In the field of risk management, and particularly cybersecurity risk management, there is often confusion about the definitions that accompany several risk-related terms. Not only do many information security specialists use these terms interchangeably (think risk vs. threat vs. vulnerability); even when the terms are used correctly, important distinctions can be missed.
Two of these often confused terms are especially important: risk appetite and risk tolerance. They have two very different meanings. Ultimately, any confusion between the two can lead to a number of errors in your risk management framework.
In this article we’ll first clearly define risk appetite and describe how it can be applied to a risk appetite framework. Then we’ll introduce risk tolerance so you can better understand how it differs from risk appetite. Armed with this information, your organization will be better positioned to construct a more precise risk management framework that’s free from confusion.
Risk Appetite vs. Risk Tolerance
According to the Institute of Internal Auditors (IIA), “risk appetite” and “risk tolerance” both set boundaries of how much risk an entity is prepared to accept. There are, however, a few important differences between risk appetite and risk tolerance.
A risk appetite is a statement that broadly considers the levels of risk-taking that management deems acceptable. Risk tolerance is more narrowly defined; it sets the acceptable level of variation for performance goals intended to achieve strategic objectives.
Put simply, risk appetite is the general level of risk a company accepts while pursuing its business objectives, before it decides to take any action to reduce that risk – its risk capacity, so to speak. Risk tolerance, on the other hand, is the aggregate degree of variance from its risk appetite that the organization is willing to tolerate.
Speed on a highway is one example that can explain the difference between risk appetite and risk tolerance, according to the FAIR Institute, a non-profit organization that aims to advance the discipline of measuring and managing information risk.
A state department of transportation sets a speed limit for its major highway. This can be considered comparable to risk appetite; it indicates what the department’s executives believe is an appropriate balance between traffic flow, highway and environmental wear-and-tear, and public safety (among other things). Most drivers, however, will travel at speeds somewhat higher or lower than the actual speed limit rather than obey the exact speed limit. The point at which law enforcement starts to ticket speeders can be viewed as analogous to risk tolerance.
Further, given normal weather and other conditions, law enforcement officials rarely enforce the limit exactly. Consequently, risk appetite can be defined as a boundary line that sets expectations, while risk tolerance can be viewed as the variance from that appetite that drives day-to-day decisions to operate differently in some way, according to the FAIR Institute.
While this example is useful for distinguishing between risk appetite and risk tolerance in a more tangible way, we should also dive deeper to understand some of the nuances that come with each term.
Risk appetite relates to a company’s longer-term strategy of what it wants to achieve and the allocation of resources available to achieve it, expressed in quantitative metrics. An organization’s risk appetite indicates the amount of risk it’s willing to accept to attain its business objectives.
For example, a payment processor might be focused on retail, but as part of its enterprise risk management strategy, it might be investigating whether to move into the healthcare industry. If as part of its enterprise risk management strategy, the organization decides it wants to accept the compliance risks associated with the Health Insurance Portability and Accountability Act (HIPAA), then it has set its risk appetite.
Deciding how much risk to accept is the key to effective risk management. The goal of risk management, and particularly enterprise risk management, is to provide the entire organization with the insights necessary for decision-making that’s based on an executive-approved risk appetite statement.
A risk appetite statement is a written document that explains an organization’s risk decisions. A risk appetite statement lets a company inform its internal and external stakeholders of its risk appetite. A well-developed risk appetite statement helps an organization better manage and understand its risk exposure and enables executives to make more informed decisions based on a more complete risk profile. A company-wide risk appetite statement can be used to give direction to the organization’s risk culture, including its compliance program.
A risk appetite statement expresses the corporate attitude toward risk in qualitative or quantitative metrics, or both. In the public sector, commonly used qualitative expressions of risk appetite include risk-neutral, risk-averse, and risk-seeking. Qualitative risk appetite statements are typically linked to operational and financial performance measures.
Your organization’s different risk tolerances will develop naturally from your company’s overall risk appetite, but those risk tolerances also need to be aligned with your organization’s business objectives. When each risk tolerance is aligned with a company’s overall risk appetite and strategic goals, it will help the company better achieve those goals. To better facilitate this alignment, it’s important to understand how a risk appetite framework can help.
