ISO Guide 73:2009 establishes a set of definitions for risk management in organizations. It defines risk appetite as “the amount and type of risk that an organization is willing to pursue or retain.”
The concept refers to the acceptable level of risk within an enterprise risk management structure, understanding that risks are a fundamental part of any business process. That acceptable level of risk (whatever it may be) results from an analysis of the organization’s operating environment and the risk-reward trade-offs present in that landscape. Knowing your risk appetite is essential to building a risk management system that supports the company’s objectives and is endorsed by the board of directors.
Another definition in ISO Guide 73:2009 is risk tolerance. Risk tolerance is defined as “the organization’s readiness to bear a risk after risk treatment, to achieve the organization’s objectives.” Or, put another way, risk tolerance is the range of acceptable outcomes related to a desired performance result.
Risk appetite and risk tolerance are closely related, but remain distinct concepts. Risk appetite is a general corporate governance policy, while risk tolerance is a range of acceptable outcomes specific to each business objective.
Speed limits are a good example of how the two concepts relate to each other. While roads have a speed limit set according to the evaluation of different variables (risk appetite), the agencies in charge of enforcing speed limits do not implement the laws with such precision. Instead, they allow officers a certain degree of flexibility before fining the offender (risk tolerance).
Risk appetite and risk tolerance are concepts crucial to enterprise risk management (ERM). In addition, they’re also strongly related to corporate compliance – and to a large extent, they depend on corporate compliance. Why?
What Does Risk Appetite Mean in Compliance?
The board of directors is responsible for setting a company’s risk appetite and risk tolerance. This includes risks related to regulatory compliance, and it means that the company’s risk appetite and tolerance will guide the policies and procedures used in the company’s compliance program.
For example, the board may set a very low tolerance level for compliance risks. That would translate into an extremely small range of acceptable outcomes for compliance objectives such as “screen all third parties for security weaknesses before engaging with them” or “train all employees on cybersecurity practices every quarter.” The permissible failure rate for both of those goals would be quite low, perhaps even zero.
Determining My Risk Appetite for Compliance
This risk appetite is embedded into the company’s compliance structure through a “risk appetite statement,” understood as the organization’s consensus on the acceptable levels of risk to meet the company’s strategic objectives.
This statement is the core of the risk appetite framework. It will guide decision-makers in selecting objectives that will provide the largest benefits to the company while posing the least odds for failure or other adverse outcomes (regulatory enforcement, lawsuits, bad press, and the like).
For example, a company with a low appetite for risk might avoid using an innovative IT system with low testing time and little technical support. Meanwhile, a financial institution with a high-risk appetite in credit risks may approve a loan that has a high interest rate but also a high chance of not being repaid.
Risk appetite statements should be developed in a segmented manner: a risk statement defining a high-level approach to risk appetite, and then a series of more specific risk appetite statements according to the different areas of interest.
For each risk area, it is necessary to consider the impact, probability of occurrence, and severity for each particular risk. Each internal risk manager or owner is enabled to evaluate the threats against the risk appetite statement relevant to them.
These documents should include a description of the objectives and goals as a basis for assessing the related risks and to keep team members focused. Unlike other corporate documents, risk appetite statements should serve as a guide and be as concise as possible.
Critical metrics should also be included to identify the risk scale used and the acceptable risk level, so that everyone on a risk management team has the same information. That said, no metric remains set in stone forever; companies need to evaluate this threshold periodically to adjust it to their current environment.
Reduce Risks & Ensure Compliance with ZenGRC
ZenGRC is a compliance, risk management, and governance tool that can assist you in implementing and monitoring your risk management framework and remediation efforts.
ZenGRC has a user-friendly interface to help you prioritize duties, so everyone understands what to do and when to do it. The workflow tagging feature allows you to assign risk assessment analysis, mitigation operations tasks, and evaluate pending activities.
When audit time comes, ZenGRC’s audit-trail document repository is a “single source of truth” that lets you rapidly obtain the proof of data you need. ZenGRC can help you manage the complete lifecycle of all your relevant compliance frameworks, including PCI, ISO, HIPAA, and others.
Contact us for a free consultation and get started on the path to worry-free risk and compliance management.