
risk appetite

What is risk appetite?

Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.

Risk appetite can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.

Risk tolerance, by contrast, is the amount of deviation from its risk appetite that an organization is willing to accept to achieve a specific objective, based on parameters that include industry and vertical standards.

Organizations can use risk appetite to determine the amount of risk they're taking on in pursuit of their goals. But investors can also use it to determine how much financial gain or loss they're willing to accept. Risk appetite is typically represented by a written document that describes an organization's risk-based decisions. The risk appetite statement is how an organization informs its staff and stakeholders of its risk appetite. Risk appetite is a key part of an effective risk management process.

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be influenced by a wide variety of factors:

  • The organization's culture.
  • The organization's industry.
  • The organization's competitors.
  • Types of initiatives the organization pursues.
  • The organization's current industry position and financial strength.

Risk tolerance is subject to the same factors that determine risk appetite. However, the amount of risk tolerance an organization accepts can vary on a case-by-case basis, depending on factors such as the nature of a project, a project's timeframe and the experience level of the people involved. Risk tolerance can change over time as industry standards, regulations and accepted practices change.

[Figure: meter showing risk appetite vs. risk tolerance. Risk appetite is the capacity for risk, while risk tolerance is the risk taken after deviating from the risk appetite.]

Determining your risk appetite scale

For organizations seeking to determine their risk appetite scale, it's important to consider the probability of a risk and its impact. Once risk probability and impact are used to drive an organization's risk priorities and focus, risk appetite can be evaluated through analysis of the following parameters:

  • Acceptable risk boundaries and actions. What exactly is the organization willing to do within the acceptable risk appetite level?
  • Risk exposure. Based on a desired set of actions and outcomes, does the risk exposure increase, decrease or stay the same? The level of risk exposure influences the risk appetite for any specific project or approach and possibly the overall direction an organization takes.
  • Analysis of long-term objectives. Organizations should ultimately line up risk appetite considerations with their longer-term objectives and where they should be headed to accomplish strategic goals.

Three types of risks described through tolerance levels are also commonly used when talking about risk appetite for investments: conservative, moderate and aggressive.

A conservative risk appetite is concerned with anything that carries a large amount of risk: investors with a conservative approach avoid any such area of risk. For an organization, this could mean projects involving sensitive or mission-critical data and government-contract work. A cautious risk management level is needed for this approach.

A moderate risk appetite weighs the potential benefits of security measures against the level of risk involved. Investors with a moderate risk tolerance accept some level of risk while specifying an acceptable percentage of losses. This level of risk appetite is adopted by organizations that aren't open to taking many risks and that have mitigation strategies in place in case of a disaster.

Investors who want to risk revenue for the chance of greater profit adopt an aggressive risk appetite, a high-risk, high-reward approach to investment. For an organization, this could mean taking on a job that requires a large upfront investment but could yield a large profit on completion.

Risks can also be thought of as inherent and residual. Inherent risk is the risk taken to achieve an objective, while residual risk is the level of risk that remains after the project has been developed and implemented. Any risk that remains after efforts to identify and eliminate all other risks is considered residual.

[Figure: inherent risk and residual risk. Inherent risk is the risk taken to achieve an objective, while residual risk is the remaining level of risk after development and implementation.]
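The following is an added example, not code from the original article, that puts the two ideas above into a small risk register: each risk is rated for probability and impact, the product gives the inherent score, controls reduce the ratings to give the residual score, and the residual score is compared with the appetite statement's per-category limit, with risk tolerance modelled as the extra deviation allowed for a specific objective. The 5-point scales, the additive control model, the category limits and the three sample risks are all constructed assumptions; the page only says to weigh probability against impact and sets no scale.

```python
from dataclasses import dataclass, field

# Constructed 5-point rating scales (an assumption; the page names no scale).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Control:
    """A mitigation. Reductions are points taken off the 1-5 ratings (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str        # the appetite statement sets a limit per category
    likelihood: int      # probability rating, 1 (rare) .. 5 (almost certain)
    impact: int          # impact rating, 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently skew the register.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    def inherent_score(self) -> int:
        """Risk taken in pursuit of the objective, before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk left after controls; a rating never drops below the scale minimum."""
        likelihood = max(SCALE_MIN, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def classify(risk, appetite, tolerance):
    """Compare residual risk with the statement's limits for the risk's category.

    appetite:  category -> maximum residual score accepted as a matter of course
    tolerance: category -> extra points of deviation allowed for a specific objective
    """
    limit = appetite[risk.category]
    residual = risk.residual_score()
    if residual <= limit:
        return "within appetite"
    if residual <= limit + tolerance.get(risk.category, 0):
        return "within tolerance"   # accepted only as a documented exception
    return "exceeds tolerance"      # needs further treatment or must be declined


def review_register(risks, appetite, tolerance):
    """One row per risk: inherent score, residual score and the appetite decision."""
    return [
        {"risk": r.name, "category": r.category,
         "inherent": r.inherent_score(), "residual": r.residual_score(),
         "decision": classify(r, appetite, tolerance)}
        for r in risks
    ]


# Constructed appetite statement: the limits are illustrative, not any real organisation's.
APPETITE = {"data": 4, "financial": 2, "delivery": 9}
TOLERANCE = {"data": 2, "financial": 0, "delivery": 3}

# Constructed register echoing the article's own scenarios (cloud data, upfront investment).
ENCRYPT_AT_REST = Control("encryption at rest", impact_reduction=2)
ACCESS_LOGGING = Control("access logging and review", likelihood_reduction=1)
STAGED_FUNDING = Control("staged funding with go/no-go gates", impact_reduction=1)

REGISTER = [
    Risk("Personal data held at cloud provider", "data", likelihood=3, impact=3,
         controls=[ENCRYPT_AT_REST, ACCESS_LOGGING]),
    Risk("Financial data held at same cloud provider", "financial", likelihood=3, impact=5,
         controls=[ENCRYPT_AT_REST, ACCESS_LOGGING]),
    Risk("Large upfront investment in new contract", "delivery", likelihood=4, impact=4,
         controls=[STAGED_FUNDING]),
]

if __name__ == "__main__":
    for row in review_register(REGISTER, APPETITE, TOLERANCE):
        print(f"{row['risk']:<46} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['decision']}")
```

With these constructed values the personal-data risk lands within appetite (the same controls leave the financial-data risk well above its tighter limit, which is the asymmetry the article's cloud example describes), and the delivery risk is accepted only within tolerance, i.e. as an exception that should be recorded against the statement rather than treated as routine.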

How to write a risk appetite statement

Organizations can express their risk appetite by creating a risk appetite statement, a document that helps guide their organizational risk management activities.

This document should ideally include risk-taking approaches, risk mitigation topics as well as implemented and planned risk avoidance measures. The statement should ideally be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices, which also means it needs to be updated on a regular basis.

To write a risk appetite statement, do the following:

  • Consider and include all necessary stakeholders and analyze the risks to strategic objectives, tactics, operations and compliance.
  • Create a diverse group of key stakeholders to include different perspectives on the organization's risk appetite.
  • Consider the organizational culture and overall focus regarding risk tolerance and risk appetite in specific scenarios and within the industry.
  • Take note of any risk that threatens the organization in its effort to achieve its goals and prepare mitigation strategies to address these risks.
  • Define the acceptable level of uncertainty or volatility in any risk appetite statements and decisions.
  • Ensure the risk appetite statement is applicable to the organization as a whole or emphasize where or how precisely it applies.
  • Include a summary and make the document accessible so it can be read by any relevant parties.

Examples of risk appetite in practice

Some examples of risk appetite include the following:

  • An organization states that it won't accept risks that could result in a significant loss of its data or revenue base. This could, for example, apply to an organization that depends on government-contract work to stay profitable.
  • Organizations might be comfortable with the risk of putting personal data into a cloud environment but are less willing to put financial data into the same cloud based on the provider and other risk factors.

Overall, an organization's risk appetite should focus on what the organization is willing to do in pursuit of its objectives, keeping environmental and cultural factors in mind.


This was last updated in October 2023
