Two terms that often confuse public sector leaders are “risk appetite” and “risk tolerance”. The level of acceptance and support for Enterprise Risk Management (ERM) programs often depends on executive understanding of these commonly used ERM terms. Unfortunately, risk appetite and risk tolerance are frequently used interchangeably although they have different meanings. Adding to the confusion are the different definitions used by risk management professionals depending on the ERM framework referenced. Although the two most common ERM frameworks (ISO 31000 and COSO) define these terms differently, the definitions contain common elements.
International Standards Organization (ISO) 31000
Risk Appetite: An organization’s approach to assess, and eventually pursue, retain, take, or turn away from risk.
Risk Tolerance: An organization’s or stakeholder’s readiness to bear the risk after treatment in order to achieve its objectives.
Committee of Sponsoring Organizations (COSO)
Risk Appetite: The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.
Risk Tolerance: The acceptable level of variation relative to achievement of a specific objective, and often best measured in the same units as those used to measure the related objective.
Risk appetite is a strategically focused, high-level expression of the amount of uncertainty an organization is willing to accept with respect to expected outcomes for one or more goals or objectives. Established by the Board of Directors or executive leadership of the organization, risk appetite sets the organization’s attitude towards taking risk. Organizations use one or more statements covering all key business areas. Appetite statements are written expressions of this corporate attitude, expressed in qualitative or quantitative terms, or both. In the public sector, risk averse, risk neutral, and risk seeking are common qualitative expressions of risk appetite. Qualitative risk appetite statements are generally linked to financial and operational performance measures and reflect the overall level of acceptable variation at the corporate or business unit level.
Risk tolerance can be thought of as the lanes of the road on which the organization travels. These boundaries set the acceptable minimum and maximum levels of variation for the organization, business unit, specific risk category, or individual initiative. Risk tolerance limits are operationally oriented and expressed quantitatively by the board or executive leadership. Risk tolerance boundaries provide decision makers with essential information on the level of risk the organization considers bearable. Operating beyond established tolerance limits jeopardizes the organization’s strategy or its goals and objectives, and can threaten the entire organization.