Risk appetite vs. risk tolerance: These two terms are often confused and even used interchangeably. While they both provide guidance for deciding how much risk to take on, risk appetite and risk tolerance are separate concepts that both play an important role in finding the balance between taking risk and controlling it. Knowing the distinction, how they interact, and how to put them to work can make sure you are taking the right amount of risk to accomplish your strategic goals.
Think of risk appetite vs. risk tolerance as two sides of the same coin. Enterprise risk management expert and frequent Risk@Work webinar guest Rob Quail defines the terms this way:
- Risk appetite is the amount of risk an organization is willing to take to achieve its objectives. Risk appetite is applied broadly and strategically.
- Risk tolerance is the specific level of risk an organization deems acceptable within various categories of risk. Risk tolerance is applied operationally and tactically.
What Is Risk Appetite?
Risk appetite is the amount of volatility or uncertainty acceptable to achieve goals. It is typically set by the board of directors and senior management team as part of the strategic planning process, often in a dedicated risk workshop.
Risk appetite is a function of circumstances and is usually expressed in relative terms, such as:
- Extremely high. You are willing to accept a significant amount of uncertainty or volatility in exchange for greater rewards like significant growth in market share or profit.
- High. You are willing to accept strongly justified risks in exchange for growth.
- Moderate. You are willing to accept only as much risk as necessary to achieve goals.
- Low. You will reluctantly accept only those risks that are essential for maintaining a healthy business.
- Extremely low. You are unwilling to take on risks, even if the result is slower growth or lower profits.
While risk is often considered a negative to be avoided, you can’t avoid all risk. Some risk is necessary to grow. Your risk appetite will depend on the maturity of your business, stage of growth, stakeholder expectations, industry considerations, branding factors, and more. A private equity tech start-up, for instance, likely will have a higher risk appetite to help it grow quickly than a public utility that needs to pay regular dividends to its shareholders.
The critical point is to decide on the level of risk you’re comfortable with within the context of your business strategy. As Quail says, “If you don’t understand the relationship of risk and uncertainty in your strategy, then you really don’t understand your strategy.”
What Is Risk Tolerance?
Risk tolerance sets minimum and maximum limits for each risk category, business unit, or initiative. Unlike risk appetite, risk tolerance is described in quantitative terms. Clearly defined measures such as key risk indicators, revenue, and credit ratings can be used to gauge whether you are staying within your risk tolerance limits. If you cross the threshold, you must act. These metrics can help guide everyday decisions and alert you when you’re in danger of exceeding your limits.
A publicly traded company that wants to provide steady returns to its shareholders, for example, might set its risk tolerance level at no more than two consecutive quarters with negative earnings. Anything beyond that limit would trigger a review of activities to move performance back into positive territory.
Similarly, a company that prioritizes customer service might be able to tolerate, say, a maximum of two hours of system downtime without significantly impacting service or revenue. Longer outages would trigger a backup plan.
How Risk Appetite and Risk Tolerance Work Together
Risk appetite and risk tolerance work together to provide a framework to ensure you are taking on risk in a way that’s consistent with your strategic objectives, at a level that’s within your established tolerance, and when aggregated, within your overall risk appetite.
For example, a service business that prioritizes customer retention might express its risk appetite and tolerance as:
- Risk appetite: We value our customers and will strive to respond quickly with excellent service.
- Risk tolerance: We will prioritize servicing key long-term customers and can tolerate a maximum churn rate of 10% among this group. Above this level, we will divert service resources from new customers to better serve key customers.
An investment firm seeking high returns for its clients might express its risk appetite and tolerance as:
- Risk appetite: We seek to maximize returns with an aggressive strategy fueled by higher-risk opportunities.
- Risk tolerance: We will allow drawdowns (decline from peak to lower value) of 30% to accommodate the increased risk exposure.
Note that risk tolerance is not just about exceeding the maximum. These metrics also can show you where you are taking less risk than necessary to achieve your objectives.
Perhaps the most important part of the risk appetite vs. risk tolerance discussion is the conversation itself. Consider a midsized construction firm where safety is the absolute priority over all else. According to Quail, after operating in this strict framework, the company wasn’t happy with its results. Discussion ensued, and the group concluded that it had to accept more risk to encourage innovation in new safety programs. This did not mean that employee injuries were now acceptable. The change simply acknowledged that taking on some risk – like unknown outcomes of a new safety process – is the only way to innovate and improve.
The best discussions are the tough ones that yield new understanding. A risk appetite vs. risk tolerance conversation can uncover a new perspective of strategies, of what risks might be acceptable and when, and the relationship between risk taking and value building.
For more information on enterprise risk management, download our ebook, Charting a Course for Enterprise Risk Management, and check out Riskonnect’s ERM software.
