
Maclear eGRC Suite
Risk Management Software
About Maclear eGRC Suite
Put simply, risk appetite is a high-level, general statement that broadly sets out the risk an organization accepts while pursuing business objectives, before any action is taken to reduce that risk.
Risk appetite depends on many factors, such as industry, culture, competitors, the nature of the objectives being pursued (how aggressive they are) and the financial strength and capabilities of the organization (better-resourced businesses may be more inclined to accept risks and the associated costs).
Furthermore, risk appetite is not static; it changes over time.
Best practice dictates that risks should be assessed against risk criteria periodically or continuously (once or twice annually, or daily in specific risk scenarios), subject to the circumstances, available resources, skills, technologies and systems.
An enterprise-wide risk appetite statement is a powerful tool that gives your risk or compliance program direction.
However, like any policy, a risk appetite without associated action is nothing more than an idea.
There are not many definitions of risk tolerance; however, according to COSO’s “Strengthening Enterprise Risk Management for Strategic Advantage”, risk tolerance “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve”.
Risk tolerance is the specific maximum risk that a company is willing to take for a given type of risk.
Risk tolerance defines the limits within which the organization operates, given its overall risk appetite.
Consideration must be given to various risks, including legal, operational, financial, third-party, information security, compliance, credit and reputational risk, and acceptable parameters must be set for each.
Risk tolerance can be expressed through different metrics, reflecting the unique nature of each risk.
Several metrics, such as KPI limits, acceptable loss, credit ratings, probabilities, qualitative measures or balance sheet ratios, can help measure, communicate and guide daily decision making.
A higher risk tolerance indicates that a business is willing to take on more risk, whereas a low risk tolerance indicates that it isn’t willing to accept many risks.
Several factors affect an organization’s risk tolerance; for example, a company may be willing to take more risks on a critical project but not on a project that is less important.
When a business operates outside its risk tolerance bounds, it can put its risk management strategy, its goals and objectives, or both at risk, and possibly even jeopardize the whole company.
According to the FAIR Institute, a non-profit organization that aims to advance the discipline of measuring and managing information risk, the highway speed analogy described in the next paragraph helps differentiate between risk appetite and risk tolerance.
The department of transportation or other highway authority sets a speed limit, which can be considered the risk appetite: it indicates the authority’s belief regarding an appropriate balance between traffic flow, highway and environmental wear and tear, and public safety (among other things).
Highway users drive at varying speeds, higher or lower than the limit, rather than at exactly the speed limit.
Risk tolerance is the point at which traffic enforcement actually starts ticketing violators.
Provided weather and other conditions are normal, traffic authorities rarely enforce the speed exactly at the limit.
Therefore, risk appetite is akin to a line drawn in the sand that helps set expectations, while risk tolerance is analogous to the variance from that appetite that drives day-to-day decisions to operate differently in some fashion.
Risk appetite and risk tolerance combine to define a company’s risk posture.
Risk posture is an organization’s overarching approach to risk management and a measure of how embedded risk management is in its culture, strategy and corporate governance.
Companies with a strong risk posture are better able to take meaningful risks within the bounds of their strategic and operating objectives.
A strong risk posture is driven from the top down, requiring senior executive focus and board support to ensure accurate risk reporting, proactive management and a consistent approach.
This effort must be underpinned by an independent risk function, the use of a risk management platform to identify, analyze and measure risk, and a determined, risk-based approach to decision making.
Residual risk is defined as the threat a risk poses after taking into account the mitigation activities currently in place to address it; it is an important metric for gauging overall risk appetite.
The aim of risk management, and especially of enterprise risk management, is to communicate to the leadership and all stakeholders within the organization the information necessary to make informed business decisions based on an executive-approved risk appetite statement.
A company-wide risk appetite statement can be used to give direction to the company’s risk or compliance program.
A risk appetite framework guides decision-makers to be cognizant of risk and to acknowledge the risk exposure implied by their chosen course of action or strategy.
For a risk appetite framework to be effective, an organization must implement an agreed risk measurement and risk scoring methodology, as well as a common risk taxonomy that is consistently understood and applied throughout the organization.
For example, a company may choose to appoint third-party vendors for specific services, accepting some level of third-party risk in exchange for the expertise, value and flexibility a third party brings.
In this example, the organization is consciously deciding to take a level of risk that is within its specified tolerance, in harmony with its strategic and organizational objectives and, when all categories of risk are aggregated, in line with its risk appetite.
A well-articulated integrated risk framework helps businesses proactively decide how much risk to take while adhering to the overall business and operating strategy.
The acceptable level of trade-off is captured through an integrated risk management framework with a well-defined risk calculation and aggregation methodology, adherence to agreed risk tolerances, and a dynamic risk reporting solution.
Organizations with a strong risk posture tend to integrate risk management into their strategic positioning and daily activities, embedding informed risk-taking as part of their culture.
Developing a risk appetite, making it relevant on a day-to-day basis and enforcing it is a challenge.
In order to link risk appetite to business decisions, it is paramount to collect the pertinent metrics to measure it.
Being aware of residual risk and operating within a risk tolerance provides executives with greater assurance that the organization remains within its risk appetite, thus ensuring a higher level of comfort that the business will achieve its strategic objectives.
Best-practice risk appetite and risk tolerance definitions ensure that risk tolerances are specific to an organization’s individual goals and have actionable parameters.
In Maclear’s integrated risk management solution, every risk pillar is given a risk tolerance, that is, a range acceptable to the organization.
This range can be measured by monitoring the residual risk.
The risk management oversight committee is tasked by the board of directors with setting a risk tolerance range, with minimum and maximum levels of residual risk.
Business process owners in turn are tasked with monitoring and adjusting mitigation activities, procedures or controls to keep the residual risk within the identified risk tolerance.
Setting enterprise risk tolerances is an iterative calibration exercise: you need to collect several risk assessments for areas known to have high and low risk, always comparing residual risk with acceptable levels.
Standardized risk assessment templates and intuitive dashboards enable risk managers to collect the pertinent information to implement an appropriate risk appetite and risk tolerance at both the individual business process and the enterprise level.
In conclusion, risk appetite is the general level of risk a business accepts while pursuing its objectives, before it decides to take any action to reduce that risk.
Risk tolerance, on the other hand, is the acceptable level of variation around those objectives.
If your organization is interested in Maclear’s Integrated Risk Management solution, we invite you to explore the Maclear GRC Suite™ by visiting https://www.maclearglobal.com.
Our comprehensive range of solutions is designed using best practices, with built-in integration to reduce risk, improve performance and enable strategic decision-making.
To learn more, request a demo, discuss a free trial proof of value or simply start a conversation, drop an email to contact@maclear-grc.com.
