Risk Tolerance vs. Risk Appetite: How To Understand Risk & Determine Your Risk Tolerance and Appetite
In organizational risk management, understanding risk tolerance vs. risk appetite is critical to finding a balance between taking and controlling risk. These concepts are applied in areas such as business investing, decision making, cybersecurity risk management, and overall finance.
While these concepts complement each other, they do have different meanings. A simple distinction of risk tolerance vs. risk appetite is this:
- Risk appetite is the willingness to take risks.
- Risk tolerance defines the boundaries and standards for assessing and responding to those risks.
Of course, there’s more to it than that. So, in this article, I’ll explain risk tolerance and appetite, including how they are related, and how they differ from each other, especially in types or levels. Additionally, let’s delve into:
- The factors that influence the levels of tolerance or appetite
- The advantages your company can gain in correctly determining risk tolerance and appetite
Let’s get started.
What is risk tolerance?
Risk tolerance is the capacity of an organization to absorb the negative impacts of risks to its goals or operations. In investing terms, it is the level of risk an investor (or organization) can withstand while still pursuing its goals.
A certain level is defined for risk tolerance. For instance:
- Some companies have an aggressive risk tolerance.
- In contrast, companies that cannot withstand larger losses will have a low or moderate risk tolerance.
Moreover, risk tolerance can be expressed as a band with a target and a hard limit set by the company's risk management strategy. For example, an online service might aim for no more than two (2) hours of downtime per month, while tolerating up to six (6) hours before it expects to lose a significant share of its users and revenue. Anything beyond that limit is a tolerance breach that must be escalated.
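The downtime band above is the kind of key risk indicator a security or SRE team actually monitors. The following is an added example, not code from the original article: it takes a month of constructed incident records, merges overlapping outages so a single event logged twice is not double counted, and classifies the total against a hypothetical appetite target (2 hours) and tolerance limit (6 hours). The threshold values, the incident data and all function names are assumptions chosen for illustration.

```python
"""Added example (not from the original article): check measured monthly
downtime against a risk appetite target and a risk tolerance limit.

Hypothetical assumptions used here:
  * APPETITE_HOURS  = 2.0  -> downtime per month the business is willing to accept
  * TOLERANCE_HOURS = 6.0  -> hard limit beyond which users and revenue are lost
  * incidents are (start, end) datetime pairs; overlapping pairs are merged so
    one outage recorded by two teams is counted once
"""
from datetime import datetime

APPETITE_HOURS = 2.0
TOLERANCE_HOURS = 6.0


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs into disjoint windows."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            # Overlaps the previous window: extend it instead of adding a new one
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_hours(incidents):
    """Total outage hours after de-duplicating overlapping incidents."""
    merged = merge_intervals(incidents)
    return sum((end - start).total_seconds() for start, end in merged) / 3600


def classify(hours, appetite=APPETITE_HOURS, tolerance=TOLERANCE_HOURS):
    """Map measured downtime onto the appetite/tolerance band."""
    if hours <= appetite:
        return "within appetite"
    if hours <= tolerance:
        return "within tolerance"
    return "tolerance breached"


def assess_month(incidents, appetite=APPETITE_HOURS, tolerance=TOLERANCE_HOURS):
    """Return the figures a risk report would carry for one month."""
    hours = downtime_hours(incidents)
    return {
        "downtime_hours": round(hours, 2),
        "status": classify(hours, appetite, tolerance),
        "headroom_hours": round(tolerance - hours, 2),  # negative once breached
    }


def _ts(value):
    return datetime.fromisoformat(value)


# Constructed sample data: three outages in one month. The second and third
# overlap (two teams logged the same incident), so they count as one 3-hour window.
SAMPLE_INCIDENTS = [
    (_ts("2024-05-03T02:00"), _ts("2024-05-03T03:30")),  # 1.5 h
    (_ts("2024-05-17T09:00"), _ts("2024-05-17T11:00")),  # merged with the next
    (_ts("2024-05-17T10:30"), _ts("2024-05-17T12:00")),  # -> 09:00-12:00 = 3.0 h
]
# Total 4.5 h: over the 2 h appetite, still inside the 6 h tolerance.

if __name__ == "__main__":
    print(assess_month(SAMPLE_INCIDENTS))
```

The three-way result is the useful part: "within tolerance" is a signal to management that the service is running above appetite and the remaining headroom is shrinking, while "tolerance breached" is the condition that the board-approved limits require to be escalated rather than quietly absorbed.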
(Explore popular risk management frameworks for cyber, organizational and operational risk.)
What is risk appetite?
Uncertainties are the only guarantee in today’s world. Every organization must understand the risks they are willing to take to reach their goals and those they must act on to avoid — this is risk appetite.
Risk appetite defines how much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.
For instance, start-up companies focus on rapid innovation to become competitive with rivals. They must take higher risks than already established companies. Thus, we can assume that they will have:
- A high-risk appetite when adopting the latest and trending technologies.
- A low-risk appetite regarding the health and safety of their employees or finances.
Another example is academic research to contribute to innovation in specialized fields. Universities and other learning establishments will have a high-risk appetite to invest in high-quality new technologies for conducting research. On the other hand, they will have a low-risk appetite for conducting unethical and non-compliant research.
How risk appetite & risk tolerance are connected
While both concepts are related, they have two different purposes. So, we can say they are complementary: Risk appetite is what drives the willingness of the company to take risks. (Are you hungry for risk, or not so much?) Risk tolerance then defines the boundaries and standards for assessing and responding to those risks.
Therefore, risk appetite and tolerance must be in sync and aligned with the organizational goals and objectives. If the two are misaligned, one of two things happens: the company takes on more risk than it can actually absorb, or it takes too little risk and forgoes the returns its strategy depends on.
Levels of risk tolerance vs. appetite
Now let’s look at the levels of risk. Risk tolerance and appetite are defined using certain levels, as described below.
Levels of risk tolerance
Aggressive risk tolerance
Companies with aggressive risk tolerance have a larger capacity to withstand negative impacts in taking risks. Their focus is gaining the highest profits possible from their investments in the long term. Thus, they can face significant financial or reputational damages from the risks they have taken.
Since these companies aim for high returns in the long run, they usually are fine with short-term losses or the changing values of their investments.
Moderate risk tolerance
When companies have moderate risk tolerance, their ability to withstand the negative impacts of risks is lower than aggressive risk-tolerant companies. Therefore, they do not go for overly high rewards but the balance between risk impacts and the profits of risks taken.
They usually define percentages to the risks they can manage. As a result, these companies suffer less financial or reputational damage than aggressive risk-takers.
Conservative risk tolerance
Companies with conservative risk tolerance have a lower tolerance than either of the levels above. They tend to accept smaller returns from their investments because their primary focus is to minimize damage and negative impacts as much as possible.
Risk appetite levels
- High risk appetite. Companies with aggressive risk tolerance often have a high-risk appetite. They are risk-seekers willing to take significant risks in return for high rewards.
- Moderate or neutral risk appetite. Risk-neutral organizations try to balance the risks and rewards. Rather, they take calculated risks, which they feel comfortable taking.
- Low risk appetite. This is similar to conservative risk tolerance and is called the ‘risk-averse’ level. Risk-averse companies tend to avoid risks that could lead to significant losses, even when the potential return is high.
Influencing factors & drivers for risk tolerance vs risk appetite
The level of risk tolerance and risk appetite can be influenced by various factors. These factors depend on the context in which they are being determined.
Influencing factors for risk tolerance
- Your industry. Inherently, various industries have different risk tolerance levels. For example, the IT industry has a higher risk tolerance due to rapid and continuous innovations, competitiveness, user demands, and many other IT-industry-specific factors. However, companies in the energy or utility industries may have a low-risk tolerance due to their stability and the role they play in critical infrastructure.
- Your financial situation. Assume your company is financially stable: investment options, revenues, and low debt levels. In that case, you are more risk-tolerant to the negative impacts of the risks taken.
- Past experience. A company is typically more cautious if it has faced financial losses or damages due to past risks or investments. This caution tends to lower the risk tolerance of the company. On the other hand, if the company has faced such risky situations successfully, it will be more confident in tolerating more risks in the future.
- Regulatory compliance. Companies are regulated by different regulatory compliance rules, such as data protection or industry-specific regulations. These companies typically have a lower risk tolerance since they are constantly monitored for falling out of compliance. In case of breach or failure, severe charges — often financial fines — may apply.
- Preparedness for cybersecurity threats. Companies in any industry are subject to cybersecurity threats. The preparedness and resilience of a company against these risks directly impact its risk tolerance.
- Operational capacity. The ability to absorb operational disruptions such as system downtime and data breaches (redundancy, backups, incident response capability) determines how much of that risk a company can tolerate.
(Related reading: governance, risk & compliance aka GRC.)
Risk appetite influencing factors
So, what can determine your appetite for risk? Lots of things.
Focused need for innovation
Rapid innovation can significantly influence the risk appetite of a company. New tools and technologies are constantly being developed while existing ones evolve, so companies must keep adapting. Consequently, companies that want to stay ahead must accept a higher risk appetite.
A great way to think of this:
- The technology sector at large is constantly looking to innovate, to crack the next biggest thing and share it with the world.
- The financial industry, on the other hand, tends to hold steady, as they have many laws, regulations, and obligations to uphold, to customers, government entities, and sometimes even stakeholders. Think of your bank: their products depend on being safe, reliable, and easy to use for a wide population.
Company culture and leadership
Risk appetite depends heavily on the key decision-makers of a company, including the CEO and senior management. Growth-oriented leaders tend to push toward a high risk appetite, while more conservative leaders lean toward risk aversion.
(More on this topic just below, when we dig into who sets tolerance and appetite levels across an entire organization.)
Additional factors
- Market opportunities. Companies are willing to take higher risks when new markets are opened. Large-scale market opportunities encourage companies to take more risks to secure a significant market share.
- Your strategic objectives and goals. The organizational goals, such as becoming the top leader in the market and leading in innovation, determine how much risk it is willing to take.
- Stakeholder expectations. For example, stakeholders who are interested in areas like blockchain, AI, and cloud computing can drive a company to adopt a higher risk appetite.
Risk in the real world: Who sets risk tolerance and risk appetite levels?
In this next section, we’ll now move from the concepts of risk tolerance and appetite into the practicalities of it. What does it mean, in the real world, to determine your risk tolerance or how much you hunger for risk?
Certainly, on a personal level, you may already know these answers, but for a company of any size, it is a real topic of much consideration and work to achieve.
Risk management & the board of directors
The board of directors has a broad role in organizational risk management. And there’s often two “deliverables” from the board for the entire organization:
- The risk appetite statement
- A risk taxonomy
Risk appetite statement. The OCC (Office of the Comptroller of the Currency) defines a risk appetite statement as one that “articulates the level and type of risk [the organization] will accept while conducting its mission and carrying out its strategic plan.” Typically, the statement is developed in collaboration with an organization's senior management, such as the CEO, CFO, and CRO.
The board of directors approves, evaluates, and challenges the risk appetite statement. It holds senior management accountable for operating within the approved risk tolerance and appetite levels. To that end, the board regularly monitors the actual risk profile against the set limits and obtains an independent assessment, either through internal audit or third parties.
Risk taxonomy. A risk taxonomy defines a standard structure for identifying, assessing, and reporting risks across the entire organization. It helps the board understand which risks are significant to the organization and the nature of those risks.
Because board members' technical knowledge varies, a risk taxonomy bridges the gap between technical teams and the board by categorizing risks clearly and eliminating ambiguity. With clearly defined risk information, the board can set the level of risk exposure acceptable to the organization.
That raises the next question: how do you set your statement and create your risk taxonomy?
ISO 31000 and ISO/TR 31004
ISO 31000 is the internationally recognized standard for risk management. The latest version, ISO 31000:2018, replaced the 2009 edition and was updated to address emerging risk factors, including digital currency and complex economic systems. Here’s what ISO 31000 helps with:
- Encouraging a proactive approach to risk management. Organizations that take this approach can mitigate and resolve risks before they escalate.
- Providing structured risk management processes, frameworks, and principles, building stakeholder confidence.
- Integrating risk management principles into an organization's activities, functions, and processes.
- Promoting risk management culture, encouraging stakeholders and employees to monitor and manage risks.
ISO/TR 31004 is a supporting technical report that guides you on how to implement the ISO 31000 risk management principles. It provides a framework for organizations to transition to ISO 31000, ensuring the implementation aligns with the organization's risk appetite, culture, size, and so on. Note that ISO/TR 31004:2013 was written against the 2009 edition of ISO 31000, so read it alongside the 2018 text rather than as a substitute for it.
How frequently should you assess risks?
Every project task or strategy change can introduce a new risk. Therefore, you should perform risk assessments continually to capture every potential issue. These factors should guide your risk assessment schedule:
- The nature of your industry
- The scope of the project/business area impact
- Your org’s risk assessment process and risk culture
While the frequency of assessing risks can vary depending on your circumstances (monthly, quarterly, biannually, etc.), it is a best practice to reassess at least annually, and again whenever a significant change (a new system, market, or regulation) alters your risk profile.
(Related reading: how to perform risk assessments.)
Advantages of knowing your risk tolerance & appetite for risk
Both concepts guide companies in effectively managing risks, providing several benefits.
Foster a strong risk culture. Defining your risk tolerance and appetite helps to develop a positive risk culture within the company. Employees recognize risks, follow guidelines, and avoid poor risk practices.
Improve decision making. Understanding risk tolerance and appetite aligns decisions with strategic goals for smarter choices.
Boost customer confidence and trust. A strong risk management record builds trust and loyalty. For example, when your favorite software provider has handled system downtime well and delivered products or services consistently with minimum impact, as stated in its risk tolerance statements, customers will continue to trust them.
Improve your adaptability to changing conditions. Companies with well-defined risk tolerance and appetite are better at adapting to changing market conditions. This adaptability ensures they are well prepared to handle uncertainties.
What risk will you tolerate? What risk are you ready for?
Risk appetite and risk tolerance are often used interchangeably in organizational risk management. As you have learned in this article, the two concepts are related but have distinct meanings.
Both define three types of levels, and several distinct and related factors influence determining the exact level of risk tolerance and appetite. Finally, there are several advantages to identifying the risk appetite and tolerance of various aspects within an organization.
This posting does not necessarily represent Splunk's position, strategies or opinion.