Risk appetite vs Risk Tolerance
These are probably two of the most confusing and misunderstood terms in risk management and are often used interchangeably.
The everyday sense of the word appetite carries over well to risk. Risk appetite is the propensity of an organisation to undertake activities that may cause harm or disruption (ie. risks). The level of appetite an organisation can sustain is tied to the effectiveness of the controls it has in place to prevent or reduce that harm or disruption.
For example, the military necessarily has a high risk appetite because of the danger inherent in its operational and training activities. Nevertheless, it invests heavily in planning, training and preparation to reduce the harm or disruption those activities may cause.
On the other hand, a child-care operator may have a low risk appetite, as its primary duty of care includes the protection and safety of the children in its care. Child-care operators are required under strict laws to review their risk management plans to ensure their workers, grounds, sanitation, food and so on do not place children at unacceptable risk.
Importantly, risk appetite is written into the risk matrix. Many organisations do not realise their risk matrix is “skewed”, and this can have a significant impact on their overall risk management outcomes.
To get a better understanding of what skewed matrices may look like, compare the three risk matrices below.
High Risk Appetite
This skewed matrix reflects a high risk appetite because 18 of the 25 rating possibilities are Very Low, Low or Medium. As a result, many risks can be accepted without requiring higher authority approval. As a general rule, the more “green” in the matrix, the higher the risk appetite.
Balanced Risk Appetite
This matrix is an example of a more balanced, moderate risk appetite: the 25 rating possibilities are spread relatively evenly across the rating bands.
Low Risk Appetite
This skewed matrix represents a low risk appetite, as 18 of the 25 rating possibilities are Very High, High or Medium. Many risks would require higher authority approval because the same likelihood and consequence produce an inherently higher rating. The structure of the matrix also creates pressure not to engage in activities at all, since they stand a higher chance of being rated High or Very High. As a general rule, the more “red” in the matrix, the lower the risk appetite.
It is important for organisations to understand the risk appetite they have written into their matrix. If you change your risk matrix to reflect a change in risk appetite, you should concurrently reassess all of your open risks against the new matrix. Otherwise your previous risk assessments become invalid: a risk that was accepted as Medium under the old matrix may now fall in a cell rated High and require an approval it never received.
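The point about skew and reassessment is easy to check mechanically. The following is an added example, not code from the article or from Pentaguard: it models three constructed 5x5 matrices (rows are likelihood 1 to 5, columns are consequence 1 to 5), counts how many cells sit in each band, rates a small constructed risk register against each matrix, and lists which ratings change when the organisation swaps one matrix for another. The rule that High and Very High ratings need higher authority approval is an assumption made for the example.

```python
"""Model of how a 5x5 risk matrix encodes risk appetite.

Added example. The matrices, the risk register and the escalation rule
are constructed for illustration and are not taken from the article.
"""
from collections import Counter

# Rating bands, ordered from least to most severe.
VL, L, M, H, VH = "Very Low", "Low", "Medium", "High", "Very High"

# Assumption: a rating of High or Very High needs higher authority approval.
ESCALATE = {H, VH}

# Rows: likelihood 1 (rare) .. 5 (almost certain).
# Columns: consequence 1 (insignificant) .. 5 (catastrophic).
# Constructed so that 18 of 25 cells are Medium or below ("mostly green").
HIGH_APPETITE = [
    [VL, VL, L,  L,  M],
    [VL, L,  L,  M,  M],
    [L,  L,  M,  H,  H],
    [L,  M,  M,  H,  VH],
    [M,  M,  H,  VH, VH],
]

# Constructed so that each band holds exactly 5 of the 25 cells.
BALANCED = [
    [VL, VL, VL, L,  L],
    [VL, L,  L,  M,  M],
    [VL, L,  M,  M,  H],
    [M,  H,  H,  VH, VH],
    [H,  H,  VH, VH, VH],
]

# Constructed so that 18 of 25 cells are Medium or above ("mostly red").
LOW_APPETITE = [
    [VL, VL, L,  M,  M],
    [VL, L,  M,  H,  H],
    [L,  M,  H,  H,  VH],
    [L,  H,  H,  VH, VH],
    [M,  H,  VH, VH, VH],
]

# Constructed register: risk name -> (likelihood, consequence).
REGISTER = {
    "Phishing leads to credential theft":      (4, 3),
    "Ransomware encrypts file servers":        (3, 5),
    "Laptop lost in transit":                  (4, 2),
    "Key vendor outage":                       (2, 3),
    "Insider exfiltrates customer data":       (2, 5),
    "Storage bucket exposed by misconfig":     (3, 4),
}


def rate(matrix, likelihood, consequence):
    """Look up the rating for a likelihood/consequence pair (both 1..5)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    return matrix[likelihood - 1][consequence - 1]


def band_counts(matrix):
    """Number of cells in each band; the matrix's built-in appetite."""
    return Counter(cell for row in matrix for cell in row)


def green_share(matrix):
    """Cells rated Medium or below; more green means higher appetite."""
    counts = band_counts(matrix)
    return counts[VL] + counts[L] + counts[M]


def red_share(matrix):
    """Cells rated Medium or above; more red means lower appetite."""
    counts = band_counts(matrix)
    return counts[M] + counts[H] + counts[VH]


def assess(matrix, register):
    """Rate every risk in the register against the given matrix."""
    return {name: rate(matrix, lk, cq) for name, (lk, cq) in register.items()}


def needs_escalation(matrix, register):
    """Risks whose rating requires higher authority approval."""
    return sorted(n for n, r in assess(matrix, register).items() if r in ESCALATE)


def reassess(register, old_matrix, new_matrix):
    """Risks whose rating changes when the matrix changes: (old, new)."""
    before, after = assess(old_matrix, register), assess(new_matrix, register)
    return {n: (before[n], after[n]) for n in register if before[n] != after[n]}


if __name__ == "__main__":
    for label, mtx in (("high", HIGH_APPETITE), ("balanced", BALANCED), ("low", LOW_APPETITE)):
        print(f"{label:>8}: green={green_share(mtx):2d} red={red_share(mtx):2d} "
              f"escalate={len(needs_escalation(mtx, REGISTER))} of {len(REGISTER)}")
    for name, (old, new) in reassess(REGISTER, HIGH_APPETITE, LOW_APPETITE).items():
        print(f"  {name}: {old} -> {new}")
```

Running it shows the same six risks producing two, three and five escalations under the high, balanced and low appetite matrices respectively, and five of the six ratings changing when the high appetite matrix is replaced by the low appetite one. Whatever colours a real matrix uses, `band_counts` is the quickest way to see the appetite an organisation has actually written into it.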
Interestingly, a high risk appetite does not necessarily imply a high risk tolerance.
Risk tolerance is the level of loss or disruption an organisation is willing to accept when undertaking an activity that may disrupt its objectives (ie. a risk). The level of risk tolerance should therefore be:
- Based on a clear statement of the consequence of a risk event occurring
- Related to assets, grouped by the organisation's risk categories
- Expressed in specific parameters of loss, ranging from ‘not much’ (insignificant) through to ‘a lot’ (catastrophic)
Risk tolerance statements should be carefully crafted so that they accurately reflect the disruption to, or loss of, important assets. Assets are important because they are either mission critical or directly enable the achievement of objectives.
Because risk tolerance statements inform the rating of a risk event's outcome, they influence whether the organisation should accept that risk and undertake the activity; the final decision to accept or reject the risk should rest on the final risk rating. It is therefore important that the risk rating is accurate and that as many factors as practicable have been considered in determining it.
Have a look at these example risk tolerance statements, and note how important it is to get the risk categories right, because they define which assets are being considered.
In practice, developing risk tolerance statements is more complex, because risk tolerance is also related to opportunity. The assessed risk may sit “outside” your agreed or approved organisational tolerance, yet the opportunity gained by accepting it and “moving on” may, in some instances, outweigh the assessed disruption or loss; the decision may then be to accept the risk and proceed. It also means that strategic risk tolerance statements may need to be revised to fit the context of more operational and tactical risk management frameworks, otherwise the risk ratings may become invalid.
Ideally, you should factor in the opportunity associated with each risk, as well as the organisational exposure that may arise from it.
Pentaguard gives you a multi-dimensional approach to threat, hazard and risk assessments ensuring greater visibility of assessments and better security decisions.