
Risk appetite vs. risk tolerance: How are they different?


Examples of risk appetite and risk tolerance statements

While speed limits are an excellent conceptual example for describing risk management, in practice, most of the risk decisions made

For example, an ERM committee might make the following statement about the organization’s risk appetite:

Our organization understands that there are risks inherent in our business and that taking risks is a necessary prerequisite to achieving our strategic objectives. Our enterprise risk management program methodically evaluates risks using a cost/benefit approach and determines appropriate risk treatment strategies. As an organization, we have a low appetite for risks that involve the possible loss of personally identifiable information (PII) about our customers and employees and a moderate appetite for risks that involve the potential for financial losses or cybersecurity breaches that do not involve PII but may impact other business objectives.

They might extend this statement to include all of the different types of risk facing the organization. The ERM committee might then use this statement of the organization’s risk appetite to craft more specific risk tolerance statements about initiatives under consideration. 

For example, a committee might find that a project is within the organization’s risk appetite and make a statement such as:

The ERM committee evaluated the risk of implementing project X and determined that it has a low probability of creating the potential loss of PII and is, therefore, within our risk tolerance.

On the other hand, a project might exceed the organization’s risk tolerance. In those cases, the ERM committee might suggest that the project team revisit the relevant risks and implement new controls to mitigate, avoid or transfer the risk in order to bring the project to an acceptable risk level. In such a case, the risk tolerance statement might read:

The ERM committee evaluated the risk of implementing project Y and determined that the project would create a situation of high financial risk that is outside our risk tolerance. Controls must be put in place to mitigate this risk to an acceptable level prior to initiating this project. 

Identifying and documenting risk appetite is a crucial step in an organization’s road toward a mature risk management process. The risk appetite provides a yardstick for the consistent measurement and evaluation of risks and paves the way for using risk tolerance statements to better guide future work.