
What is risk appetite?

Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value. It can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been implemented.

Risk tolerance, by contrast, is the amount of deviation from its risk appetite that an organization is willing to accept to achieve a specific objective, based on parameters that include industry and vertical standards.

Organizations can use risk appetite to determine the amount of risk they are taking to pursue their goals, but investors can also use it to determine how much financial gain or loss they are willing to accept. A risk appetite framework is typically represented by a written document that describes an organization's risk-based decisions. The risk appetite statement is how an organization informs its staff and stakeholders of its risk appetite. Risk appetite is a key part of an effective risk management process.

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be influenced by the following factors:

  • The organization's culture.
  • The organization's industry.
  • The organization's competitors.
  • Types of initiatives the organization pursues.
  • The organization's current industry position and financial strength.
  • The organization's goals and business objectives.
  • Stakeholder expectations.
  • Economic and political environment.

Risk tolerance is subject to the same factors that determine risk appetite. However, the amount of risk tolerance an organization accepts can vary, depending on factors such as the nature of a project, its time frame and the experience level of the people involved. Risk tolerance can change over time as industry standards, regulations and accepted practices change.

Image of a speedometer representing risk appetite at 0-70 mph; risk tolerance at 70-80 mph; and unacceptable risk 80 mph and above.
Risk appetite is the capacity for risk, while risk tolerance is the risk taken after deviating from the risk appetite.

Determining your risk appetite

Organizations can determine their risk appetite by considering the following parameters:

  • Business objectives. This identifies the organization's immediate and long-term goals and values based on internal and external factors, such as culture and market conditions.
  • Risk assessment. This includes identifying potential threats to the organization, assessing the likelihood of these risks occurring and determining which risks are most critical. This also includes examining the organization's history of risk-taking and past actions.
  • Risk capacity and exposure. This measures the potential for loss from a specific event and establishes the maximum amount of risk the organization can realistically withstand without jeopardizing its financial or long-term goals.
  • Analysis of long-term objectives. This tracks the organization's risk levels and performance against its long-term objectives to ensure the risk appetite statement is relevant and current.

Three levels of risk appetite, described in terms of tolerance, are also commonly used when discussing investment risk appetite: conservative, moderate and aggressive.

Conservative risk

A conservative risk appetite avoids anything that carries large amounts of risk. Investors with conservative approaches avoid any potential areas of risk. For an organization, this could mean projects involving sensitive or mission-critical data, or government contract work. A cautious risk management level is needed for this approach.

Moderate risk

Moderate risk involves weighing the potential benefits of security measures against the level of risk involved. Investors with a moderate risk tolerance accept some level of risk while specifying an acceptable percentage of losses. This level of risk appetite is adopted by organizations that are not open to taking many risks and have mitigation strategies in place in case of a disaster.

Aggressive risk

Investors who are willing to risk revenue for the potential of greater profits adopt an aggressive, high-risk, high-reward approach. For an organization, this could mean taking on a job that requires a large upfront investment but could provide a large profit upon completion.

Risks can also be thought of as inherent and residual. Inherent risk refers to the risks taken to achieve an objective, while residual risk refers to the remaining level of risk after the project's development and implementation. Any risks that remain after efforts to identify and eliminate all other risks are considered residual.

An image showing a funnel in which inherent risks are fed in and become controls and residual risks.
Inherent risk is the risk taken to achieve an objective, while residual risk is the remaining level of risk after development and implementation.

How to write a risk appetite statement

Organizations can build a risk appetite framework by creating a document that helps guide their organizational risk management activities.

This document should ideally include risk-taking approaches, risk mitigation topics, and implemented and planned risk avoidance measures. It should also be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices.

The following considerations should be examined before writing a risk appetite statement:

  • Include all necessary stakeholders and analyze the risks to strategic objectives, tactics, operations and compliance.
  • Create a diverse group of key stakeholders to include different perspectives on the organization's risk appetite.
  • Consider the organizational culture and overall focus regarding risk tolerance and risk appetite in specific scenarios and within the industry.
  • Note any risk that threatens the organization's efforts to achieve its goals and prepare mitigation strategies to address these risks.
  • Define the acceptable level of uncertainty or volatility in any risk appetite statements and decisions.
  • Ensure the risk appetite statement is applicable to the organization as a whole or emphasize where or how precisely it applies.
  • Include a summary and make the document accessible so it can be read by any relevant parties.

Risk appetite examples

Risk appetite varies by industry, with some highly regulated fields being more conservative versus other industries that take a more moderate approach to risk. The following are examples of risk appetite from different industries:

  • Healthcare. Healthcare organizations are traditionally conservative or risk-averse because they focus on critical areas of patient safety and data security. They have a legal obligation to protect sensitive patient information under regulations such as the Health Insurance Portability and Accountability Act. However, healthcare organizations that are doing research and development might be willing to take moderate risks to pursue innovative treatments.
  • Financial services. Industries such as finance tend to be conservative because of legal and compliance issues. However, banks might have a higher risk appetite for emerging markets but a lower appetite for real estate.
  • Technology. Technology innovation is often driven by organizations willing to take more aggressive risks. However, evolving cyberattacks, data breaches and the ethical implications of AI and machine learning have made some companies more risk-averse.
  • Manufacturing. Manufacturing companies often balance their risk appetite with the needs of current vs. future production. For example, they might have a higher risk appetite for new technologies to improve efficiency but a more conservative risk appetite for disruptors, such as supply chain management or cybersecurity threats.

Overall, an organization's risk appetite should focus on what the organization is willing to do in pursuit of its objectives, keeping environmental and cultural factors in mind.
