Enterprise risk management (ERM) programs are designed to identify, evaluate, and manage all the risks facing an organization. In order to effectively achieve this goal, these programs must have a consistent process for determining the types of risk, the level of risk, and how they relate to the organization’s maximum risk tolerance.
When evaluating risk exposure, risk managers use two important and related terms: risk appetite and risk tolerance. While these terms are related, they represent two different ways that risk managers can describe the risk attitude of their organization.
Risk appetite is best described as the types and levels of risk a company is willing to accept in order to achieve its objectives. Organizations recognize that they cannot eliminate all risks from their business operations. In fact, risks are inherent in all aspects of business. To achieve their goals, organizations must accept some risks while mitigating, avoiding, or transferring others. The task facing ERM programs is to determine which risks fit within the organization’s risk appetite and which require additional controls before they are acceptable. An organization’s risk appetite can be thought of as its risk capacity: the maximum residual risk that the organization will accept after controls are put in place.
On the other hand, risk tolerance is the amount of acceptable deviation from an organization’s risk appetite. While risk appetite is a broad, strategic philosophy that guides an organization’s risk management efforts, risk tolerance is a much more tactical concept that identifies the risk associated with a specific initiative and compares it to the organization’s risk appetite. An organization’s risk tolerance for a specific initiative represents its willingness to accept the risk that remains after all relevant controls are put in place.
An organization determines its risk appetite as part of a strategic effort to understand and manage risks. It determines risk tolerance on a case-by-case basis as it evaluates the specific risks associated with a given initiative. This can be better understood by examining the relationship between risk appetite and risk tolerance in the context of speed limits.
Governments around the world set speed limits as a way to control the risk associated with fast driving. The faster a motorist drives, the more risk is created. Lower speed limits reduce the risk to motorists, but they also inhibit the flow of traffic. Therefore, governments must balance these concerns and determine the appropriate rate of speed for different types of roads. Speed limits can be seen as statements of the government’s risk appetite.
In practice, however, most drivers exceed the posted speed limits. Police officers are responsible for enforcing these limits, but they may tolerate deviations from the posted speed limit within certain bounds. For example, a police officer on a road with a 70-mph speed limit may pull over only vehicles traveling at 80 mph or faster. This demonstrates risk tolerance: the officer is willing to accept deviations of up to 10 mph from the posted speed limit.
While speed limits provide a conceptual example of risk management considerations, in practice, most risk decisions made by organizations are not easily quantified. Instead, organizations rely on subjective evaluations of risk made by business leaders in consultation with subject matter experts. These evaluations and decisions are documented in statements of the organization’s risk tolerance and risk appetite.
For example, an ERM committee might make a statement about the organization’s risk appetite, acknowledging the risks inherent in their business and their low appetite for risks involving the loss of personally identifiable information (PII) but moderate appetite for financial losses or cybersecurity breaches that do not involve PII. The committee might then extend this risk appetite statement to include all different types of risk facing the organization and use it to craft more specific risk tolerance statements about individual business initiatives.
For some projects, the residual risk may fall within the organization’s risk tolerance, while for others it may exceed that tolerance. In such cases, the ERM committee may recommend revisiting the relevant risks and implementing new controls to mitigate, avoid, or transfer the risk until it reaches an acceptable level. Identifying and documenting risk appetite is a crucial step in an organization’s journey towards a mature risk management process. It provides a yardstick for measuring and evaluating risks consistently and guides future risk mitigation work.
In conclusion, risk appetite and risk tolerance are essential concepts in enterprise risk management. While risk appetite represents the types of risks that an organization is willing to accept, risk tolerance measures the acceptable deviation from the organization’s risk appetite. Understanding these concepts and their relationship is crucial for managing risks effectively and achieving organizational objectives.