When an organization adopts an enterprise risk management standard, it must understand that although it cannot avoid all risks, it does have control over certain aspects of risk and over the risks it is willing to take. Some risks are necessary for reaching the organization’s objectives; others can lead to devastating consequences.
When consciously making decisions for an organization’s wellbeing surrounding risk management, the concepts of “risk appetite” and “risk tolerance” play a significant role. But what do these terms mean, and how are they different?
What is Risk Appetite?
According to ISO 31000, risk appetite is defined as “the amount and type of risk that an organization is prepared to pursue, retain or take.” Before an organization can manage risk, its risk appetite must be determined.
When developing a risk appetite framework, the internal and external context of the organization must be taken into consideration. Risk frameworks must be tailored to each individual entity. Risk appetite is essentially how an organization views risk and reward: what amount or type of risk is, or is not, worth taking?
The foundation of a risk appetite framework is establishing context. Factors of context can range from company culture to competitors to financial capabilities. An organization’s internal and external context can change over time, which makes the establishment of risk appetite an ongoing process.
The pursuit of objectives is what creates value at the core of an organization, and risk appetite is an essential aspect of this. When an organization has a high risk appetite, it has determined that taking risks with higher uncertainty is worth the potentially higher benefit. An organization with a low risk appetite finds that the best option is to be averse to risk in order to avoid potential consequences.
What is Risk Tolerance?
Risk tolerance is the level of risk an organization is willing to take on in terms of individual risks. When an organization decides its risk tolerance, it is defining boundaries within specific areas of risk for the entity. Risk tolerance is important because each risk is unique in nature.
Many people find it hard to differentiate between risk appetite and tolerance, because of the concepts’ similarities. However, risk tolerance refers to the organization’s goals in a more specific and individual way, whereas appetite is a holistic measurement. An organization’s risk tolerance calls for parameters that are practical and able to be applied to decision-making.
The concept of risk tolerance refers to the variation of results that an organization is willing to tolerate as an outcome of specific measures taken towards achieving objectives. This concept determines the entity’s preparedness to bear the consequences after treating risks in specific areas or silos.
Managing risk is essential to the success of any organization, and to achieve this effectively, certain concepts must be implemented. Risk appetite: the amount and type of risk an organization is willing to take. Risk tolerance: the variation of outcomes an organization is willing to tolerate in specific silos. Once these two concepts are established, enterprise risk management procedures can be embedded into every part of an organization and continue to develop as context evolves over time. Knowing the difference between risk appetite and risk tolerance accelerates decision-making and is essential to any organization’s success.