
Risk appetite and risk tolerance are often used interchangeably, but they serve different, and complementary, purposes in effective risk management. Understanding both is important before using them as part of a risk assessment in the Cydea Risk Platform.
Let’s start with an analogy: think of risk like driving.
Some people enjoy driving fast; they’re comfortable with a bit of speed. Others prefer to stay safely within the limits. That’s risk appetite: your overall attitude towards risk. It’s shaped by who you are and the environment you operate in. In an organisational context, it reflects how much risk your company is willing to take in pursuit of its strategic goals.
Now consider risk tolerance. Even the speed enthusiast slows down near schools or in bad weather. That’s tolerance: the specific, situational boundaries that define what’s acceptable and what’s not. You might be happy cruising at 75 in a 70 zone, but you’ll stick to 20 in a school zone. Tolerance applies your general appetite to real-world situations with more precision.
Risk Appetite: Strategic and Broad
Risk Appetite is a broad level of risk an organisation is willing to accept in pursuit of its strategic objectives. It is defined by factors such as:
- The industry your organisation operates in
- Regulatory factors
- The competitive landscape
Because it is strategic in nature, it’s typically set by a board or a senior leadership team in an organisation to set general boundaries to operate within when taking risks.
It is most often expressed qualitatively, in statements such as ‘risk averse’ or ‘risk-seeking’. That is useful for setting an organisational view of risk, but as a qualitative statement it does little more than that.
When expressed in quantitative terms it takes on more shape, capturing a total maximum acceptable financial loss, typically as an annual figure.
Risk Tolerance: Tactical and Measurable
Risk Tolerance is a specific and measurable level of risk that an organisation is willing to accept for particular risk categories. It takes the risk appetite to the next level, setting more granular thresholds for operational decisions about risk. It is most usefully expressed quantitatively (in pounds and pence), which fits the way we do quantitative risk management at Cydea!
Risk tolerance varies with the size of the possible loss. Ask a CFO how they feel about losing £10k in a year and you will get a very different answer from the one for losing £100k in a year. It is therefore important to capture this range of tolerable losses rather than a single figure.

Bringing It All Together
This is how we use risk tolerance in the Cydea Risk Platform: capturing tolerance across a range of possible losses rather than as a single threshold. This enables a much more nuanced discussion about managing risk and allows more tailored controls to be applied. An example is cyber risk insurance, applied to manage the potentially costly impact of a large-scale ransomware attack that has gone well beyond infecting a couple of corporate laptops.
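As an added worked example (not the Cydea Risk Platform’s own code), the Python below shows one way to make the range of tolerable losses described in the Risk Tolerance section, and the insurance control mentioned above, concrete: tolerance is written as a curve of loss thresholds with a maximum acceptable annual probability of exceeding each, annual losses are simulated from two constructed scenarios, the simulated exceedance probabilities are checked against that curve and against a single appetite cap, and the check is repeated with a simplified cyber insurance policy applied. The two scenarios and their parameters, the Poisson frequency and lognormal loss model, the tolerance points, the appetite cap and the insurance terms (an excess and a limit) are all assumptions made for illustration, not figures from the page.

```python
"""Risk tolerance as a curve of acceptable loss-exceedance probabilities.

Added worked example, not Cydea Risk Platform code. Every number below is
constructed for illustration: the scenarios, the tolerance curve, the
appetite cap and the insurance terms are all assumptions.
"""
import math
import random

# Constructed scenarios: (name, expected events per year, median loss in GBP,
# log-scale spread). Poisson event frequency with a lognormal loss per event
# is a common quantitative cyber risk convention; it is an assumption here.
SCENARIOS = [
    ("Malware on a couple of laptops", 4.0, 5_000, 0.6),
    ("Large-scale ransomware", 0.1, 600_000, 0.8),
]

# Constructed tolerance curve: (loss in GBP, maximum acceptable probability per
# year of losing MORE than that amount). Small losses are routine; large ones
# must be rare.
TOLERANCE = [
    (50_000, 0.25),
    (250_000, 0.15),
    (1_000_000, 0.01),
]

APPETITE_GBP = 2_000_000  # constructed appetite: annual cap on total loss


def sample_poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Monte Carlo: total loss per simulated year across all scenarios."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for _, rate, median, sigma in scenarios:
            for _ in range(sample_poisson(rng, rate)):
                total += rng.lognormvariate(math.log(median), sigma)
        losses.append(total)
    return losses


def exceedance_probability(losses, threshold):
    """Fraction of simulated years in which the loss exceeded the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def check_tolerance(losses, tolerance):
    """Return (threshold, max_prob, observed_prob, within_tolerance) per point."""
    results = []
    for threshold, max_prob in tolerance:
        observed = exceedance_probability(losses, threshold)
        results.append((threshold, max_prob, observed, observed <= max_prob))
    return results


def check_appetite(losses, cap):
    """Probability that a year's total loss blows through the appetite cap."""
    return exceedance_probability(losses, cap)


def apply_insurance(losses, excess, limit):
    """Constructed annual-aggregate cyber policy: the organisation pays the
    excess, the insurer pays losses above it up to the limit, and anything
    beyond the limit is retained. Returns the retained annual losses."""
    retained = []
    for x in losses:
        insured = 0.0 if x <= excess else min(x - excess, limit)
        retained.append(x - insured)
    return retained


if __name__ == "__main__":
    gross = simulate_annual_losses(SCENARIOS)
    with_cover = apply_insurance(gross, excess=25_000, limit=2_000_000)
    for label, losses in (("gross", gross), ("with insurance", with_cover)):
        print(f"{label}: P(loss > appetite £{APPETITE_GBP:,}) = "
              f"{check_appetite(losses, APPETITE_GBP):.4f}")
        for threshold, max_prob, observed, ok in check_tolerance(losses, TOLERANCE):
            print(f"  > £{threshold:>9,}: observed {observed:.3f} vs tolerance "
                  f"{max_prob:.2f} -> {'within' if ok else 'BREACHED'}")
```

With these constructed inputs the gross position sits within tolerance at £50k and £250k but breaches it at £1M, which is exactly the band where a large-scale ransomware event dominates; applying the assumed policy brings the £1M point back within tolerance while leaving the routine small losses untouched. The same structure works for any number of scenarios or tolerance points; what matters is that the discussion happens per loss band rather than against one number.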
In summary, risk appetite is an important aspect of risk management and can often help get the ball rolling when it comes to talking about risk management within a business, particularly at board level, but it is the definition of risk tolerance that will truly operationalise risk management and support better decision making.
Cydea is here to help. We begin by understanding what’s important to your organisation and building out bespoke cyber risk programmes from these principles. If you’d prefer to get started yourself, you can check out our Risk Platform to elevate your security programme.
Photo by Jakub Żerdzicki on Unsplash