According to the Institute of Internal Auditors (IIA), both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept, but there is an important difference between risk appetite vs. risk tolerance.

A risk appetite is a higher level statement that broadly considers the levels of risk that management deems acceptable, while risk tolerances are narrower and set the acceptable level of variation around objectives.

Put simply, risk appetite is the general level of risk a company accepts while pursuing its objectives before it decides to take any action to reduce that risk. Risk tolerance, on the other hand, is the degree of variance from its risk appetite that the organization is willing to tolerate.

Speed on a highway can be used as an example to explain the difference between risk appetite and tolerance, according to the FAIR Institute, a non-profit organization that aims to advance the discipline of measuring and managing information risk.

A state department of transportation sets a speed limit for its major highway. This  can be considered comparable to risk appetite and indicates what the department’s executives believe is an appropriate balance between traffic flow, highway and environmental wear-and-tear, and public safety (among other things).

Typically, drivers will travel at speeds that are higher or lower than the actual speed limit rather than exactly at the speed limit. The point at which law enforcement starts to ticket speeders can be viewed as analogous to risk tolerance.

Further, given normal weather and other conditions, law enforcement officials rarely enforce the speed exactly at the limit. Consequently, risk appetite can be considered a line drawn in the sand that helps to set expectations, while risk tolerance can be viewed as the variance from that appetite that drives day-to-day decisions to operate differently in some way, according to the FAIR Institute.

Risk Appetite

Risk appetite pertains to a company’s longer-term strategy of what it needs to achieve and the resources available to achieve it, expressed in quantitative terms. An organization’s risk appetite indicates the amount of risk it’s willing to accept to attain its business objectives.

A payment processor might be focused on retail, for example, but as part of its enterprise risk management strategy, it might be investigating whether to move into the healthcare industry. 

If as part of its enterprise risk management strategy, the organization decides it wants to accept the legal risks associated with the Health Insurance Portability and Accountability Act (HIPAA), then it has set its risk appetite.

Deciding how much risk to accept is the key to effective risk management. The goal of risk management, particularly enterprise risk management, is to provide leadership as well as the entire organization with the insights necessary to make business decisions based on an executive-approved risk appetite statement.

A risk appetite statement is a written document that explains an organization’s risk decisions. A risk appetite statement lets a company inform its internal and external stakeholders of its risk appetite.  A well-developed risk appetite statement helps an organization better manage and understand its risk exposure and enables executives to make informed decisions based on risk. A company-wide risk appetite statement can be used to give direction to the company’s risk or compliance program

A risk appetite statement expresses the corporate attitude toward risk in either qualitative and/or quantitative terms. In the public sector, qualitative expressions of risk appetite that are commonly used include risk-neutral, risk-averse, and risk-seeking. Qualitative risk appetite statements are typically linked to operational and financial performance measures. 

An organization’s different risk tolerances will develop naturally from the company’s overall risk appetite, but those risk tolerances also need to be aligned with the organization’s business objectives. When each risk tolerance is aligned with a company’s overall risk appetite and strategic goals, it will help the company achieve those goals.

Risk Tolerance

Risk tolerance, on the other hand, sets the acceptable minimum and maximum variation levels for a company, business unit, individual initiative, or specific risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organization’s risk management strategy and is then approved by leadership.

High-risk tolerance means that an organization is willing to take a high risk, while low-risk tolerance means that the company isn’t willing to accept many risks.

There are many factors that affect a company’s risk tolerance. For instance, a company may be willing to take more risks on a critical project but it may not want to take many risks on a project that’s not very important.

An organization that operates outside its risk tolerance limits can put its risk management strategy and/or goals and objectives at risk and may even jeopardize the whole organization.

To find its risk tolerance, a company has to identify the outcome measures of its main objectives, such as customer satisfaction, and then decide the range of outcomes—above and below its target outcome—that it could accept for each objective.

For example, an organization that has established a target outcome for its customer satisfaction rating at 92 percent may decide that it can tolerate a range of outcomes that fall between 90 percent and 97 percent.

How to Assess Your Enterprise
Risk Management Maturity