Risk Appetite vs. Risk Tolerance: What is the Difference?

Author: Mary Carmichael, CRISC, CISA, CPA, Member of ISACA Emerging Trends Working Group
Date Published: 24 October 2022

In enterprise risk management, there can often be confusion about the definitions for risk-related terminology. For example, there is a frequent misunderstanding about the meaning of “risk appetite” and “risk tolerance,” with these terms being used interchangeably, potentially impacting the risk management framework for the organization. When implemented appropriately, these terms are quite distinct and play a significant role in the balancing act of “taking risk” and “controlling risk” for achieving corporate strategy and objectives. 

Deciding how much risk to accept is the central question of effective risk management, and answering it requires applying both risk appetite and risk tolerance. Enterprise risk management supplies the insight for that decision: the board-approved risk appetite identifies which risks to take in pursuit of strategic objectives, and management implements controls and uses risk tolerance to measure whether actual risk exposure stays within that appetite.

This blog post will demystify the risk appetite and risk tolerance terms and explain how you can integrate these concepts within your risk management framework. ISACA’s new risk tolerance white paper, Using Risk Tolerance to Support Enterprise Strategy, will further explain the relationship between these two terms, as well as provide a standard implementation framework for the application of risk tolerance, with integration to risk appetite.

What is Risk Appetite?
Risk appetite is described as “the amount of risk that an organization is willing to accept to achieve its objectives.” This definition recognizes that, while risk can impact an enterprise’s success, so can risk aversion. The world is full of risk, and organizations must determine which risks to accept to achieve their objectives and which require further action to avoid, mitigate or transfer. This is a key task for an enterprise risk management program: evaluating which risks fit within the organization’s risk appetite and which require additional controls to reduce the residual risk to an acceptable level.

Typically, a risk appetite statement is approved by the board of directors and documents the organization’s risk attitude and its willingness to accept risk in specific scenarios, with a governance model in place for risk oversight (e.g., monitoring whether unacceptable risks are being pursued). Risk varies among organizations, and accordingly each organization has its own risk appetite reflecting its internal and external context. For instance, a software development company may have a strong culture of continuous improvement to drive innovation in its products and accept more risk to achieve customer growth. However, the same firm may have little appetite for reputational risk, given the potential customer and monetary losses.

What is Risk Tolerance?
ISACA’s Risk IT Framework, 2nd Edition, defines risk tolerance as “the acceptable deviation from the level set by the risk appetite and business objectives.” Typically, risk tolerance is communicated in quantitative terms such as:

  • Standards require projects to be completed within the estimated budget and schedule, but overruns of 10 percent of budget or 20 percent of time are tolerated.
  • Service levels for system uptime require 99.5 percent availability, measured monthly; however, isolated months at 99.4 percent will be tolerated.

Conceptually, risk tolerance sets the boundaries of risk taking that the organization will not go beyond in pursuit of its long-term objectives. To support boundary setting, measures such as key risk indicators are used to align with risk tolerance limits, ensuring that the organization remains within its risk appetite and on track to achieve its objectives. 

Risk Appetite vs. Risk Tolerance
Risk appetite and risk tolerance can be viewed as “two sides of the same coin” as they relate to organizational performance over time. Risk appetite is about “taking risk” and risk tolerance is about “controlling risk.” For risk appetite to be adopted successfully in decision making, it must be integrated with the control environment of the organization through risk tolerance, as the following quote notes:

The risk appetite statement is generally considered the hardest part of any Enterprise Risk Management implementation. However, without clearly defined, measurable tolerances, the whole risk cycle and any risk framework is arguably at a halt. - Institute of Risk Management

Comparing a risk appetite statement with a risk tolerance statement makes the distinction concrete. The following chart illustrates the differences between a risk appetite statement and a risk tolerance statement for a healthcare provider:

Differences Between Risk Appetite and Risk Tolerance Statements

Risk Appetite Example
“We place patient safety as our top priority. We also recognize the need to balance the level of immediate response to all patient needs with the cost of providing such service.”
Difference: Strategic, Aggregate, Qualitative
This demonstrates a strategic philosophy for the organization about risk taking: low appetite for risk that might impact patient safety, balanced with a higher appetite for risk related to responsiveness of patient care and customer service.

Risk Tolerance Example
“We plan our staffing to treat all patients within 5 minutes of their appointment time, and emergency walk-in patients within 15 minutes. However, management accepts that in rare situations (5% of the time) patients in need of non-life-threatening attention may not receive that attention for up to 4 hours.”
Difference: Tactical, Specific, Quantitative
This demonstrates the amount of variation permitted in the parameters used to measure performance and to assess fit within risk tolerance limits for a specific business process. The risk tolerance is expressed in quantifiable terms.

As noted in the chart, the key differences between these two terms involve the operating perspective (e.g., strategic or tactical), focus area (e.g., specific or aggregate risk), and how it is expressed (e.g., qualitative or quantitative).
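Both quantitative tolerance statements on this page (the 99.5/99.4 percent monthly availability example and the healthcare 5-minute/5%/4-hour example) share one shape: a target the appetite calls for, a hard limit beyond which deviation is not tolerated, and a permitted frequency of deviation between the two. The following is an added example, not code from the article or from ISACA, of how a key risk indicator series can be classified against such a tolerance. The `Tolerance` and `evaluate` names, the sample observations, and the one-month-in-twelve reading of “isolated cases” are assumptions introduced here for illustration.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Tolerance:
    """One quantified risk tolerance: the target the risk appetite calls for,
    the worst deviation tolerated, and how often that deviation may occur."""
    name: str
    target: float               # performance level the appetite expects
    limit: float                # worst tolerated value (hard boundary)
    max_excursion_share: float  # fraction of observations allowed between target and limit
    higher_is_better: bool = True

    def meets_target(self, value: float) -> bool:
        return value >= self.target if self.higher_is_better else value <= self.target

    def within_limit(self, value: float) -> bool:
        return value >= self.limit if self.higher_is_better else value <= self.limit


def evaluate(observations: Sequence[float], tol: Tolerance) -> dict:
    """Classify a series of KRI observations against a tolerance.

    status is one of:
      "within_appetite"  - every observation met the target;
      "within_tolerance" - some observations deviated, but stayed inside the
                           limit and did not exceed the permitted share;
      "breach"           - a value crossed the limit, or deviations became too frequent.
    """
    if not observations:
        raise ValueError("no observations to evaluate")
    excursions = 0  # missed the target but stayed inside the tolerated limit
    breaches = 0    # crossed the limit outright
    for value in observations:
        if tol.meets_target(value):
            continue
        if tol.within_limit(value):
            excursions += 1
        else:
            breaches += 1
    share = excursions / len(observations)
    if breaches or share > tol.max_excursion_share:
        status = "breach"
    elif excursions:
        status = "within_tolerance"
    else:
        status = "within_appetite"
    return {"kri": tol.name, "status": status, "excursions": excursions,
            "breaches": breaches, "excursion_share": round(share, 4)}


# Uptime tolerance from the text: 99.5% target per month, isolated months at 99.4% tolerated.
# The text does not quantify "isolated"; one month in twelve is an assumed value.
UPTIME = Tolerance("monthly_availability_pct", target=99.5, limit=99.4,
                   max_excursion_share=1 / 12, higher_is_better=True)

# Healthcare tolerance from the chart: 5-minute target, up to 4 hours (240 minutes)
# accepted for 5% of non-life-threatening patients.
WAIT_TIME = Tolerance("patient_wait_minutes", target=5, limit=240,
                      max_excursion_share=0.05, higher_is_better=False)

# Constructed sample observations (not data from the article).
UPTIME_MONTHS = [99.7, 99.5, 99.4, 99.9, 99.6, 99.8, 99.5, 99.7, 99.6, 99.5, 99.8, 99.7]
UPTIME_MONTHS_BAD = UPTIME_MONTHS[:-1] + [99.3]           # one month below the 99.4 floor
WAIT_TIMES = [3, 4, 2, 5, 1, 4, 3, 5, 2, 4, 3, 4, 5, 2, 1, 3, 4, 5, 2, 90,
              3, 4, 2, 1, 5, 4, 3, 2, 4, 3, 5, 1, 2, 4, 3, 5, 2, 4, 3, 1]
WAIT_TIMES_BAD = WAIT_TIMES[:-1] + [300]                  # one patient waited beyond 4 hours

if __name__ == "__main__":
    for series, tol in [(UPTIME_MONTHS, UPTIME), (UPTIME_MONTHS_BAD, UPTIME),
                        (WAIT_TIMES, WAIT_TIME), (WAIT_TIMES_BAD, WAIT_TIME)]:
        print(evaluate(series, tol))
```

The three-way result is the point: “within_appetite” and “within_tolerance” are both acceptable outcomes for the board, but only a “breach” should trigger escalation, and the frequency cap is what keeps a tolerated deviation from quietly becoming the norm.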

Need for an Organization-wide Risk Taxonomy
Effective enterprise risk management requires all employees to understand, communicate and apply risk terminology consistently. An organization-wide risk taxonomy establishes a strong foundation for a standardized approach to risk management, allowing clearer comparisons of risk types and levels across the organization and providing meaningful input into risk-based decision making. It also strengthens the board’s ability to understand the top risks affecting objectives and to define a risk appetite aligned with stakeholders’ risk attitude. That appetite is then translated for management into what is acceptable and unacceptable risk, and measured through risk tolerance to support achievement of strategic objectives.

Editor’s note: For additional risk-related resources from ISACA, including a new Risk Scenarios Toolkit, visit our IT Risk webpage.