Multimatics Insight

Risk Appetite in Enterprise Risk Management: What’s That and How to Develop It?


Enterprise risk management (ERM) programs must have a consistent process for identifying types of risks that an organization faces, the degree of risks, and how those risks relate to the maximum risk that the organization is willing to take. Risk appetite and risk tolerance are two crucial and related terms that are used by ERM programs when undertaking that process.

Defining Risk Appetite and Risk Tolerance

1. Risk Appetite

Risk appetite is defined as the amount of risk that an organization is willing to accept to achieve its objectives. An organization's risk attitude and readiness to accept risk in particular situations are typically documented in a risk appetite statement that is approved by the board of directors. Each organization has a unique risk appetite that reflects its internal and external circumstances.

Risk appetite helps to make risk-informed decisions. This is crucial as it’s a way to assess the impact of management decisions and to ensure senior management is engaged in driving a risk-informed agenda. If you don’t understand your organization’s risk appetite, then there’s no way to prudently implement controls in line with your organization's goal to manage risk.

2. Risk Tolerance

Risk tolerance is defined as the degree of acceptable deviation from an organization's risk appetite. It is a much more tactical concept: it determines the risk associated with a specific initiative and compares it to the organization's risk appetite. Risk tolerance can also be considered an organization's willingness to tolerate the risk that remains after all controls have been implemented.

The concept of risk tolerance establishes the limits of risk taking that an organization won’t cross in order to achieve its long-term goals. Measures like key risk indicators are used to connect with risk tolerance levels to enable boundary setting, ensuring that the organization stays within its risk appetite and on pace to meet its goals.

Risk Appetite vs. Risk Tolerance

Are risk appetite and risk tolerance different? Yes. They're different but related, and can be seen as "two sides of the same coin". Risk appetite is about "taking risk" and risk tolerance is about "controlling risk". For risk appetite to be adopted successfully in decision making, it must be integrated with the control environment of the organization through risk tolerance. Risk appetite serves as a benchmark for the objective measurement and assessment of risks and paves the way for the use of risk tolerance statements to better direct future work.

How to Develop Risk Appetite

It shouldn't take an excessive amount of time to develop a risk appetite because it’s not an end in itself. Also remember that any discussion of strategy and objectives must come before any indication of risk appetite.

Before developing a risk appetite, organizations should first recall what its purposes are.

The Purposes of Risk Appetite

  • Promote the implementation of Enterprise Risk Management (ERM) throughout the organization
  • Change the way risk discussions are conducted so that risks are effectively identified and managed within the risk appetite
  • Serve as a foundation for additional discussion of risk tolerance

With those purposes in mind, how is a risk appetite developed?

Management and boards frequently use three methods to discuss and develop their risk appetite. Each method is explained below.

1. Facilitated Discussions

After several iterations, management and the board can develop a risk appetite statement that indicates the combined views of their leadership and governance bodies. The facilitators then encourage them to prioritize their goals and risk appetite clearly. When developing risk appetite, those involved should keep the organization’s strategic plan at the forefront.

2. Discussions Related to Objectives and Strategies

The risk appetite that an organization is willing to accept often becomes more evident when management considers its major issues and objectives. An understanding of the current risk appetite can be gained by reviewing and evaluating those matters. This method examines what the perceived risks are in pursuing objectives, enabling management to go the extra mile in discussing the strategies.

3. Development of Performance Model

An organization may model its risk profile as part of developing its risk appetite. This entails taking "bottom-up" risk data and creating models that consider organization-specific risks. In order to discuss how much risk the organization is willing to take, management and the board can compare the overall risk appetite.

Risk appetite is an integral part of an organization's strategy for achieving goals. Most crucially, an organization's commitment to effective Enterprise Risk Management (ERM) begins with the development of its risk appetite.


