risk appetite

What is risk appetite and how is it different from risk tolerance?

Risk appetite is the amount of risk an organization is willing to take in pursuit of objectives it deems have value.

Risk appetite can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.

Risk tolerance, by contrast, is the amount of deviation from its risk appetite that an organization is willing to accept to achieve a specific objective based on parameters that include industry and vertical standards.

Factors that influence risk appetite

Risk appetite, an integral component of enterprise risk management, can be influenced by a wide variety of factors, including the following:

• culture of an organization;
• industry an organization is in;
• competitors;
• types of initiatives pursued; and
• current industry position and/or financial strength.

Risk tolerance is subject to the same wide variety of factors that determine risk appetite. But the amount of risk tolerance an organization accepts can vary on a case-by-case basis, depending on factors that include the nature of a project, a project's timeframe and the experience of the people involved. Risk tolerance can change over time as, for example, industry standards, regulations and accepted practices change.

Determining your risk appetite scale

For organizations seeking to determine their risk appetite scale, it's important to consider the probability of the risk and its impact. Once risk probability and impact are used to drive an organization's risk priorities and focus, risk appetite can be evaluated through analysis of the following parameters:

• Acceptable risk boundaries and actions. What exactly is the organization willing to do within the "acceptable" risk appetite level?
• Risk exposure. Based on a desired set of actions and outcomes, does the risk exposure increase, decrease or stay the same? The level of risk exposure influences the risk appetite for any specific project or approach, and possibly the overall direction an organization takes.
• Analysis of long-term objectives. Organizations should ultimately line up risk appetite considerations with the longer-term objectives of the organization and where it should be headed to accomplish strategic goals.

How to write a risk appetite statement

Organizations sometimes express their risk appetite through the creation of a risk appetite statement, a document that helps guide organizational risk management activities.

This document should ideally include risk-taking approaches and focus, risk mitigation topics, and risk avoidance measures in place and planned. The statement should ideally be based on a review of the perspectives and concerns of all stakeholders and address the implications of current corporate strategies and practices, which also means it will need to be updated on a regular basis.

To write a risk appetite statement, do the following:

• Consider and include all necessary involved stakeholders, and analysis of the risks to strategic objectives, tactics, operations and compliance.
• Consider the organizational culture and overall focus with regard to risk tolerance and risk appetite in specific scenarios and within the industry as a whole.
• Define the acceptable level of uncertainty or volatility in any risk appetite statements and decisions.
• Reconcile risk appetite and risk tolerance with current risk exposure based on existing deployments and assets.
• Ensure the risk appetite statement is applicable to the organization as a whole, or emphasize where/how precisely it will apply.

Examples of risk appetite in practice

There are many examples of risk appetite in practice. They are as follows:

• An organization states that it will not accept risks that could result in a significant loss of its revenue base.
• Organizations may be very comfortable with the risk of putting personal data into a cloud environment but are less willing to put financial data into the same cloud based on the provider and other risk factors.
• Overall, the risk appetite of an organization should be focused on what the organization is willing to do in pursuit of its objectives, keeping environmental and cultural factors in mind.