HealthComplianceESGUpdatedMarch 12, 2021

Risk appetite and risk tolerance: what’s the difference?

As any risk professional will tell you, there is sometimes confusion and misunderstanding around terms used in risk management.

If you look up the definition of a risk term by searching on the internet, you may come across multiple definitions. This can be frustrating for people who need to explain risk management concepts within their organization and implement them.

If you are building your risk management framework, you will need to understand and define “Risk Appetite.” If you search on the internet, you will find explanations that define risk appetite as the level of risk an organization can tolerate. Evidently, many professionals use risk appetite and risk tolerance interchangeably. This can lead to errors in your framework because: 1) they are distinct concepts, 2) risk appetite is not just a fancier synonym for risk tolerance, 3) risk tolerance is not well defined, meaning there are different interpretations of what it means.

In this post, we will demystify risk appetite and risk tolerance so you understand both concepts and integrate them in your framework.

Risk appetite is the general level of risk you accept

Determining risk appetite is the first step of risk management because you are establishing the amount of risk you’re willing to “live” with and how much risk you need to manage. Risk appetite is the level of risk an organization is willing to accept while pursuing its objectives, and before any action is determined necessary to reduce the risk. ISO Guide 73:2009 Risk Management – Vocabulary defines risk appetite as the “amount and type of risk that an organization is willing to pursue or retain.” Risk appetite allows organizations to determine how willing they are to take risks (including financial and operational impacts) to innovate in pursuit of objectives.

Risk appetite can vary based on many factors, such as: 1) industry, 2) company culture, 3) competitors, 4) the nature of the objectives pursued (e.g. how aggressive they are), and 5) the financial strength and capabilities of the organization (i.e. the more resources a company has, the more willing it may be to accept risks and the costs associated to them). It’s also worth noting risk appetite can change over time. It’s always good to periodically or continuously assess risks against risk criteria. The cadence of this assessment depends on circumstances, available resources, skills, technologies, or systems.

Risk tolerance is more granular and affects individual risk

To define risk tolerance, we turn to Johannes Swanepoel at Standard Model Partners, a premiere provider of Governance, Risk Management, and Compliance (GRC) products and services.

Swanepoel says risk tolerance and risk appetite are interpreted and used inconsistently between risk management programs, which means researching their definitions gives you only people’s interpretations. Therefore, he uses only terms from the ISO 31000:2009 Risk Management standard because they are included only after rigorous review and consensus by ISO members. While ISO 31000 does not include a definition of risk tolerance or risk appetite,ISO Guide 73:2009 Risk Management – Vocabulary defines risk tolerance as “an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”

In addition, according to COSO’s “Strengthening Enterprise Risk Management for Strategic Advantage,” risk tolerance “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve,” while risk appetite is “a broad-based description of the desired level of risk that an entity will take in pursuit of its mission.”

The relationship between risk tolerance and risk appetite

For Swanepoel, risk tolerance is the level of risk an organization can accept per individual risk, whereas risk appetite is the total risk the organization can bear in a given risk profile, usually expressed in aggregate. Risk tolerance is related to the acceptance of the outcomes of a risk should it occur, and having the right resources and controls to absorb or “tolerate” the risk, expressed in qualitative and/or quantitative risk criteria. On the other hand, risk appetite is related to the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.

As mentioned earlier, ISO31000:2009 includes neither of the two terms because ISO says that “publication as an International Standard requires approval by at least 75% of the member bodies casting a vote.” When referencing ISO31000:2009, the term “risk attitude” is instead used. ISO31000:2009 defines risk attitude as “an organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”

ISO/TR 31004 takes this further by explaining the importance of risk criteria in the measurement of an organization’s risk attitude. When implementing a risk framework, it states: “Appropriate risk criteria should be established. Risk criteria need to be consistent with the objectives of the organization and aligned with its risk attitude. If the objectives change, the risk criteria need to be adjusted accordingly. It’s important for effective risk management that the risk criteria are developed to reflect the organization’s risk attitude and objectives.”

In conclusion, Swanepoel’s advice is to stick with terms defined by ISO standards. If a term is not defined by an ISO standard, it will invite others to provide their own interpretations, which results in more confusion. This increases the risk of being misunderstood, and if you have a low tolerance for that, it’s better to avoid the risk altogether.

Content Thought Leader - Wolters Kluwer Enablon
Jean-Grégoire Manoukian is Content Thought Leader at Wolters Kluwer Enablon. He’s responsible for thought leadership, content creation and the management of articles and social media activities. JG started at Enablon in 2014 as Content Marketing Manager and has more than 25 years of experience, including many years as a product manager for chemical management and product stewardship solutions. He also worked as a product marketing manager in the telecommunications industry.
Back To Top