By Jared Ezzell
While every business is exposed to a certain level of risk every day, the important thing is how an organization monitors, mitigates, and manages that risk in service of its goals and strategic objectives.
For instance, it wouldn’t make any sense for a company to take on too much risk when the reward would not justify it. Understanding your company’s risk appetite vs. risk tolerance is the first step to setting boundaries (risk controls framework) when it comes to taking on unnecessary risk and creating an effective risk management strategy.
In this article, we’ll explain risk appetite vs. risk tolerance, and we’ll walk you through how to use each to make day-to-day decisions.
Risk Appetite vs. Risk Tolerance: Unpacking the Differences
Risk appetite is the amount of risk you are willing to take on to reach your business goals, whereas risk tolerance is the level of risk that a company can tolerate in order to achieve a specific business objective. Risk tolerance is the limit of risk that can be reached without pushing beyond your risk capacity.
Enterprise risk management (ERM) is the process of finding and analyzing risk exposure, such as financial, fraud, operational, technological, or strategic risks, both internally and externally. It helps to manage and monitor risk. Part of a company’s enterprise risk management strategy is weighing risk appetite vs. risk tolerance while considering the rewards and consequences of each potential risk exposure.
A company’s risk appetite and risk tolerance will likely change as the business grows, reaches new boundaries, and changes priorities.
Risk appetite is the overall risk a company is willing to take. Its framework offers guidance for deciding which suppliers to work with. Knowing the level of risk appetite helps to reduce uncertainty, focus on objectives, and support important decisions.
While risk appetite is a high-level approach that looks at the risk for broader business goals, risk tolerance focuses on the acceptable risk for specific business decisions. Risk tolerance is more about the practical steps to take in mitigating risk.
A good example of the difference between risk appetite vs. risk tolerance is a company saying that its overall risk appetite is very low when considering the risk of injury to employees. The risk tolerance statement details that employees should therefore only be allowed to take part in high-risk physical activities for two hours per week once this has been approved by their direct manager.
When deciding how to put risk tolerance into practice, companies may look at quantitative data or other information to help them decide what the best course of action is. In this example, the risk team may have assessed data to discover that taking part in high-risk physical activities for two hours per week is in line with the company’s risk appetite.
Another example could be that an organization’s risk appetite is at a medium level when it comes to forming relationships with suppliers from high-risk jurisdictions. Therefore, the organization’s risk tolerance statement explains that the organization can do business with high-risk suppliers if they operate in certain countries, but regular risk assessments must be completed to monitor the ongoing risk to the company.
Using Risk Appetite vs. Risk Tolerance in Your Business
Your decision-making in every area of the business should be guided by the amount and type of risk you are willing to take. Let’s talk about how to use risk appetite and risk tolerance in your business.
Step 1: Figure Out Your Risk Boundaries
The whole point of risk appetite and risk tolerance is to identify the level of risk you’re willing to take on as you make strategic decisions, including forming your long-term business objectives and deciding which suppliers to work with.
This also depends on your overall risk attitude. For instance, if you’re a new business with limited investment funds, taking on a lot of financial risk may not be an option. Therefore, when assessing the risk of working with suppliers, you may want to ensure they don’t operate in politically unstable countries to reduce your risk.
Once you know the level of risk you can take on, you can put together a risk appetite framework.
Step 2: Set up a Risk Management Framework
A risk management framework details different metrics or levels of risk from low-risk to high and explains what each involves. You should outline what each section of the framework means. For instance, minimal risk may mean there is some risk involved, but it can be managed easily and does not reasonably pose a current or future threat to the business.
When you have a framework that works for you, you can begin to form risk appetite and tolerance statements.
Step 3: Make Risk Appetite and Risk Tolerance Statements
Risk statements define the level of risk you are willing to take on for each area of the business. You can create statements that outline the maximum risk level you can accept.
Outlining your risk appetite may involve separating your risk categories into areas such as financial risks, systematic risks, or procedural risks. You can then form risk appetite statements that detail acceptable behavior and outcomes, with certain defined risk levels for each category.
For example, you may decide that your business has a low appetite for supplier risk as risk exposure may affect manufacturing or efficiency in the supply chain and any additional controls will have a negative impact on the company.
Once you have identified the levels of risk within each risk category, it may be necessary to audit your risk appetite later down the line, perhaps in 3-6 months, to make sure it’s still relevant.
Let’s take a look at an example of risk appetite and tolerance statements for potential risk to a business’s reputation, where the business has a low appetite for risk:
- Risk category: Business reputation
- Risk level: Low appetite
- Risk appetite statement: There is very limited risk appetite for engaging in supplier relationships or business operations that risk reputational damage. Having an outstanding reputation is fundamental to the business since it contributes to customer loyalty, satisfaction, and profitability.
- Risk tolerance statement: The company cannot work with any suppliers, stakeholders or providers who are linked to politically exposed people or that are associated with negative media attention. We operate using a cautious approach to onboarding new business connections and undergo continued monitoring.
Step 4: Complete Risk Assessments
Risk assessments are used to gather information about suppliers, stakeholders, or manufacturers to work out how they operate, where they operate, who they are owned by, and other factors.
Once you conduct risk assessments as part of your onboarding or risk management processes, you will have an overall risk score for each supplier, vendor, or stakeholder. You can use your risk appetite and risk tolerance statements and framework to establish whether you can do business with a particular company depending on whether they align.
The risk assessment outcomes and your appetite and tolerance levels will affect what you decide to do next. You might decide not to continue working with a supplier, or to conduct ongoing monitoring checks.