake these evaluations of their actual risk exposure, they use two important and related terms: risk appetite and risk tolerance.
While risk appetite and risk tolerance are related, they represent two different ways that risk managers can describe the risk attitude of their organization. Let's take a look at each term and then how they relate to each other.
What is risk appetite?
Risk appetite is best described as the amount and types of risk an organization is willing to accept in pursuit of its objectives. Organizations recognize that they cannot remove all risks from their business. We exist in a world full of risks; achieving our business goals requires accepting some of those risks while taking actions to mitigate, avoid or transfer other risks.
The task facing an ERM program is determining which risks fall within the organization's risk appetite and which require additional controls before they can be accepted. Risk appetite is not the same thing as risk capacity. Capacity is the maximum amount of risk the organization can absorb without jeopardizing its solvency or mission; appetite is the amount of risk it chooses to take on, and it should sit within capacity. In practical terms, the risk appetite sets the ceiling on the residual risk the organization will accept after controls are put in place.
What is risk tolerance?
Risk tolerance is the acceptable deviation from an organization's risk appetite. While risk appetite is a broad, strategic statement that guides the organization's overall risk management efforts, risk tolerance is a much more tactical concept: it measures the risk associated with a specific initiative and compares it to the organization's risk appetite. You can think of an organization's risk tolerance for a specific initiative as its willingness to accept the residual risk that remains after all relevant controls are in place, within the bounds set by the broader risk appetite.
Understanding the relationship between risk appetite and risk tolerance
An organization determines its risk appetite as part of a strategic effort to understand and manage risks. It determines risk tolerance on a case-by-case basis as it evaluates the specific risks associated with a given initiative.
One way to help understand this relationship is to think of the risks associated with fast driving. Governments around the world recognize that fast drivers create a level of risk to all other drivers on the road and create speed limits designed to control this risk. The faster a motorist drives, the more risk is created, so the lower the speed limit, the lower the degree of overall risk to motorists. However, lower speed limits also inhibit the flow of traffic, preventing vehicles from quickly reaching their destinations. Governments must balance these concerns and determine the appropriate rate of speed for different types of roads. Speed limits are, therefore, statements of the government's risk appetite.
On today's roads, however, most drivers exceed the posted speed limits. Police officers charged with enforcing these limits generally recognize this and usually allow motorists to exceed the posted speed, only pulling over vehicles traveling far beyond the posted speed limit. A police officer patrolling a road with a 70-mph limit might, for example, decide that they are only going to pull over vehicles traveling at 80 mph or faster. This is an example of risk tolerance: The officer is willing to tolerate deviations of up to 10 mph from the posted speed limit.
Examples of risk appetite and risk tolerance statements
While speed limits are an excellent conceptual example for describing risk management, in practice, most of the risk decisions made by today's organizations are not so easily quantified. Instead, they rely upon relatively subjective evaluations of risk made by business leaders in consultation with subject matter experts. They document these evaluations and decisions in statements of the organization's risk appetite and risk tolerance. Where a risk can be measured, it is worth expressing the tolerance as a concrete threshold (for example, a maximum acceptable financial loss from a single incident or a maximum number of days a critical vulnerability may remain unpatched), because a measurable tolerance can be monitored and enforced in much the same way as a speed limit.
For example, an ERM committee might make the following statement about the organization's risk appetite:
Our organization understands that there are risks inherent in our business and that taking risks is a necessary prerequisite to achieving our strategic objectives. Our enterprise risk management program methodically evaluates risks using a cost/benefit approach and determines appropriate risk treatment strategies. As an organization, we have a low appetite for risks that involve the possible loss of personally identifiable information (PII) about our customers and employees and a moderate appetite for risks that involve the potential for financial losses or cybersecurity breaches that do not involve PII but may impact other business objectives.
They might extend this statement to include all of the different types of risk facing the organization. The ERM committee might then use this statement of the organization's risk appetite to craft more specific risk tolerance statements about initiatives under consideration.
For example, a committee might find that a project is within the organization's risk appetite and make a statement such as:
The ERM committee evaluated the risk of implementing project X and determined that it has a low likelihood of resulting in the loss of PII and is, therefore, within our risk tolerance.
On the other hand, a project might exceed the organization's risk tolerance. In those cases, the ERM committee might suggest that the project team revisit the relevant risks and implement new controls to mitigate, avoid or transfer the risk in order to bring the project to an acceptable risk level. In such a case, the risk tolerance statement might read:
The ERM committee evaluated the risk of implementing project Y and determined that the project would create a situation of high financial risk that is outside our risk tolerance. Controls must be put in place to mitigate this risk to an acceptable level prior to initiating this project.
Identifying and documenting risk appetite is a crucial step on an organization's path toward a mature risk management process. The risk appetite provides a yardstick for the consistent measurement and evaluation of risks and paves the way for using risk tolerance statements to guide future work.