In organizational risk management, Risk Tolerance and Risk Appetite are two fundamental concepts. These concepts are applied in areas such as business investing, decision making, cybersecurity risk management, and overall finance.
While these concepts complement each other, they do have different meanings. A simple distinction is this:
And there’s a bit more to it. So, in this article, I’ll explain risk tolerance and appetite, including how they are related, and how they differ from each other, especially in types or levels. Additionally, let’s delve into:
Let’s get started.
Risk Tolerance is the capacity of an organization to manage the negative impacts of risks that will impact its organizational goals or operations. In terms of investments, it is the level of risks an investor (or organization) can take to succeed in their goals.
A certain level is defined for risk tolerance. For instance:
Moreover, risk tolerance can have minimum and maximum values set by the company’s risk management strategy. For example, an online system can tolerate downtime of a minimum of two (2) to a maximum of six (6) hours without significantly losing its users and revenue.
(Explore popular risk management frameworks for cyber, organizational and operational risk.)
Uncertainties are the only guarantee in today’s world. Every organization must understand the risks they are willing to take to reach their goals and those they must act on to avoid — this is risk appetite.
Risk appetite defines how much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.
For instance, start-up companies focus on rapid innovation to become competitive with rivals. They must take higher risks than already established companies. Thus, we can assume that they will have:
Another example is academic research to contribute to innovation in specialized fields. Universities and other learning establishments will have a high-risk appetite to invest in high-quality new technologies for conducting research. On the other hand, they will have a low-risk appetite for conducting unethical and non-compliant research.
While both concepts are related, they have two different purposes. So, we can say they are complementary: Risk appetite is what drives the willingness of the company to take risks. Risk tolerance then defines the boundaries and standards for assessing and responding to those risks.
Therefore, risk appetite and tolerance must be in sync and aligned with the organizational goals and objectives. Assume that there is a discrepancy between these concepts. In that case, companies can take more risks than expected. Otherwise, they will not gain a return on their investments due to less risk-taking.
Risk tolerance and appetite are defined using certain levels, as described below.
Companies with aggressive risk tolerance have a larger capacity to withstand negative impacts in taking risks. Their focus is gaining the highest profits possible from their investments in the long term. Thus, they can face significant financial or reputational damages from the risks they have taken.
Since these companies aim for high returns in the long run, they usually are fine with short-term losses or the changing values of their investments.
When companies have moderate risk tolerance, their ability to withstand the negative impacts of risks is lower than aggressive risk-tolerant companies. Therefore, they do not go for overly high rewards but the balance between risk impacts and the profits of risks taken.
They usually define percentages to the risks they can manage. As a result, these companies suffer less financial or reputational damage than aggressive risk-takers.
Companies with conservative risk tolerance have a lower level of risk tolerance levels than the levels mentioned above. They tend to get a small return from their investments due to their primary focus: to minimize the damages or negative impacts as much as possible.
The level of Risk Tolerance and Risk Appetite can be influenced by various factors. These factors depend on the context in which they are being determined.
(Related reading: governance, risk & compliance aka GRC.)
Both concepts guide companies in effectively managing risks, providing several benefits.
Defining your risk tolerance and appetite helps to develop a positive risk culture within the company. As a result, your employees will:
Understanding risk tolerance and appetite helps assess the impacts of stakeholders' decisions. It ensures their decisions are aligned with the company’s strategic goals and enabling them to make smarter, more informed decisions.
When the customers know that your company has a good record of handling risks well, they tend to continue their relationship and become more confident.
For example, suppose a company has handled system downtime well and delivered products or services consistently with minimum impact, as stated in its risk tolerance statements. In that case, customers will continue to trust them.
Companies with well-defined risk tolerance and appetite are better at adapting to changing market conditions. This adaptability ensures they are well prepared to handle uncertainties.
Risk appetite and tolerance are interchangeably used in risk management in any organization. As you have learned in this article, both concepts are related — but do have distinct meanings.
Both define three types of levels, and several distinct and related factors influence determining the exact level of risk tolerance and appetite. Finally, there are several advantages to identifying the risk appetite and tolerance of various aspects within an organization.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.