Risk Tolerance vs. Risk Appetite Explained

In organizational risk management, Risk Tolerance and Risk Appetite are two fundamental concepts. These concepts are applied in areas such as business investing, decision making, cybersecurity risk management, and overall finance.

While these concepts complement each other, they do have different meanings. A simple distinction is this:

• Risk appetite is the willingness to take risks.
• Risk tolerance defines how much a company can tolerate the risks it is willing to take.

And there’s a bit more to it. So, in this article, I’ll explain risk tolerance and appetite, including how they are related, and how they differ from each other, especially in types or levels. Additionally, let’s delve into:

• The factors that influence the levels of tolerance or appetite
• The advantages your company can gain in correctly determining risk tolerance and appetite

Let’s get started.

What is Risk Tolerance?

Risk Tolerance is the capacity of an organization to manage the negative impacts of risks that will impact its organizational goals or operations. In terms of investments, it is the level of risks an investor (or organization) can take to succeed in their goals.

A certain level is defined for risk tolerance. For instance:

• Some companies have an aggressive risk tolerance.
• In contrast, companies that cannot withstand larger losses will have a low or moderate risk tolerance. 

Moreover, risk tolerance can have minimum and maximum values set by the company’s risk management strategy. For example, an online system can tolerate downtime of a minimum of two (2) to a maximum of six (6) hours without significantly losing its users and revenue. 

(Explore popular risk management frameworks for cyber, organizational and operational risk.)

What is Risk Appetite?

Uncertainties are the only guarantee in today’s world. Every organization must understand the risks they are willing to take to reach their goals and those they must act on to avoid — this is risk appetite.

Risk appetite defines how much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.

For instance, start-up companies focus on rapid innovation to become competitive with rivals. They must take higher risks than already established companies. Thus, we can assume that they will have:

• A high-risk appetite when adopting the latest and trending technologies.
• A low-risk appetite regarding the health and safety of their employees or finances.

Another example is academic research to contribute to innovation in specialized fields. Universities and other learning establishments will have a high-risk appetite to invest in high-quality new technologies for conducting research. On the other hand, they will have a low-risk appetite for conducting unethical and non-compliant research. 

How risk appetite & risk tolerance are connected

While both concepts are related, they have two different purposes. So, we can say they are complementary: Risk appetite is what drives the willingness of the company to take risks. Risk tolerance then defines the boundaries and standards for assessing and responding to those risks. 

Therefore, risk appetite and tolerance must be in sync and aligned with the organizational goals and objectives. Assume that there is a discrepancy between these concepts. In that case, companies can take more risks than expected. Otherwise, they will not gain a return on their investments due to less risk-taking. 

Levels of risk tolerance vs. appetite

Risk tolerance and appetite are defined using certain levels, as described below. 

Risk tolerance levels

Aggressive risk tolerance

Companies with aggressive risk tolerance have a larger capacity to withstand negative impacts in taking risks. Their focus is gaining the highest profits possible from their investments in the long term. Thus, they can face significant financial or reputational damages from the risks they have taken.

Since these companies aim for high returns in the long run, they usually are fine with short-term losses or the changing values of their investments.

Moderate risk tolerance 

When companies have moderate risk tolerance, their ability to withstand the negative impacts of risks is lower than aggressive risk-tolerant companies. Therefore, they do not go for overly high rewards but the balance between risk impacts and the profits of risks taken.

They usually define percentages to the risks they can manage. As a result, these companies suffer less financial or reputational damage than aggressive risk-takers. 

Conservative risk tolerance

Companies with conservative risk tolerance have a lower level of risk tolerance levels than the levels mentioned above. They tend to get a small return from their investments due to their primary focus: to minimize the damages or negative impacts as much as possible.

Risk appetite levels

• High risk appetite. Companies with aggressive risk tolerance often have a high-risk appetite. They are risk-seekers willing to take significant risks in return for high rewards.
• Moderate or neutral risk appetite. Risk-neutral organizations try to balance the risks and rewards. Rather, they take calculated risks, which they feel comfortable taking. 
• Low risk appetite. This is similar to conservative risk tolerance and is called the ‘risk-averse’ level. Companies with low-risk levels tend to avoid risks that could lead to significant losses, even if their risk-taking returns are higher.

