In the field of risk management, and particularly cybersecurity risk management, confusion often arises about the definitions of several risk-related terms. Not only do many information security specialists use these terms interchangeably (risk versus threat versus vulnerability, for example); even when the terms are used correctly, important distinctions can be missed.
Two of these often confused terms are especially important: risk appetite and risk tolerance. The two phrases mean very different things, and confusion between them can lead to several serious flaws in your approach to risk management.
In this article we’ll first define risk appetite and describe how it can be applied to a risk framework. Then we’ll explain risk tolerance so you can better understand how it differs from risk appetite. Armed with this information, your organization will be better positioned to construct a more precise risk management framework that’s free from confusion.
Risk Appetite vs. Risk Tolerance
According to the Institute of Internal Auditors (IIA), “risk appetite” and “risk tolerance” both set boundaries for the degree of risk an organization is prepared to accept. There are, however, a few important differences between the two terms.
Risk appetite describes the level of risk-taking that management deems acceptable in an organization’s daily activities. Risk tolerance is more precise; it sets the acceptable level of variation from performance goals intended to achieve strategic objectives.
Put another way, risk appetite is the general level of risk a company accepts while pursuing its business objectives before it decides to take any action to reduce that risk — the organization’s risk capacity, so to speak. Risk tolerance is the aggregate degree of variance from that risk appetite that the organization is willing to tolerate.
For example, consider speed on a highway. State transportation officials will designate a speed limit for the highway, which is analogous to a risk appetite; the speed limit indicates what the department believes is the correct balance among traffic flow, highway and environmental wear-and-tear, and public safety (among other factors).
Most drivers, however, will travel at speeds somewhat higher or lower than that posted speed limit. The point at which law enforcement starts to ticket speeders can be viewed as the state’s risk tolerance for driving on the highway. (After all, under normal weather and other conditions, law enforcement officials rarely enforce the exact speed limit for all cars on the road. But under severe weather conditions that might cause more accidents, or on a weekend night during a drunk driving crackdown, officers might.)
Consequently, risk appetite can be defined as a boundary line that sets expectations, while risk tolerance is the allowable variance from that appetite within which day-to-day strategic decisions may depart from it.
While this example is useful for distinguishing between risk appetite and risk tolerance in a more tangible way, we should also dive deeper to understand some of the nuances that come with each term.
Risk Appetite
Risk appetite relates to a company’s longer-term strategy of what it wants to achieve and the allocation of resources to achieve those goals. An organization’s risk appetite indicates the amount of risk it’s willing to accept to meet its business objectives.
For example, a payment processor might be focused on retail, but as part of its long-term growth strategy, it might investigate whether to move into the healthcare industry. If, as part of that growth strategy, the organization decides it wants to accept the compliance risks associated with the Health Insurance Portability and Accountability Act (HIPAA), then it has set its risk appetite.
Deciding how much risk to accept is the key to effective risk management. The goal of risk management, and particularly enterprise risk management, is to provide the entire organization with the insights necessary for decision-making based on an executive-approved risk appetite statement.
A risk appetite statement is a written document that explains an organization’s risk decisions. A risk appetite statement lets a company inform its internal and external stakeholders of its risk appetite. A well-developed risk appetite statement helps an organization better manage and understand its risk exposure and enables executives to make more informed decisions based on a more complete risk profile. A company-wide risk appetite statement can be used to give direction to the organization’s risk culture, including its compliance program.
A risk appetite statement expresses the corporate attitude toward risk in qualitative or quantitative metrics (or both). In the public sector, qualitative expressions of risk appetite can include “risk-neutral,” “risk-averse,” and “risk-seeking.” Qualitative risk appetite statements are typically linked to operational and financial performance measures.
Your organization’s risk tolerances will develop naturally from your company’s overall risk appetite, but those risk tolerances also need to be aligned with your organization’s business objectives. When each risk tolerance is aligned with a company’s overall risk appetite and strategic goals, that helps the company to better achieve those goals.
To facilitate this alignment, it’s important to understand how a risk appetite framework can help.
Risk Appetite Framework
Even with a risk appetite statement, connecting risk appetite to your organization’s business strategies and risk limits can be challenging. For starters, it can be difficult to align your organization’s business objectives with the actual processes set forth in risk management.
Typically the board of directors will develop the overall risk appetite for your organization and ensure that a governance process is in place to prevent the organization from taking unacceptable risks for the sake of profit. At the same time, senior management is usually responsible for developing and implementing a specific process that aligns business strategies and risk management with the board members’ risk appetite statement.
To be successful, your board of directors and senior management will need to work together closely to develop a single risk appetite framework that accomplishes the goals mentioned above. The tenets of a robust risk appetite framework include:
- A comprehensive risk identification process;
- A wide-ranging risk calibration process;
- A risk measurement and management structure that supports and reinforces the risk appetite statement.