Risk Appetite Framework
Even with a risk appetite statement, connecting it to your organization’s business strategies and risk limits can be challenging. First, it can be difficult to align your organization’s business objectives with the actual processes set forth in risk management.
Typically the board of directors will develop the overall risk appetite for your organization and ensure that a governance process is in place so that the organization doesn’t take unacceptable risks for the sake of profit. At the same time, senior management is usually responsible for developing and implementing a specific process that aligns business strategies and risk management with the board’s risk appetite statement.
To be successful, your board of directors and senior management will need to work together closely to develop a single risk appetite framework that accomplishes the goals mentioned above.
The tenets of a robust risk appetite framework include:
- A comprehensive risk identification process;
- A wide-ranging risk calibration process;
- A risk measurement and management structure that supports and reinforces the risk appetite statement.
Ultimately, the goal of an effective risk appetite framework is to link your organization’s risk appetite statement to meaningful risk limits. Establishing a framework that is integrated, transparent, measurable, and actionable is (and will continue to be) a critical component of business success.
Risk tolerance sets the acceptable minimum and maximum variation levels for a company, business unit, individual initiative, or specific risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organization’s risk management strategy, and is then approved by leadership.
A high risk tolerance means that an organization is willing to take on a high level of risk, while a low risk tolerance means that the company isn’t willing to accept many risks. Many factors affect a company’s risk tolerance. For instance, a company may be willing to tolerate more risk on a critical project but not on a project that’s less important (and other companies might take the opposite approach).
An organization that operates outside its risk tolerance limits can jeopardize the achievement of its objectives and perhaps even the whole enterprise itself.
To articulate its risk tolerance, a company has to identify the outcome measures of its main objectives, such as customer satisfaction, and then decide the range of outcomes – both above and below its target outcome – that it could accept for each objective.
Both risk appetite and risk tolerance vary on a number of factors, including (but not limited to):
- your organization’s industry;
- your company’s culture;
- any competitors;
- the nature of the business objectives you pursue; and
- the financial strength and capabilities of your organization.
It’s also important to understand that risk appetite and risk tolerance are likely to change over time. For this reason, you should assess risks on a periodic basis or continuously, depending on the circumstances, available resources, skills, technologies or systems.
Accomplishing the goals that come with establishing risk appetite and risk tolerance can be overwhelming, and it’s one of the reasons why many organizations choose to forgo the risk management process altogether. That’s unwise. A robust risk management program is quickly becoming a necessity for all organizations as we move into the age of digital transformation.
The work involved in risk governance isn’t easy, especially if you’re reliant on antiquated methods to achieve actionable results. If your organization still uses spreadsheets for the majority of its risk management processes, it’s time to make a change.
Fortunately, there are solutions designed to help.
Manage Risks with the Reciprocity ROAR Platform
Implementing a risk management process can be difficult for many reasons. It’s expensive, time consuming, and resource intensive, to name a few. Between risk identification and risk assessment alone, your organization will need to consider all the different types of risk assessments and determine which is best for your organization.
Add to that the numerous risk methodologies in compliance; the potential reputational, operational and financial risks associated with a security incident; and the rapidly increasing number of cyber threats – and quite suddenly, risk management can seem almost unattainable.
To stay ahead of compliance requirements, repercussions, and ever-evolving risks, you need a solution that can help you better manage your risks and mitigate business exposure by providing you with greater visibility across your organization.
The Reciprocity ROAR Platform, which underpins Reciprocity ZenRisk and Reciprocity ZenComply, gives you the power to be more strategic with IT risk management by putting your business activities front and center. Discover a modern way to manage your risk posture with the Reciprocity ROAR Platform, giving you the ability to understand and act on your IT and cyber risks, all in a single unified platform.
With an incredibly intuitive user experience paired with in-application expert guidance, you can assess, manage, and communicate risks and their potential business impact. Using AI, the relationships between assets, controls and risks are automatically created, alerting you to changes in your risk posture and making it simple to grow and manage your risk programs. With dashboards and reports that provide contextual insights, it’s easier to communicate with key stakeholders and make informed business decisions with the Reciprocity ROAR platform.
Become more strategic with your IT risk management and talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization confidently manage risks and compliance.