What Are The Differences Between Risk Appetite vs Risk Tolerance and Residual Risk? [Definitions]


When comparing risk appetite vs risk tolerance, risk appetite focuses on the level of risk that an organization deems acceptable whereas risk tolerance focuses on the acceptable level of variation around risk objectives.

According to the IIA, both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. However, as you can see above there is an important difference to note when comparing risk appetite vs risk tolerance.

An example of a risk appetite statement would be when a company says it does not accept risks that could result in a significant loss of its revenue base. When the same company says it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 10%, it is expressing a risk tolerance definition.

Awareness of residual risk and operating within a risk tolerance provides management greater assurance that the company remains within its risk appetite as part of the risk management process.

This reassurance, in turn, provides a higher degree of comfort that the company will achieve its strategic objectives. It also helps to ensure that actual risk exposure is being managed.

What is Risk Appetite?

According to ISO 31000, a risk appetite definition is “the amount and type of risk that an organization is prepared to pursue, retain or take.”

The challenge with developing a risk appetite definition is how to implement and enforce it, making it relevant to business units on a day-to-day and case by case basis.

This means it is important to link risk appetite to business objectives and then collect the appropriate risk metrics to measure the risk appetite.

What is Risk Tolerance?

Risk tolerance reflects the acceptable level of variation around a particular set of risk-based objectives. It is a measure of how much loss a person or an organization is willing to absorb, given their existing assets and the other risks they currently face.

If someone has a low risk tolerance, they likely make more conservative business objectives that do not pose a threat to themselves or their organization.

Someone with a higher risk tolerance, however, may opt for more aggressive decisions that carry a higher likelihood of adverse consequences, or more severe ones.

What is Residual Risk?

When crafting a best practice risk appetite and risk tolerance definition, it’s important to keep in mind that risk tolerances should be specific to a company’s individual goals and require actionable parameters and risk criteria.

For example, in LogicManager’s unified root-cause risk library, every risk management factor can be given a risk tolerance, or a range of acceptability to the organization.

One way to measure this range is by monitoring the residual risk.

Residual risk definition: the threat a risk still poses after the current mitigation activities in place to address it are taken into account. Residual risk can be an important metric for assessing whether the organization is operating within its risk appetite.

A risk tolerance range, with a specific minimum and maximum level of residual risk, is typically set by the committee responsible for risk management oversight and accepted by the board of directors.

This means that if a risk's impact on the organization, multiplied by its likelihood of occurring, and then reduced by the effectiveness of current mitigation activities (that is, multiplied by the share of the risk the controls do not remove), falls outside of the level deemed acceptable, then the risk factor is out of tolerance. Note that the residual score is discounted by control effectiveness, never multiplied by it; multiplying by effectiveness would make stronger controls look like higher risk.

Business process owners must then adjust risk mitigation activities, procedures, or controls in order to keep the residual risk within the defined risk tolerance.

Setting enterprise risk tolerances is a calibration exercise, meaning you need to collect a number of risk assessments for areas known to have high and low risk.

This provides an opportunity to compare residual risk to measurements of known acceptability.
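The scoring and calibration described above, as an added worked example; this is not LogicManager's code or the page's own, and the 1 to 5 impact and likelihood scales, the 0.0 to 1.0 control-effectiveness scale, and every risk factor listed are constructed assumptions. It computes residual risk as inherent risk discounted by control effectiveness, derives a tolerance range from assessments already judged acceptable, sanity-checks that range against assessments already judged unacceptable, and then flags which factors in a portfolio fall outside it:

```python
"""Residual-risk scoring with a calibrated tolerance range.

Added example, not LogicManager's code. Scales and sample risk
factors below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    name: str
    impact: int                  # assumed scale: 1 (negligible) .. 5 (severe)
    likelihood: int              # assumed scale: 1 (rare) .. 5 (almost certain)
    control_effectiveness: float # 0.0 = no mitigation .. 1.0 = fully mitigated


def inherent_risk(factor: RiskFactor) -> int:
    """Impact x likelihood before any mitigation is considered."""
    return factor.impact * factor.likelihood


def residual_risk(factor: RiskFactor) -> float:
    """Inherent risk discounted by the controls already in place.

    The score is multiplied by the share of risk the controls do NOT
    remove (1 - effectiveness). Multiplying by effectiveness itself would
    reward weaker controls with a lower score, which is the wrong way round.
    """
    if not 0.0 <= factor.control_effectiveness <= 1.0:
        raise ValueError(f"{factor.name}: effectiveness must be in [0, 1]")
    return round(inherent_risk(factor) * (1.0 - factor.control_effectiveness), 2)


def calibrate_tolerance(acceptable, unacceptable):
    """Derive a (minimum, maximum) residual-risk range from known assessments.

    The range spans the residual scores of areas the organization already
    treats as acceptable. Areas already judged unacceptable must all score
    above that maximum, otherwise the scoring scale cannot separate them.
    """
    scores = [residual_risk(f) for f in acceptable]
    low, high = min(scores), max(scores)
    worst_acceptable_gap = min(residual_risk(f) for f in unacceptable)
    if worst_acceptable_gap <= high:
        raise ValueError(
            f"calibration overlap: an unacceptable area scores {worst_acceptable_gap}, "
            f"inside the acceptable maximum {high}"
        )
    return low, high


def check_tolerance(factors, tolerance):
    """Return {name: (direction, residual)} for every factor outside the range.

    'above' means mitigation must be strengthened; 'below' means the factor
    is controlled beyond the calibrated range and may be over-controlled.
    """
    low, high = tolerance
    out_of_tolerance = {}
    for f in factors:
        r = residual_risk(f)
        if r > high:
            out_of_tolerance[f.name] = ("above", r)
        elif r < low:
            out_of_tolerance[f.name] = ("below", r)
    return out_of_tolerance


# Constructed calibration sets: assessments already judged by the oversight committee.
KNOWN_ACCEPTABLE = [
    RiskFactor("Office visitor badge misuse", 3, 3, 0.5),
    RiskFactor("Late vendor invoice", 4, 2, 0.4),
    RiskFactor("Stale internal wiki page", 2, 2, 0.2),
]
KNOWN_UNACCEPTABLE = [
    RiskFactor("Unencrypted customer database export", 5, 4, 0.2),
    RiskFactor("Shared admin password", 4, 4, 0.5),
]

# Constructed portfolio to evaluate against the calibrated range.
PORTFOLIO = [
    RiskFactor("Phishing-driven credential theft", 5, 4, 0.6),
    RiskFactor("Unpatched internet-facing server", 4, 4, 0.25),
    RiskFactor("Lost backup tape", 3, 2, 0.9),
    RiskFactor("Vendor SLA breach", 4, 1, 0.0),
]


def run_assessment():
    tolerance = calibrate_tolerance(KNOWN_ACCEPTABLE, KNOWN_UNACCEPTABLE)
    return tolerance, check_tolerance(PORTFOLIO, tolerance)


if __name__ == "__main__":
    tol, flagged = run_assessment()
    print(f"calibrated tolerance range: {tol}")
    for name, (direction, score) in flagged.items():
        print(f"{name}: residual {score} is {direction} tolerance")
```

Running it prints the calibrated range (3.2, 4.8) and flags the phishing and unpatched-server factors as above tolerance and the backup-tape factor as below it; the vendor SLA factor, at 4.0, sits inside the range. The "below" flag is what the minimum of the range buys you: a factor controlled far below every known-acceptable area is a candidate for redirecting control spend, which the maximum alone would never surface.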

Translating Risk Appetite and Risk Tolerance Statements into Reality

An organization-wide risk appetite statement can be a powerful tool that gives your risk criteria or compliance program direction. However, like any policy, a risk appetite without accompanying action is nothing more than an idea.

With standardized risk assessment templates and intuitive risk dashboards, risk managers can collect the information necessary to implement appropriate risk appetite and risk tolerance at both an enterprise level and for individual business processes.

Make Underlying Risk Metrics Comparable Over Time, Across Levels, and Across Silos

Using the customer service metrics from the FAQ below, the number of re-opened cases might be a good root-cause metric, but it is not comparable over time or across products because the total number of cases will always vary. Instead, measuring the percentage of cases that are re-opened is a more meaningful metric: its value is independent of customer volume, and is therefore comparable both over time and across silos.

Frequently Asked Questions

How Do I Define Risk Tolerances at the Front-Line Process Level?

Every day, front-line managers make operational decisions about the minimum and maximum levels of risk they will accept, and those decisions are often far removed from the organization's risk appetite policies and the level of risk the organization as a whole is willing to take.

The front line is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.

To successfully implement your risk appetite across the organization, you must be able to identify and define risk tolerances at the front-line process level. Robust monitoring tools allow organizations to evaluate risk tolerances for the root causes of risk at any level.

In turn, this allows organizations to connect front-line enterprise risk management decisions with overall risk appetite and determine which processes are out of range through intuitive, navigable dashboards and risk management reports.

How Do I Connect Risk Appetite to Business Performance?

Risk appetites should always be aimed at improving business performance. Say your organization has a strategic imperative of customer satisfaction and your risk appetite statement outlines a low tolerance for customer dissatisfaction. You could set risk management goals for a particular customer satisfaction survey; however, this metric doesn’t offer any actionable solution to improve customer service. With a survey you’ll always be acting on customer impressions from last month as an effect of last year’s policies.

Instead, your risk management metrics need to be looking to the future. Back to our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization. In this example, other forward-looking metrics could include call-wait time or email response time. Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.

How Do I Align Risk Tolerances with Strategic Goals and Business Models?

Risk tolerances will naturally develop from your overall risk appetite, but they also need to be aligned with your organization's goals and business model. Your organization might set a very low risk tolerance for customer dissatisfaction, but meeting that tolerance means serving high-cost customers with expensive service levels, and that policy is not in line with a discount business model.

When risk tolerances are aligned with both the overall risk appetite and strategic goals, they will lower the residual level of risk and contribute to achieving your strategic risk management goals.

FREE DOWNLOAD: 5 Risk Appetite Statement Examples

Get started with Risk Appetite Statements with some of our best practice examples.