Ultimately, the goal of an effective risk appetite framework is to link your organization’s risk appetite statement to meaningful risk limits. Establishing a framework that is integrated, transparent, measurable, and actionable is (and will continue to be) a critical component of business success.
Risk Tolerance
Risk tolerance sets the acceptable minimum and maximum variation levels for a company, business unit, individual initiative, or specific risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organization’s risk management strategy, and is then approved by leadership. High risk tolerance means that an organization is willing to take lots of risk, while low risk tolerance means the company isn’t.
Many factors can affect a company’s risk tolerance. For instance, a company may be willing to tolerate more risks on a critical project, but it may not want to take many risks on a project that’s not very important. Other companies might take the opposite approach. An organization that operates outside its risk tolerance limits can jeopardize the achievement of its objectives and perhaps even the whole enterprise itself.
To articulate its risk tolerance, a company has to identify the outcome measures of its main objectives, such as customer satisfaction; and then decide the range of outcomes — both above and below its target outcome — that it would accept for each objective.
Both risk appetite and risk tolerance depend on a number of factors, including (but not limited to):
- Your organization’s industry;
- Your company’s culture;
- What your competitors are doing;
- The nature of the business objectives you pursue; and
- The financial strength and capabilities of your organization.
It’s also important to understand that risk appetite and risk tolerance are likely to change over time. For this reason, you should assess risks on a regular basis or even continuously, depending on the circumstances, available resources, skills, technologies, or systems.
Accomplishing the goals that come along with establishing risk appetite and risk tolerance can be overwhelming, and it’s one of the reasons why many organizations choose to forgo the risk management process altogether. That’s unwise. A robust risk management program is quickly becoming a necessity for all organizations as we move into the age of digital transformation.
The work involved in risk governance isn’t easy, especially if you’re reliant on antiquated methods to achieve actionable results. If your organization still uses spreadsheets for the majority of its risk management processes, it’s time to make a change.
Types of Risk Tolerance
On a scale from low to high, organizations can have these levels of risk tolerance:
Conservative risk tolerance
Organizations dealing with government contracts, sensitive information, or any data that attracts cyber criminals typically want conservative or lower risk tolerance levels, and must adopt a more cautious approach to risk management. Examples of such organizations include defense contractors, hospitals, and financial firms.
Moderate risk tolerance
Organizations with moderate risk tolerance generally aren’t as open to taking risks as those with aggressive risk tolerance. When assessing risks, leaders should weigh the potential benefits of security measures against the level of risk involved, and devise mitigation strategies accordingly to reduce the impact or probability of associated risks.
Aggressive risk tolerance
Organizations with aggressive or higher risk tolerance have greater flexibility in their cybersecurity measures. This doesn’t mean they can outright ignore risk management; instead, leaders have more discretion in deciding where the highest level of protection is needed.
Organizations with more control over where funds are allocated can reduce costs significantly over time. Companies with low data processing and storage requirements, such as a construction firm or a janitorial service, have higher risk tolerance.
What Is Risk Capacity?
Risk capacity is the total risk an organization needs to take to accomplish its long-term and short-term goals. Your organization’s risk capacity is determined by a combination of factors, including company finances, risk experience, and overall risk tolerance.
Contrary to popular belief, risk capacity is not the same as risk tolerance. The latter is the level of risk you’re willing to take to achieve specific goals. The former is the risk you need to take to meet objectives.
Finding the right balance between risk capacity and risk tolerance is critical. Get this right and you can meet organizational and financial goals without subjecting your company to unnecessary threats.
Manage Risks With the ZenGRC Pro Platform
Implementing a risk management process can be difficult for many reasons. It’s expensive, time-consuming, and resource intensive, to name a few. Between risk identification and risk assessment alone, your organization will need to consider all the different types of risk assessments and determine which is best for your organization.
Add to that the numerous risk methodologies in compliance; the potential reputational, operational risks and financial risks associated with a security incident; and the rapidly increasing number of cyber threats — and quite suddenly, effective risk management can seem impossible.
To stay ahead of compliance requirements, repercussions, and ever-evolving risks, you need a solution that can help you better manage your risks and mitigate business exposure by providing you with greater visibility across your organization.
The ZenGRC Pro Platform gives you the power to be more strategic with IT risk management by putting your business activities front and center. Discover a modern way to manage your risk posture with ZenGRC Pro, giving you the ability to understand and act on your IT and cyber risks, all in a single unified platform.
With an incredibly intuitive user experience and in-application expert guidance, you can assess, manage, and communicate risks and their potential business impact.
Using AI, the relationships among assets, controls, and risks are automatically created, alerting you to changes in your risk posture and making it simple to grow and manage your risk programs. With dashboards and reports that provide contextual insights, it’s easier to communicate with key stakeholders and make informed business decisions with the ZenGRC Pro platform.
Become more strategic with your IT risk management and schedule a demo today to learn more about how ZenGRC can help your organization confidently manage risks and compliance.