Influencing factors & drivers for risk

The level of Risk Tolerance and Risk Appetite can be influenced by various factors. These factors depend on the context in which they are being determined. 

Influencing factors for Risk Tolerance

• Your industry. Inherently, various industries have different risk tolerance levels. For example, the IT industry has a higher risk tolerance due to rapid and continuous innovations, competitiveness, user demands, and many other IT-industry-specific factors. However, companies in the energy or utility industries may have a low-risk tolerance due to their stability and the role they play in critical infrastructure.
  

• Your financial situation. Assume your company is financially stable: investment options, revenues, and low debt levels. In that case, you are more risk-tolerant to the negative impacts of the risks taken.

• Past experience. A company is typically more cautious if it has faced financial losses or damages due to past risk or investments. This caution tends to lower the risk tolerance of the company. On the other hand, if the company has faced such risky situations successfully, it will be more confident in tolerating more risks in the future.

• Regulatory compliance. Companies are regulated by different regulatory compliance rules, such as data protection or industry-specific regulations. These companies typically have a lower risk tolerance since they are constantly monitored for falling out of compliance. In case of breach or failure, severe charges — often financial fines — may apply.
  

• Preparedness for cybersecurity threats. Companies in any industry are subject to cybersecurity threats. The preparedness and resilience of a company against these risks directly impact its risk tolerance.
  

• Operational capacity. Companies face operational risks like system downtimes and data breaches that impact risk tolerance.

(Related reading: governance, risk & compliance aka GRC.)

Risk Appetite influencing factors

• Rapid innovation can significantly influence the risk appetite of a company.  For example, various tools and technologies are being developed while the existing ones are evolving. Thus, there is a constant need for companies to adapt to such changes. Consequently, a higher risk appetite must be developed to stay ahead of the game.
  

• Market opportunities. Companies are willing to take higher risks when new markets are opened. Large-scale market opportunities encourage companies to take more risks to secure a significant market share.

• Company culture and leadership. Risk appetite highly depends on the key decision-makers of a company, including the CEO and higher management. They could drive towards a high-risk appetite if they are more growth oriented — or, they will focus on averting risk aversion if they are more conservative leaders.

• Your strategic objectives and goals. The organizational goals, such as becoming the top leader in the market and leading in innovation, determine how much risk it is willing to take.

• Stakeholder expectations. For example, stakeholders who are interested in areas like blockchain, AI, and cloud computing can drive a company to adopt a higher risk appetite.

Advantages of knowing your risk tolerance & appetite for risk

Both concepts guide companies in effectively managing risks, providing several benefits.

Foster a strong risk culture

Defining your risk tolerance and appetite helps to develop a positive risk culture within the company. As a result, your employees will:

• Know what kind of risks there are.
• Abide by the rules as laid out.
• Avoid negative risk management practices. 

Improve decision making

Understanding risk tolerance and appetite helps assess the impacts of stakeholders' decisions. It ensures their decisions are aligned with the company’s strategic goals and enabling them to make smarter, more informed decisions.  

Improve customer confidence

When the customers know that your company has a good record of handling risks well, they tend to continue their relationship and become more confident.

For example, suppose a company has handled system downtime well and delivered products or services consistently with minimum impact, as stated in its risk tolerance statements. In that case, customers will continue to trust them.

Improve your adaptability to changing conditions

Companies with well-defined risk tolerance and appetite are better at adapting to changing market conditions. This adaptability ensures they are well prepared to handle uncertainties. 

What risk will you tolerate? What risk are you ready for?

Risk appetite and tolerance are interchangeably used in risk management in any organization. As you have learned in this article, both concepts are related — but do have distinct meanings.

Both define three types of levels, and several distinct and related factors influence determining the exact level of risk tolerance and appetite. Finally, there are several advantages to identifying the risk appetite and tolerance of various aspects within an organization.